0

enter image description here

2024-07-09T23:11:19.7718791Z Complete getting Artifacts From Template 2024-07-09T23:11:19.7719155Z Start deploying artifacts from the template. 2024-07-09T23:11:19.7722609Z Deploy dev_keyVault_linkedService of type linkedService 2024-07-09T23:11:19.9503411Z For Artifact: dev_keyVault_linkedService: ArtifactDeploymentTask status: 403; status message: Forbidden 2024-07-09T23:11:19.9506451Z Failed 2024-07-09T23:11:19.9507649Z deploy operation failed 2024-07-09T23:11:19.9509658Z An error occurred during execution: Error: Linked service deployment failed "Failed" 2024-07-09T23:11:19.9543086Z ##[error]Encountered with exception:Error: Linked service deployment failed "Failed" 2024-07-09T23:11:19.9553608Z For Artifact: dev_keyVault_linkedService: Deploy artifact failed: {"code":"ClientIpAddressNotAuthorized","message":"Client Ip address : ...***"} 2024-07-09T23:11:19.9652636Z ##[section]Finishing: Synpase deployment task for workspace: uat01-vm04-d200

Improve this question
2
  • 1. Are you using a self-hosted agent or a MS-hosted agent in your release pipeline? 2. Have you configured any firewall in your synapse workspace?
    – Ziyang Liu-MSFT
    Commented Jul 10 at 6:24
  • The infrastructure team updated the firewall rules without my knowledge. They unchecked the "Allow Azure services and resources to access this workspace"
    – Su1tan
    Commented Jul 10 at 8:20

2 Answers 2

Reset to default
2

Based on the error message , we can conclude that the deployment failed with the error : "ClientIpAddressNotAuthorized" , which means that the request was forbidden due to Workspace not being configured to allow access to the client IP address.

You would need to create or manage the firewall configuration for the Workspace allowing the devops Client IP address to the workspace.

Improve this answer
Recognized by Microsoft Azure Collective
1
  • The infrastructure team updated the firewall rules without my knowledge. Thank you for your help.
    – Su1tan
    Commented Jul 10 at 8:17
1

I can reproduce the issue when I configure the firewall for my workspace but don't add the IP of the agent running the pipeline to the allow list.

enter image description here

If you are using a self-hosted agent, add the IP of this agent to the firewall allow list.

If you are using a MS-hosted agent, you can run Azure CLI to add the IP of the current agent to the firewall and remove it after deployment. Refer to the details below.

  1. Run az synapse workspace firewall-rule create in Azure CLI task to add the current agent IP to firewall.

    enter image description here

    Inline script

$ip = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
Write-Host "The IP address of current agent machine is $ip"
az synapse workspace firewall-rule create -g {ResourceGroup} -n allowMSAgent --workspace-name {WorkspaceName} --start-ip-address $ip --end-ip-address $ip

  1. Add a PowerShell task or Bash task to wait for a while to let the firewall-rule take effect.

    enter image description here

    Inline script: Start-Sleep -s 30 for PowerShell task and sleep 30 for Bash task

  2. Run Synapse workspace deployment task.

  3. Run az synapse workspace firewall-rule delete in Azure CLI task to delete the rule created in step1.

$ip = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
Write-Host "The IP address of current agent machine is $ip"
az synapse workspace firewall-rule delete -g {ResourceGroup} --workspace-name {WorkspaceName} -n allowMSAgent --yes

  1. Overview of the tasks:

    enter image description here

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.