在 Azure Powershell 任务中使用 Azure CLI

Question

I want to create a Powershell script which executes some AzureRm... commands and follows those up with some Az commands. Reason being that some commands are only available via Az .

When trying to execute these scripts in a release pipeline, the script always fails with the following error:

ERROR: Please run 'az login' to setup account.

Executing the Az commands in a Azure CLI task work as expected, because Az Login is executed by the task.

I don't want to pass the secret required to login to the script if at all possible. I would rather fall back to separating the scripts into two steps in the pipeline.

Is it possible to use the Az commands within a Azure Powershell task without passing the secrets manually?

Minimal example:

• Create a new release pipeline
• Add a task Azure PowerShell
• Use inline script
• As script, execute az account show

Answer 1

The short term solution I already had in place was passing the ServicePrincipal information into the powershell script and executing az login manually (same as Bevan's answer below).

My long term solution was to replace all Azure CLI calls with "Az Powershell" commands. Luckily, most commands are available by now.

A couple of commands don't have an equivalent commandlet. But if they are available via ARM, you can figure out an alternative command with Powershell.

Many of them involve using New-AzResource/New-AzureRmResource or Invoke-AzResourceAction/Invoke-AzureRmResourceAction

• How to create a Linux AppService Plan with New-AzAppServicePlan?
• Manage Azure Cosmos DB SQL API resources using PowerShell

# AzureCLI
az cosmosdb list-keys
# Powershell:
$keys = Invoke-AzResourceAction -Action listKeys `
    -ResourceType "Microsoft.DocumentDb/databaseAccounts" -ApiVersion "2015-04-08" `
    -ResourceGroupName $resourceGroupName -Name $accountName

Answer 2

When I have mixed commands I put this into my Azure Powershell task

az login --service-principal --username "$(ServicePrincipal)" --password "$(AzureDevOps-ServicePrincipal-Secret)" --tenant "$(Azure_Tenant)"

I have my SP and Tenant IDs as a variables and the Secret for the SP stored in Azure KeyVault linked to a Library Variable group. You can alternatively just stored the secret in a normal Variable/Variable Group and hit the padlock icon to secure it.

You may need to run az account set -s $(SubscriptionName) if the SP has access to multiple subscriptions in the same tenant.

Answer 3

I figured out this approach - store credentials in job scoped variables (currently only an Azure CLI task allows that) and then re-use in Azure PowerShell task:

  - task: AzureCLI@2
    displayName: 'Azure CLI - get credentials'
    inputs:
      azureSubscription: 'SUBSCRIPTIONNAME'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      addSpnToEnvironment: true
      inlineScript: |
        Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$($env:servicePrincipalId)"
        Write-Host "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$($env:servicePrincipalKey)"
        Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$($env:tenantId)"      

  - task: AzurePowerShell@5
    displayName: 'collector'
    inputs:
      azurePowerShellVersion: LatestVersion
      azureSubscription: 'SUBSCRIPTIONNAME'
      pwsh: true
      scriptType: inlineScript
      inline: |
        az login --service-principal --username "$($env:ARM_CLIENT_ID)" --password "$($env:ARM_CLIENT_SECRET)" --tenant "$($env:ARM_TENANT_ID)"
        ./mixedscript.ps1

Answer 4

Anyway, it wont work like that, because you have to authenticate to az utility separately. az cli and powershell do not share connection information. you can try and use az step with some command before powershell step. that would force az to auth and after that you can use it inside powershell ste.