[英]Use Azure CLI within Azure Powershell Task
I want to create a Powershell script which executes some AzureRm...
commands and follows those up with some Az
commands.我想创建一个 Powershell 脚本,它执行一些
AzureRm...
命令,然后用一些Az
命令跟进这些命令。 Reason being that some commands are only available via Az
.原因是某些命令只能通过
Az
使用。
When trying to execute these scripts in a release pipeline, the script always fails with the following error:尝试在发布管道中执行这些脚本时,脚本总是失败并出现以下错误:
ERROR: Please run 'az login' to setup account.
Executing the Az
commands in a Azure CLI
task work as expected, because Az Login
is executed by the task.在
Azure CLI
任务中执行Az
命令按预期工作,因为Az Login
由该任务执行。
I don't want to pass the secret required to login to the script if at all possible.如果可能的话,我不想传递登录脚本所需的秘密。 I would rather fall back to separating the scripts into two steps in the pipeline.
我宁愿退回到将脚本分成管道中的两个步骤。
Is it possible to use the Az
commands within a Azure Powershell
task without passing the secrets manually?是否可以在
Azure Powershell
任务中使用Az
命令而无需手动传递机密?
Azure PowerShell
Azure PowerShell
az account show
az account show
The short term solution I already had in place was passing the ServicePrincipal information into the powershell script and executing az login
manually (same as Bevan's answer below).我已有的短期解决方案是将 ServicePrincipal 信息传递到 powershell 脚本中并手动执行
az login
(与下面 Bevan 的回答相同)。
My long term solution was to replace all Azure CLI calls with "Az Powershell" commands.我的长期解决方案是用“Az Powershell”命令替换所有 Azure CLI 调用。 Luckily, most commands are available by now.
幸运的是,大多数命令现在都可用。
A couple of commands don't have an equivalent commandlet.一些命令没有等效的命令行开关。 But if they are available via ARM, you can figure out an alternative command with Powershell.
但是,如果它们可通过 ARM 获得,您可以使用 Powershell 找出替代命令。
Many of them involve using New-AzResource/New-AzureRmResource
or Invoke-AzResourceAction/Invoke-AzureRmResourceAction
其中许多涉及使用
New-AzResource/New-AzureRmResource
或Invoke-AzResourceAction/Invoke-AzureRmResourceAction
# AzureCLI
az cosmosdb list-keys
# Powershell:
$keys = Invoke-AzResourceAction -Action listKeys `
-ResourceType "Microsoft.DocumentDb/databaseAccounts" -ApiVersion "2015-04-08" `
-ResourceGroupName $resourceGroupName -Name $accountName
When I have mixed commands I put this into my Azure Powershell task当我有混合命令时,我将其放入 Azure Powershell 任务中
az login --service-principal --username "$(ServicePrincipal)" --password "$(AzureDevOps-ServicePrincipal-Secret)" --tenant "$(Azure_Tenant)"
I have my SP and Tenant IDs as a variables and the Secret for the SP stored in Azure KeyVault linked to a Library Variable group.我将我的 SP 和租户 ID 作为变量,并将 SP 的 Secret 存储在链接到库变量组的 Azure KeyVault 中。 You can alternatively just stored the secret in a normal Variable/Variable Group and hit the padlock icon to secure it.
您也可以将秘密存储在普通的变量/变量组中,然后点击挂锁图标来保护它。
You may need to run az account set -s $(SubscriptionName)
if the SP has access to multiple subscriptions in the same tenant.如果 SP 有权访问同一租户中的多个订阅,则可能需要运行
az account set -s $(SubscriptionName)
。
I figured out this approach - store credentials in job scoped variables (currently only an Azure CLI
task allows that) and then re-use in Azure PowerShell
task:我想出了这种方法——将凭据存储在作业范围的变量中(目前只有
Azure CLI
任务允许这样做),然后在Azure PowerShell
任务中重复使用:
- task: AzureCLI@2
displayName: 'Azure CLI - get credentials'
inputs:
azureSubscription: 'SUBSCRIPTIONNAME'
scriptType: 'pscore'
scriptLocation: 'inlineScript'
addSpnToEnvironment: true
inlineScript: |
Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$($env:servicePrincipalId)"
Write-Host "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$($env:servicePrincipalKey)"
Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$($env:tenantId)"
- task: AzurePowerShell@5
displayName: 'collector'
inputs:
azurePowerShellVersion: LatestVersion
azureSubscription: 'SUBSCRIPTIONNAME'
pwsh: true
scriptType: inlineScript
inline: |
az login --service-principal --username "$($env:ARM_CLIENT_ID)" --password "$($env:ARM_CLIENT_SECRET)" --tenant "$($env:ARM_TENANT_ID)"
./mixedscript.ps1
Anyway, it wont work like that, because you have to authenticate to az utility separately.无论如何,它不会像那样工作,因为您必须单独对 az 实用程序进行身份验证。 az cli and powershell do not share connection information.
az cli 和 powershell 不共享连接信息。 you can try and use az step with some command before powershell step.
您可以在 powershell 步骤之前尝试使用 az step 和一些命令。 that would force az to auth and after that you can use it inside powershell ste.
这将强制 az 进行身份验证,然后您可以在 powershell ste 中使用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.