Updating AzCopy in Azure Pipeline
You know how the saying goes - if it ain’t broke don’t fix it. Well, something broke in my Azure Pipeline for Flow Studio App a few days ago, and it took a bit of time to figure it out, so it makes sense to write it down. I’m pretty sure I’ll forget again.
The error is related to AzureFileCopy:
AADSTS7000222: The provided client secret keys for app '***' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.
There was an error with the service principal used for the deployment.
I set up my pipelines years ago and don’t remember what was in them. But there were a few issues:
I want to switch to the Workload Identity Federation thing in Azure Pipelines; it looks like that means I won’t have to keep remembering my keys.
I was using AzureFileCopy@3, which is not the latest version; the latest version is v6. It also looks like v3 didn’t support the new credentials.
Steps
Click the convert button in Azure Pipelines
Fix AzCopy arguments
Fix a permission issue
Click the convert button
It created this identity. Hmm no secrets.
Fixing AzCopy arguments
I was using these AzCopy arguments: /S /Y /SetContentType
/S is --recursive=true
/Y is --overwrite=true
/SetContentType is apparently a default behaviour now so I didn’t have to set that
--as-subdir=false
This is a new one I needed, because otherwise it was creating the “Drop” folder from Azure Pipelines as the root folder in Azure Blob.
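The argument changes above, put together as a task definition. This is an added example, not the pipeline from this post: the service connection, storage account and container names and the source path are hypothetical placeholders.

```yaml
steps:
  # Before: v3 task, secret-based service connection, legacy AzCopy switches.
  # Kept as comments for comparison only.
  # - task: AzureFileCopy@3
  #   inputs:
  #     SourcePath: '$(Pipeline.Workspace)/Drop'            # hypothetical path
  #     azureSubscription: 'example-secret-connection'      # hypothetical name
  #     Destination: 'AzureBlob'
  #     storage: 'examplestorageaccount'                    # hypothetical name
  #     ContainerName: 'example-container'                  # hypothetical name
  #     additionalArgumentsForBlobCopy: '/S /Y /SetContentType'

  # After: v6 task, using the service connection that was converted to
  # Workload Identity Federation (no client secret to expire).
  - task: AzureFileCopy@6
    inputs:
      SourcePath: '$(Pipeline.Workspace)/Drop'              # hypothetical path
      azureSubscription: 'example-wif-connection'           # hypothetical name
      Destination: 'AzureBlob'
      storage: 'examplestorageaccount'                      # hypothetical name
      ContainerName: 'example-container'                    # hypothetical name
      # /S              -> --recursive=true
      # /Y              -> --overwrite=true
      # /SetContentType -> dropped (default behaviour now, per the post)
      # --as-subdir=false stops the "Drop" folder itself from being
      # created as the top-level folder in the container.
      AdditionalArgumentsForBlobCopy: '--recursive=true --overwrite=true --as-subdir=false'
```

The copy only succeeds once the identity behind the service connection has the Storage Blob Data Contributor role, as covered under Fixing Permissions.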
Fixing Permissions
For a few hours I was struggling with AzCopy not working with the new credentials, and I don’t understand why. I think it’s because previously the credentials impersonated a person, whereas now I need to grant a certain role to this new identity.
Go to the IAM settings of the Subscription (or Resource Group, or Storage).
Add Role Assignment
Find Storage Blob Data Contributor
Add the service accounts created by Azure Pipelines.
It should look something like this at the end.
and success