1

I am trying to create a pipeline in which I'll run terraform configs against an Azure subscription from Azure DevOps pipelines. All works fine, but when I try to log in as a user with the az CLI, it fails with:

    ERROR: Authentication failed due to error of 'Unsupported wstrust endpoint version. Current support version is wstrust2005 or wstrust13.' This typically happens when attempting a Microsoft account, which requires interactive login. Please invoke 'az login' to cross check. More details are available at https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
    ERROR: Please run 'az login' to setup account.

Although from the CLI on my local machine, az login -u user -p pass works.

The command was executed from a script, because after logging in I'll move on to terraform commands, which require those creds:

      - script: |
          az login -u $(u) -p $(p)
          terraform init
          terraform plan

I know it's not a best practice to use a user instead of a service principal, but for now I have to stick with this method. So is there a way to automate az login from Azure DevOps pipelines?

0

2 Answers

3
az login -u $(secretUser) -p $(secretPassword)

Put the user ID and password into Azure Key Vault, named secretUser and secretPassword, and then use the AzureKeyVault@1 task to populate it.

      - task: AzureKeyVault@1
        inputs:
          ConnectedServiceName: Your Service Connection Name
          KeyVaultName: Your Key Vault Name
          SecretsFilter: 'secretUser,secretPassword'
          RunAsPreJob: true
      - script: |
          az login -u $(secretUser) -p $(secretPassword)
          terraform init
          terraform plan

6 Comments

Another reason for not using SPs is that I don't have their passwords, and as far as I know those aren't stored anywhere. Also, one more requirement is that an SP shouldn't be allowed to create other SPs; that is why I have to stick to user creds.
I've altered my answer to hopefully better suit your need.
Thanks for getting back with solutions. The thing is that this is actually my initial setup: I already had my keys in vaults and I was invoking the script with az login, but it fails with the error described in the question: ERROR: Please run 'az login' to setup account.
If I understand your comment correctly, you're saying that you can't get to the Key Vault because you can't log in? If so, the AzureKeyVault@1 task relies on a service connection, that's already authenticated by service principal - if you place this before the task that needs the variables, it should have access. In other words, the task is using a different way to connect that doesn't rely on az login.
In order to run terraform I need a user to authenticate with azcli directly in the pipeline. For that I invoke a script task with az login, then terraform commands. az login takes creds from the key vault. Now my problem is specifically at the point where azcli is logging in: it fails with the error from the original question.
3

The Azure CLI task can be used instead of the Script task.

It works like the normal script tasks, and you select what scripting language you want to run with the scriptType property:

Type of script: PowerShell/PowerShell Core/Bat/Shell script. Select bash/pscore script when running on Linux agent or batch/ps/pscore script when running on Windows agent. PowerShell Core script can run on cross-platform agents (Linux, macOS, or Windows)

It also takes a service connection reference in the azureSubscription input. The service connection should be of type Azure Resource Manager and can be created either automatically or by using an existing service principal.

The Azure connection details are safely stored in the service connection, and when your script starts executing, Azure CLI has already been logged in using the service connection.

Below is an example of how your pipeline task would look:

    - task: AzureCLI@2
      displayName: Azure CLI
      inputs:
        azureSubscription: <Name of the Azure Resource Manager service connection>
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          terraform init
          terraform plan
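
An added example, not part of the answer above: the same AzureCLI@2 task with its addSpnToEnvironment input set, so the service connection's identity is passed to Terraform through the azurerm provider's ARM_* environment variables instead of any az login -u/-p call in the script. It assumes a secret-based service principal connection and the azurerm provider; the connection name is a placeholder.

```yaml
- task: AzureCLI@2
  displayName: Terraform plan with the service connection identity
  inputs:
    azureSubscription: <Name of the Azure Resource Manager service connection>
    scriptType: bash
    scriptLocation: inlineScript
    # Exposes servicePrincipalId, servicePrincipalKey and tenantId to the script
    addSpnToEnvironment: true
    inlineScript: |
      # -u makes the step fail early if the connection provides no secret
      set -euo pipefail

      # Show which identity the task logged in as before running Terraform
      az account show \
        --query '{subscription:name, identity:user.name, type:user.type}' -o table

      # Pass credentials through the environment, never as command-line arguments
      export ARM_CLIENT_ID="$servicePrincipalId"
      export ARM_CLIENT_SECRET="$servicePrincipalKey"
      export ARM_TENANT_ID="$tenantId"
      export ARM_SUBSCRIPTION_ID="$(az account show --query id -o tsv)"

      terraform init -input=false
      terraform plan -input=false
```

No user password is stored in the pipeline or Key Vault in this setup, and what the pipeline can do is bounded by the role assignments on the service connection's principal.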
