7

I want to create a PowerShell script which executes some AzureRm... commands and follows those up with some Az commands. The reason being that some commands are only available via Az.

When trying to execute these scripts in a release pipeline, the script always fails with the following error:

ERROR: Please run 'az login' to setup account.

Executing the Az commands in an Azure CLI task works as expected, because Az Login is executed by the task.

I don't want to pass the secret required to login to the script if at all possible. I would rather fall back to separating the scripts into two steps in the pipeline.

Is it possible to use the Az commands within an Azure PowerShell task without passing the secrets manually?

Minimal example:

  • Create a new release pipeline
  • Add a task Azure PowerShell
  • Use inline script
  • As script, execute az account show
4
  • which commands? Commented Oct 22, 2018 at 7:37
  • az cosmosdb list-keys and the other cosmos commands are required in my case, but az account show does not work either Commented Oct 22, 2018 at 7:58
  • 1
    powershellgallery.com/packages/CosmosDB/2.1.9.95 try this? Commented Oct 22, 2018 at 8:14
  • I will take a look at that, thanks! Commented Oct 22, 2018 at 9:19

4 Answers

4

I figured out this approach - store credentials in job scoped variables (currently only an Azure CLI task allows that) and then re-use in Azure PowerShell task:

  - task: AzureCLI@2
    displayName: 'Azure CLI - get credentials'
    inputs:
      azureSubscription: 'SUBSCRIPTIONNAME'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      addSpnToEnvironment: true
      inlineScript: |
        Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$($env:servicePrincipalId)"
        Write-Host "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$($env:servicePrincipalKey)"
        Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$($env:tenantId)"      

  - task: AzurePowerShell@5
    displayName: 'collector'
    inputs:
      azurePowerShellVersion: LatestVersion
      azureSubscription: 'SUBSCRIPTIONNAME'
      pwsh: true
      scriptType: inlineScript
      inline: |
        az login --service-principal --username "$($env:ARM_CLIENT_ID)" --password "$($env:ARM_CLIENT_SECRET)" --tenant "$($env:ARM_TENANT_ID)"
        ./mixedscript.ps1

1 Comment

This is exactly what I needed, thank you! Now I can run Azure CLI commands in my external PS file.
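
A variant of the hand-off in the answer above, added here as an example and not part of the original answer: the service principal key is stored as a secret variable, mapped only into the task that calls az login, and the CLI session is cleared afterwards. 'SUBSCRIPTIONNAME' and mixedscript.ps1 are the answer's own placeholders.

```yaml
# Added example (not from the original answer). 'SUBSCRIPTIONNAME' and
# mixedscript.ps1 are the placeholders used in the answer above.
steps:
  - task: AzureCLI@2
    displayName: 'Azure CLI - get credentials'
    inputs:
      azureSubscription: 'SUBSCRIPTIONNAME'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      addSpnToEnvironment: true
      inlineScript: |
        Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$($env:servicePrincipalId)"
        Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$($env:tenantId)"
        # issecret=true masks the value in logs and stops it from being exported
        # automatically into the environment of every later task in the job.
        Write-Host "##vso[task.setvariable variable=ARM_CLIENT_SECRET;issecret=true]$($env:servicePrincipalKey)"

  - task: AzurePowerShell@5
    displayName: 'collector'
    inputs:
      azurePowerShellVersion: LatestVersion
      azureSubscription: 'SUBSCRIPTIONNAME'
      pwsh: true
      scriptType: inlineScript
      inline: |
        az login --service-principal --username "$env:ARM_CLIENT_ID" --password "$env:ARM_CLIENT_SECRET" --tenant "$env:ARM_TENANT_ID" --output none
        if ($LASTEXITCODE -ne 0) { throw "az login failed" }
        try {
          ./mixedscript.ps1
        }
        finally {
          # Drop the cached CLI session so later steps on the same agent cannot reuse it.
          az logout
        }
    env:
      # Secret variables are not exported automatically; map the key into this task only.
      ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
```

Without issecret=true the key is an ordinary job variable, so it is exported to the environment of every subsequent task in the job and is not masked if a script prints it.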
2

The short term solution I already had in place was passing the ServicePrincipal information into the PowerShell script and executing az login manually (same as Bevan's answer below).

My long term solution was to replace all Azure CLI calls with "Az PowerShell" commands. Luckily, most commands are available by now.

A couple of commands don't have an equivalent cmdlet. But if they are available via ARM, you can figure out an alternative command with PowerShell.

Many of them involve using New-AzResource/New-AzureRmResource or Invoke-AzResourceAction/Invoke-AzureRmResourceAction.

    # AzureCLI
    az cosmosdb list-keys
    # PowerShell:
    $keys = Invoke-AzResourceAction -Action listKeys `
        -ResourceType "Microsoft.DocumentDb/databaseAccounts" -ApiVersion "2015-04-08" `
        -ResourceGroupName $resourceGroupName -Name $accountName

1 Comment

BTW one can pass --debug to an az command to find out exactly which API method it calls under the hood. Then, reproduce it with Invoke-AzResourceAction.
1

When I have mixed commands I put this into my Azure PowerShell task:

az login --service-principal --username "$(ServicePrincipal)" --password "$(AzureDevOps-ServicePrincipal-Secret)" --tenant "$(Azure_Tenant)"

I have my SP and Tenant IDs as variables and the Secret for the SP stored in Azure KeyVault linked to a Library Variable group. You can alternatively just store the secret in a normal Variable/Variable Group and hit the padlock icon to secure it.

You may need to run az account set -s $(SubscriptionName) if the SP has access to multiple subscriptions in the same tenant.

Comments

0

Anyway, it won't work like that, because you have to authenticate to the az utility separately. az cli and PowerShell do not share connection information. You can try and use an az step with some command before the PowerShell step. That would force az to auth, and after that you can use it inside the PowerShell step.

1 Comment

Added an inline Azure CLI step with az account show, tried to do the same in the PowerShell task afterwards... did not work
