如何使用PowerShell将服务主体分配给托管的VSTS发布管道中的AAD组?
[英]How might I assign a service principal to an AAD group in my hosted VSTS release pipeline using PowerShell?
问题描述
I have a VSTS release pipeline which provisions a new function app with a Managed Service Identity . 
我有一个VSTS发布管道,该管道提供了具有托管服务标识的新功能应用程序 。 My solution includes a shared key vault instance for my app secrets. 我的解决方案包括一个用于我的应用程序机密的共享密钥库实例。 Key vault allows a maximum of 16 access control entries so I've taken the approach of creating an Azure AD group for applications which I will add application service principals to. 密钥保管库最多允许16个访问控制项,因此我采用了为应用程序创建Azure AD组的方法,我将向其中添加应用程序服务主体。 All straight forward and workable in PowerShell locally, but I'm not able to figure out a way to do this using hosted build servers in the VSTS release pipeline and a Run Powershell In Azure release task. 所有这些都可以直接在PowerShell中本地运行,并且可以在PowerShell中使用,但是我无法找出一种方法来使用VSTS发布管道中的托管生成服务器以及在Azure中运行Powershell发布任务。
The Azure CLI is at version 1.X on the Hosted build server and 2.x on the Hosted 2017 build server * 1.x doesn't appear to offer AD group manipulation or graph API access * 2.x does offer az ad group member add but the hosted 2017 build has a problem with New-AzureStorageTable which is used elsewhere in my pipeline, so I can't use it Azure CLI在托管构建服务器上为1.X版本,在托管2017构建服务器上为2.x版本* 1.x似乎不提供AD组操作或图形API访问权限* 2.x确实提供了az ad group member add但托管的2017年版本的New-AzureStorageTable有问题,该问题已在我的管道中的其他地方使用,因此我无法使用它
Similarly, the Azure RM powershell module on the Hosted build server is very old and doesn't appear to support group membership manipulation . 同样,托管生成服务器上的Azure RM Powershell模块非常旧,并且似乎不支持组成员身份操作 。 The version on the Hosted 2017 server (which I can't use) has commands like Get-AzureRmADGroup but nothing to add a user to that group. Hosted 2017服务器上的版本(我不能使用)具有诸如Get-AzureRmADGroup类的命令,但是没有向该组添加用户的命令。
The cmdlet Add-AzureADGroupMember, available in the AAD powershell would be a nice solution, but it's not available on either the Hosted or Hosted 2017 build servers. AAD Powershell中可用的cmdlet Add-AzureADGroupMember将是一个不错的解决方案,但在Hosted或Hosted 2017构建服务器上均不可用。
I've considered both automation runbooks and direct HTTPS posts to the graph API using the OAuth token available in the release pipeline, but want to stay with PowerShell to keep the number of technologies in my release pipeline as small as possible. 我已经考虑了自动化运行手册以及使用发布管道中可用的OAuth令牌将HTTPS帖子直接定向到图形API的方法,但是我想一直使用PowerShell以使发布管道中的技术数量尽可能地少。 I'd also prefer to avoid storing credentials in a secured manner for use in a PowerShell command like Login-AzureRmAccount and rely on the identity of the Service Endpoint I defined for my release pipeline. 我还希望避免以安全的方式存储凭据,以便在PowerShell命令(如Login-AzureRmAccount并依赖于为发布管道定义的服务端点的身份。
Suggestions appreciated. 建议表示赞赏。
1 个解决方案
解决方案1
0 2017-12-27 02:03:38
Since the Hosted agent can't meet your requirements, you can configure a private build agent (it's free) on your machine: Deploy an agent on Windows . 由于托管代理无法满足您的要求,因此您可以在计算机上配置私有构建代理(免费): 在Windows上部署代理 。
Regarding Add-AzureADGroupMember cmdlet, you can install it by calling Install-Module -Name AzureAD through Azure PowerShell task, which works fine on Hosted agent. 关于Add-AzureADGroupMember cmdlet,可以通过通过Azure PowerShell任务调用Install-Module -Name AzureAD来安装它,该任务在托管代理上正常运行。
Script: 脚本:
Install-PackageProvider -Name NuGet -Force -Scope CurrentUser
Install-Module -Name AzureAD -Force -Verbose -Scope CurrentUser
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.