1

Requirements

My requirement is that for my Azure DevOps release pipeline I want to tag a specific commit with an annotated tag which contains the build number and the date (which is auto-set on an annotated tag).

Proposed solution

My solution to this is to use the Azure PowerShell pipeline task, the one shown here: [image]

The task (ignore what's in the script box right now) will use the Azure Subscription that I have set in order to authenticate towards the Azure DevOps REST API. I have successfully been able to perform the task I want using a personal access token (PAT) but this is not stable long-term for a whole team and I want to use our Azure Subscription.

The problem

My problem is that I'm not sure how to use the authentication of the Azure Subscription correctly. I seem to get some data using Get-AzureRmContext (see current code below) and then I found a GitHub issue which seems to do sort of the same thing. The code gets some kind of OAuth token but using the code below, Azure still returns to me that I need to sign in, so I assume it's not the correct token. I don't understand how things hatch into each other.

Note that my subscription should have all the permissions it needs to do what I want.

Code so far:

    # Reads an access token for the given tenant from the shared ADAL token cache.
    Function Get-AccessToken($tenantId) {
        $cache = [Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache]::DefaultShared
        $cacheItem = $cache.ReadItems() | Where-Object { $_.TenantId -eq $tenantId } | Select-Object -First 1
        return $cacheItem.AccessToken
    }

    $context = Get-AzureRmContext
    $uri = "https://dev.azure.com/<my_org>/<my_area>/_apis/git/repositories/<project_sha>/annotatedtags?api-version=5.0-preview.1"
    $token = Get-AccessToken $context.tenantID

    # $(...) values are pipeline variables, substituted before the script runs.
    $body = @"
    {
        "taggedObject": {
            "objectId": "$(BUILD.SOURCEVERSION)"
        },
        "name": "D-$(Build.BuildNumber)",
        "message": "dummy"
    }
    "@
    # The scheme and the token must be separated by a space.
    $header = @{"Authorization" = "Bearer " + $token}

    Invoke-RestMethod -Uri $uri -Method Post -ContentType "application/json" -Body $body -Headers $header

Any help is greatly appreciated!

5
  • I was under the impression you don't need to auth to ADO from inside the job? Commented Feb 15, 2019 at 14:23
  • @4c74356b41 You don't? If I don't specify any authorization header then I get a sign-in html page in response Commented Feb 15, 2019 at 14:24
  • stackoverflow.com/questions/41004090/… Commented Feb 15, 2019 at 14:28
  • Wow, thanks man. That was way simpler than what I tried... Commented Feb 15, 2019 at 14:39
  • Possible duplicate of VSTS - allow Scripts to Access OAuth Token in Release Management Commented Feb 15, 2019 at 14:41

1 Answer

3

There is the example for the build tasks: Use a PowerShell script to customize your build pipeline

  1. You have to enable access to the token (option Allow Scripts to Access OAuth Token)

  2. Then use it in your script. Script from the example:

    $url = "$($env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI)$env:SYSTEM_TEAMPROJECTID/_apis/build/definitions/$($env:SYSTEM_DEFINITIONID)?api-version=5.0"

    Write-Host "URL: $url"
    $pipeline = Invoke-RestMethod -Uri $url -Headers @{ Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }

    Write-Host "Pipeline = $($pipeline | ConvertTo-Json -Depth 100)"
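
The question's annotated-tag request combined with the job token from the answer, as an added example that is not part of the original answer or the linked sample. The `New-AnnotatedTag` function name and the `<repository_id>` placeholder are illustrative, and it assumes the job's build service identity has the Create tag permission on the repository.

```powershell
# Added example: create an annotated tag with the pipeline's own OAuth token.
# Assumes "Allow Scripts to Access OAuth Token" is enabled for the agent job.
function New-AnnotatedTag {
    param(
        [Parameter(Mandatory)] [string] $RepositoryId,  # placeholder, supplied by you
        [Parameter(Mandatory)] [string] $CommitId,
        [Parameter(Mandatory)] [string] $TagName,
        [string] $Message = "Tagged by release pipeline"
    )

    # The variable is empty unless the OAuth token option is enabled for this job.
    $token = $env:SYSTEM_ACCESSTOKEN
    if ([string]::IsNullOrWhiteSpace($token)) {
        throw "SYSTEM_ACCESSTOKEN is empty: enable 'Allow Scripts to Access OAuth Token'."
    }

    # Same endpoint and api-version as the question, built from predefined variables.
    $uri = "$($env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI)$($env:SYSTEM_TEAMPROJECTID)" +
           "/_apis/git/repositories/$RepositoryId/annotatedtags?api-version=5.0-preview.1"

    # Serialize an object instead of interpolating into a JSON string, so values are escaped.
    $body = @{
        name         = $TagName
        message      = $Message
        taggedObject = @{ objectId = $CommitId }
    } | ConvertTo-Json

    $headers = @{ Authorization = "Bearer $token" }  # scheme, space, token

    $tag = Invoke-RestMethod -Uri $uri -Method Post -ContentType "application/json" `
                             -Body $body -Headers $headers

    # A call that is not authenticated can return a sign-in HTML page instead of JSON.
    if (-not $tag.objectId) {
        throw "Unexpected response (no objectId): check the token and repository permissions."
    }
    return $tag
}

# Build.SourceVersion and Build.BuildNumber from the question, read as environment variables.
New-AnnotatedTag -RepositoryId "<repository_id>" `
                 -CommitId $env:BUILD_SOURCEVERSION `
                 -TagName "D-$($env:BUILD_BUILDNUMBER)" | Select-Object name, objectId
```

The job token is issued per run and never has to be stored in the pipeline, which is what removes the need for a shared PAT.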
