10

I am unable to trigger azure pipeline build from azureCLI task

Task :

- task: AzureCLI@2
  inputs:
    azureSubscription: 'Free Trial(My subscription)'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az --version
      echo "Running : az account show"
      az account show
      #export AZURE_DEVOPS_EXT_PAT='mypat'
      $env:AZURE_DEVOPS_EXT_PAT='mypat'
      az pipelines create --name newPipeline --org https://dev.azure.com/AbiNilOrg/ --project azure-devops-kubernetes-terraform --branch master

The output with error :

Running : az account show
{
  "environmentName": "AzureCloud",
  "homeTenantId": "***",
  "id": "73c1af29-384c-4574-bd88-92d7bb392cfc",
  "isDefault": true,
  "managedByTenants": [],
  "name": "Free Trial",
  "state": "Enabled",
  "tenantId": "***",
  "user": {
    "name": "***",
    "type": "servicePrincipal"
  }
}
WARNING: This command is in preview and under development. Reference and support 
levels: https://aka.ms/CLI_refstatus
ERROR: The requested resource requires user authentication: 
https://dev.azure.com/AbiNilOrg/azure-devops-kubernetes- 
terraform/_apis/serviceendpoint/endpoints
##[error]Script failed with exit code: 1

I understand that azure is unable to form the correct URI to hit the rest point

ERROR: The requested resource requires user authentication: 
https://dev.azure.com/AbiNilOrg/azure-devops-kubernetes- 
terraform/_apis/serviceendpoint/endpoints

The suffix serviceendpoint/endpoints of the URI isnt correct.

ADO guys, if have any idea on this can please help!

Thanks in advace! Nilotpal

Improve this question
2
  • "requires user authentication" - do you know if your service principal has rights to perform actions on that endpoint? Commented Jul 11, 2021 at 8:35
  • Does this answer your question? How to securely login in Az CLI from a DevOps Pipeline Commented Jan 6, 2022 at 7:12

2 Answers 2

Reset to default
8

When you set env:AZURE_DEVOPS_EXT_PAT you still need to login via calling:

az devops login --organization https://dev.azure.com/contoso

because:

If you have already signed in with az login interactively or using user name and password, then you don't have to provide a token as az devops commands now support sign in through az login. However, service principal log in via az login isn't supported, in which case a PAT token is required.

And here this task behing the scene login via service principal what you also see on account show:

  "user": {
    "name": "***",
    "type": "servicePrincipal"
  }

For more details please check documentation here

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Thanks rzysztof Madej. az devops login --organization dev.azure.com/contoso seems to be waiting for the user to enter the token. How can i type the token in a running task. I had already set the env variable for the PAT. The job is indefinitely waiting.
Can you try to do this on regular powershell task?
Yes it worked with simple bash scripts. AzureCLI task seems have bug and dosent works
It was probably not a bug. Basically, you were already aothenticated and thus was a glitch.
1

Setting the AZURE_DEVOPS_EXT_PAT environment variable to a Personal Access Token with Build (Read & Execute) permissions, and running the command below without explicitly logging in, worked out for me on a GitHub workflow.

az pipelines build queue --definition-name $azure_devops_cd_pipeline_name --organization $azure_devops_organisation_url --project $project_name --branch $git_branch

I would expect this to work in Azure DevOps as well.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.