I'm new to using Azure DevOps with SQL Server. Our goal is to create steps that push out a web application (to a different server, not within scope here) then run an idempotent script against a number of databases on our Azure VM. We have deployed the agent to the server and it is listed in the Deployment Groups section as "live".
In preparation for running the database PowerShell scripts, I set up a custom `DevopsDeployment` Windows Server user account and then used that to create a SQL Server login. This user was assigned to the database role `db_backupoperator` (following a least-privilege approach) to test the job task.
The DevOps task below threw errors about `NT AUTHORITY\SYSTEM` not having permission to connect to the database. I had assumed it would run using the credentials supplied in the script, based on the new user/login, but it seemed not:
```powershell
# Account created for the deployment job (Windows login, mapped to a SQL Server login)
$userName = "SERVERNAME\DevopsDeployment"
$password = "***"
$serverInstance = "localhost"
$database = "MyDatabase"
$backupFilePath = "D:\DevOps Backups"

# Build a dated backup file name, e.g. D:\DevOps Backups\MyDatabase-20240101.bak
$fileDate = $(Get-Date -format 'yyyyMMdd')
$backupFile = "$backupFilePath\$database-$fileDate.bak"

# Wrap the password in a PSCredential
$pWord = ConvertTo-SecureString -String $password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $userName, $pWord

# Note: -SqlCredential expects a SQL Server credential object (used for backup-to-URL),
# not a PSCredential; -Credential is the SQL Authentication parameter, and neither
# changes the Windows identity of the process, which is what SQL Server sees here.
Backup-SqlDatabase -ServerInstance $serverInstance -Database $database -BackupFile $backupFile -CopyOnly -CompressionOption On -SqlCredential $credential
```
I confirmed this by successfully running the following after adding `NT AUTHORITY\SYSTEM` to the database role `db_backupoperator` (credential parameters removed):

```powershell
Backup-SqlDatabase -ServerInstance $serverInstance -Database $database -BackupFile $backupFile -CopyOnly -CompressionOption On
```
I read elsewhere on SO that it is a bad idea to allow functions to run as `NT AUTHORITY\SYSTEM` in case of a data breach. However, I see nowhere in the DevOps task configuration panels to alter what login account the agent runs under. Nor have I been able to find any Microsoft documentation on this subject.

Therefore I'm seeking an authoritative answer whether the DevOps VM agent has to run as `NT AUTHORITY\SYSTEM`, and then the necessary allowances are made against this account directly, or am I completely missing something?
1 answer
After much trial and error it emerges that Azure DevOps server agents are installed and run using the `NT AUTHORITY\SYSTEM` account. At the time of posting, there is no way to configure or alter this. It makes sense however because of the scope of operations that may need to be performed on the server.

Because we needed to perform database backups, DML scripts and other scripts that accessed the `dbo` context, we had to assign the `db_owner` role to `NT AUTHORITY\SYSTEM` to overcome permission errors.
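Since the task runs under whatever identity the agent service uses (per the answer above, `NT AUTHORITY\SYSTEM`), a practical defensive step is to make the task verify that identity and its database role membership before attempting the backup, so a permission gap fails fast with a readable message instead of a generic connect error, and so over-privileged grants such as `db_owner` are at least surfaced in the job log. The following pre-flight script is an added example written for this page; it is not code from the question, the answer, or Microsoft. It assumes the `SqlServer` PowerShell module is installed on the agent VM and reuses the `$serverInstance`, `$database` and `$backupFilePath` values from the question; the `$requiredRoles` list and the warning logic are my own assumptions for illustration.

```powershell
# Added example (not from the original post): pre-flight identity and role check
# for a deployment-group PowerShell task, run before Backup-SqlDatabase.
# Assumes the SqlServer module is installed on the agent VM.

Import-Module SqlServer -ErrorAction Stop

$serverInstance = "localhost"
$database       = "MyDatabase"
$backupFilePath = "D:\DevOps Backups"
$requiredRoles  = @("db_backupoperator")   # assumed least privilege for a COPY_ONLY backup

# 1. Report the Windows identity the agent runs this task under. With Windows
#    authentication this is what SQL Server sees; a PSCredential built inside
#    the script does not change it.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Task is executing as: $identity"

# 2. Confirm that identity maps to a login and to a user in the target database,
#    and record whether it already holds sysadmin or db_owner.
try {
    $who = Invoke-Sqlcmd -ServerInstance $serverInstance -Database $database -ErrorAction Stop `
        -Query "SELECT SUSER_SNAME() AS LoginName, USER_NAME() AS DatabaseUser, IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin, IS_ROLEMEMBER('db_owner') AS IsDbOwner;"
}
catch {
    throw "'$identity' cannot open [$database] on $serverInstance. Create a login and database user for this account before running the backup. Details: $($_.Exception.Message)"
}
Write-Host "SQL login: $($who.LoginName); database user: $($who.DatabaseUser)"

# 3. Check each required database role. sysadmin or db_owner also satisfies the
#    check, but is flagged because it is more privilege than a backup needs.
if ($who.IsSysadmin -eq 1 -or $who.IsDbOwner -eq 1) {
    Write-Warning "'$($who.LoginName)' holds sysadmin/db_owner: the backup will succeed, but this exceeds least privilege for a backup task."
}
else {
    $missing = foreach ($role in $requiredRoles) {
        # $role comes only from the constant list above, never from task input.
        $r = Invoke-Sqlcmd -ServerInstance $serverInstance -Database $database -ErrorAction Stop `
            -Query "SELECT IS_ROLEMEMBER('$role') AS IsMember;"
        if ($r.IsMember -ne 1) { $role }
    }
    if ($missing) {
        throw "'$($who.LoginName)' is missing database role(s) $($missing -join ', ') in [$database]. Add the account to those roles (ALTER ROLE ... ADD MEMBER) rather than widening it to db_owner."
    }
}

# 4. Only now run the backup, as the task identity (no credential parameters needed).
$backupFile = Join-Path $backupFilePath ("{0}-{1}.bak" -f $database, (Get-Date -Format 'yyyyMMdd'))
Backup-SqlDatabase -ServerInstance $serverInstance -Database $database -BackupFile $backupFile -CopyOnly -CompressionOption On
Write-Host "Backup written to $backupFile"
```

Running this as the first step of the database job makes the executing identity visible in the pipeline log on every run, which is also the evidence you want if someone later asks which account the deployment actually used. If the job genuinely needs `db_owner` for DML scripts, the warning simply documents that choice in the log rather than blocking the job.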