
I have a PowerShell file which is used for getting a secret value from one of our Azure Key Vaults for later use (logging in to Power BI with a Service Principal). Here is the screenshot from DevOps:

[screenshot of the DevOps pipeline]

And here is my PS code:

Write-Output "Get Secret from AKV"
# Read the secret with the Azure CLI; this needs an authenticated az session on the agent
$secret = az keyvault secret show --vault-name PA01 --name <my key vault secret name> --output json
$x = $secret | ConvertFrom-Json

$azureApplicationId = "<my client id>"
$azureTenantId = "<my tenant id>"

Write-Output "Generate Credential"
# Wrap the plain-text secret value in a SecureString and build a PSCredential for the service principal
$azurePassword = ConvertTo-SecureString $x.value -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureApplicationId, $azurePassword)

Write-Output "Login SP"
# Sign in to Power BI as the service principal using the credential built above
Connect-PowerBIServiceAccount -Tenant $azureTenantId -ServicePrincipal -Credential $psCred

I can run it successfully in Cloud Shell, while it fails in my Azure DevOps pipeline, as you can see in the screenshot below:

[screenshot of the failed pipeline run]

I think the job failed when running this command:

$secret = az keyvault secret show --vault-name PA01 --name <my key vault secret name> --output json

Because although the job has automatically run the Connect-AzAccount command, the login is invalid, and in my understanding that is why it says "Error: Please run az login to setup account" (guess so), so the "az keyvault" command cannot be run.

Yes, I can add "az login --use-device-code" to my script and it runs successfully by entering the code manually, but the problem is:

I don't want any interactive experience in the login process, because I hope this job is fully automatic and unattended.

So, any solution for this? Deeply grateful for your help!

2 Answers

Use a PowerShell command instead of the az command to get the secret.

# Retrieve the secret object; the call runs in the context of the pipeline's service connection
$secret = Get-AzKeyVaultSecret -VaultName 'MyKeyVaultName' -Name 'MySecretName'
# SecretValueText was removed in newer Az.KeyVault versions; there, use $secret.SecretValue (a SecureString)
$secretValue = $secret.SecretValueText

Make sure the service connection that is configured at azureSubscription: is added to the Access Policies section of the Key Vault, as the command is executed in that context.
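The following pipeline step is an added example, not code from the question or the answer: it runs the answer's Get-AzKeyVaultSecret approach inside an AzurePowerShell@5 task, which signs in as the service connection's service principal, so no interactive az login is needed. It also skips the plain-text conversion entirely, because PSCredential accepts the SecureString that SecretValue already holds. The service connection name, client id and tenant id are placeholders, and the vault must grant the service principal read access to secrets (an access policy, or the Key Vault Secrets User role on RBAC-enabled vaults).

```yaml
# Added example: AzurePowerShell@5 step that fetches a Key Vault secret and signs in to Power BI.
# Placeholder values: 'my-arm-service-connection', '<client id>', '<tenant id>'.
steps:
- task: AzurePowerShell@5
  displayName: Get secret from Key Vault and sign in to Power BI
  inputs:
    azureSubscription: 'my-arm-service-connection'   # placeholder: ARM service connection name
    azurePowerShellVersion: LatestVersion
    pwsh: true
    ScriptType: InlineScript
    Inline: |
      # The task has already run Connect-AzAccount as the service principal of the service connection.
      Install-Module MicrosoftPowerBIMgmt -Scope CurrentUser -Force

      Write-Output "Get Secret from AKV"
      $secret = Get-AzKeyVaultSecret -VaultName 'MyKeyVaultName' -Name 'MySecretName'
      if ($null -eq $secret) { throw "Secret not found or access denied" }

      # SecretValue is a SecureString in every Az.KeyVault version, so the value is never
      # written to the log or held as plain text in this step.
      $azurePassword      = $secret.SecretValue
      $azureApplicationId = '<client id>'   # placeholder
      $azureTenantId      = '<tenant id>'   # placeholder
      $psCred = New-Object System.Management.Automation.PSCredential($azureApplicationId, $azurePassword)

      Write-Output "Login SP"
      Connect-PowerBIServiceAccount -Tenant $azureTenantId -ServicePrincipal -Credential $psCred
```

The pipeline log shows only the two Write-Output lines; if the step needs to hand the secret to a later step, register it with `##vso[task.setvariable variable=...;issecret=true]` so the agent masks it rather than echoing it.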

Please check these:

A PowerShell script works only with a Windows agent; make sure the agent has PowerShell version 5 or lower.

Workaround

  • Try setting up a self-hosted agent on your machine (connected to the internet).
  • Then you can run the task on the self-hosted agent and choose to run a PowerShell task. (This may require you to whitelist some DevOps IP ranges on your firewall.)

(Or)

Usually the Azure CLI task authenticates using az login. As a workaround, try to use the Az CLI task with azureSubscription set to the service connection name. This includes authentication against an Azure subscription as part of its setup, so you will be able to run az cli commands.

- task: AzureCLI@2
  displayName: Azure CLI
  inputs:
    azureSubscription: <Name of the Azure Resource service connection>
    scriptType: ps
    .....

Also check whether the service connection used in the pipeline has sufficient permissions to run the script. For that, ensure the service principal / authentication credentials have the required permissions.

Try to downgrade/upgrade the version of azure-cli on the hosted agent pool to near 2.0.64, or use the Hosted VS2017 agent to run az commands.
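As an added example (not the answer's own YAML), here is the AzureCLI@2 step completed so that the question's original az command runs in the authenticated context the answer describes. The task performs az login with the service connection's service principal before the script starts, so the "Please run az login" error does not occur. The service connection name is a placeholder; the vault name PA01 and the secret-name placeholder come from the question.

```yaml
# Added example: AzureCLI@2 step running the question's az keyvault command non-interactively.
# Placeholder value: 'my-arm-service-connection'.
steps:
- task: AzureCLI@2
  displayName: Azure CLI - get secret from Key Vault
  inputs:
    azureSubscription: 'my-arm-service-connection'   # placeholder: ARM service connection name
    scriptType: ps              # Windows PowerShell; use pscore for PowerShell 7 on any agent
    scriptLocation: inlineScript
    inlineScript: |
      Write-Output "Get Secret from AKV"
      # --query value -o tsv returns only the secret value instead of the whole JSON object
      $secretValue = az keyvault secret show --vault-name PA01 --name '<my key vault secret name>' --query value -o tsv
      if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($secretValue)) {
          throw "az keyvault secret show failed; check the service principal's Key Vault permissions"
      }
      # Hand the value to later steps as a secret variable so the agent masks it in all logs
      Write-Host "##vso[task.setvariable variable=PowerBiSpSecret;issecret=true]$secretValue"

- task: PowerShell@2
  displayName: Login SP
  env:
    POWERBI_SP_SECRET: $(PowerBiSpSecret)   # secret variables must be mapped explicitly into env
  inputs:
    targetType: inline
    script: |
      $azurePassword = ConvertTo-SecureString $env:POWERBI_SP_SECRET -AsPlainText -Force
      $psCred = New-Object System.Management.Automation.PSCredential('<my client id>', $azurePassword)
      Connect-PowerBIServiceAccount -Tenant '<my tenant id>' -ServicePrincipal -Credential $psCred
```

Secret variables set with issecret=true are not exposed to later steps as environment variables automatically, which is why the second step maps $(PowerBiSpSecret) into env explicitly.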

See Azure PowerShell task - Azure Pipelines | Microsoft Docs

References:

  1. What service principle does Azure DevOps pipeline jobs run under? - Stack Overflow
  2. az login fails with Azure DevOps Pipelines - Stack Overflow
  3. Use Azure CLI within Azure Powershell Task - Stack Overflow
