articles/synapse-analytics/cicd/continuous-integration-delivery.md
8 additions & 9 deletions
@@ -5,7 +5,7 @@ author: liudan66
5
5
ms.service: synapse-analytics
6
6
ms.subservice: cicd
7
7
ms.topic: conceptual
8
-
ms.date: 10/08/2021
8
+
ms.date: 01/25/2024
9
9
ms.author: liud
10
10
ms.reviewer: pimorano
11
11
@@ -56,14 +56,13 @@ To automate the deployment of an Azure Synapse workspace to multiple environment
56
56
- Set up a blank workspace to deploy to:
57
57
58
58
1. Create a new Azure Synapse workspace.
59
-
1. Grant the VM agent and the service principal Contributor permission to the resource group in which the new workspace is hosted.
60
-
1. In the workspace, don't configure the Git repository connection.
61
-
1. In the Azure portal, find the new Azure Synapse workspace, and then grant Owner permission to yourself and to the user that will run the Azure DevOps pipeline Azure Synapse workspace.
62
-
1. Add the Azure DevOps VM agent and the service principal to the Contributor role for the workspace. (The role should have been inherited, but verify that it is.)
63
-
1. In the Azure Synapse workspace, go to **Studio** > **Manage** > **Access Control**. Add the Azure DevOps VM agent and the service principal to the workspace admin group.
64
-
1. Open the storage account that's used for the workspace. On the **Identity and access management** pane, add the VM agent and the service principal to the Storage Blob Data Contributor role.
65
-
1. Create a key vault in the support subscription, and ensure that both the existing workspace and the new workspace have at least GET and LIST permissions to the vault.
66
-
1. For the automated deployment to work, ensure that any connection strings that are specified in your linked services are in the key vault.
59
+
2. Grant the service principal the following permissions to the new Synapse workspace:
3. In the workspace, don't configure the Git repository connection.
64
+
4. In the Azure Synapse workspace, go to **Studio** > **Manage** > **Access Control**. 4. In the Azure Synapse workspace, go to Studio > Manage > Access Control. Assign the “Synapse Artifact Publisher” to the service principal. If the deployment pipeline will need to deploy managed private endpoints, then assign the “Synapse Administrator” instead.
65
+
5. When you use linked services whose connection information is stored in Azure Key Vault, it is recommended to keep separate key vaults for different environments. You can also configure separate permission levels for each key vault. For example, you might not want your team members to have permissions to production secrets. If you follow this approach, we recommend that you to keep the same secret names across all stages. If you keep the same secret names, you don't need to parameterize each connection string across CI/CD environments because the only thing that changes is the key vault name, which is a separate parameter.
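Review bot: Step 2 ends with a colon ("Grant the service principal the following permissions to the new Synapse workspace:") but no permission list follows it in the lines shown, while the removed steps named Contributor, Owner and Storage Blob Data Contributor explicitly; list the exact roles and the scope of each under step 2 so readers do not fall back to the broader grants from the old text. Step 4 repeats its opening sentence and embeds a second "4." ("**Access Control**. 4. In the Azure Synapse workspace, go to Studio > Manage > Access Control."); drop the duplicate, and write the role names as **Synapse Artifact Publisher** role and **Synapse Administrator** role rather than in curly quotes, matching the bold style used for UI names in the same step. Because Synapse Administrator is the broader of the two roles, say explicitly that it should be assigned only when the pipeline really deploys managed private endpoints. In step 5, "we recommend that you to keep" should read "we recommend that you keep", and the step no longer states the vault access the removed text required ("at least GET and LIST permissions to the vault"); keep that requirement, scoped per environment vault. The new steps use explicit numbers 2 to 5 while step 1 keeps the "1." auto-numbering style of the old list; pick one.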