[英]Az Powershell Connect-AzAccount fails in docker container, but works on host
Problem问题
I have a Windows 10 machine with Powershell 7. I wrote the following logic to sign into azure using a service principle:我有一台 Windows 10 机器和 Powershell 7。我写了以下逻辑来使用服务原则登录 azure:
$Secure2 = ConvertTo-SecureString -String $AZ_DEPLOYMENT_CLIENT_ENCRYPTED_SECRET
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AZ_DEPLOYMENT_CLIENT_ID, $Secure2
#Connect
Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_ID -Credential $Credential
Set-Azcontext -Subscription $AZ_SUBSCRIPTION_ID -Tenant $AZ_TENANT_ID
It works fine on the host machine.它在主机上运行良好。 However, when I try to run the same logic inside a docker image (do.net sdk 6.0), the command fails with the error:
但是,当我尝试在 docker 图像 (do.net sdk 6.0) 中运行相同的逻辑时,命令失败并显示错误:
PS /builds> Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_ID -Credential $Credential
WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( /root/.Azure ). Please ensure that this directory has appropriate protections.
Connect-AzAccount: ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{guid}'.
Trace ID: asdfasdf
Correlation ID: asdfasdf
Timestamp: 2022-04-19 15:07:22Z
Az Powershell Versions Az Powershell 版本
On the host, I'm running:在主机上,我正在运行:
PS C:\Users\me> Get-InstalledModule -Name Az
Version Name Repository Description
------- ---- ---------- -----------
7.1.0 Az PSGallery Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatible with PowerShell and Window…
Inside the container:容器内部:
PS /builds> Get-InstalledModule -Name Az
Version Name Repository Description
------- ---- ---------- -----------
7.4.0 Az PSGallery Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatible with PowerShell and Windows PowerShell.…
Dockerfile Dockerfile
FROM mcr.microsoft.com/dotnet/sdk:6.0
RUN apt update
RUN apt-get install vim -y
COPY . /builds
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
RUN apt-get install curl && curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN apt-get install nodejs
RUN npm install -g azure-functions-core-tools@4 --unsafe-perm true
Then I manually ran this command to install the az module:然后我手动运行这个命令来安装 az 模块:
pwsh -c "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force"
pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease PSGallery -Force"
EDIT 1编辑 1
In my Dockerfile, now I'm using multiple stages now so I don't have to install the Azure Powershell toolset inside the do.net SDK image.在我的 Dockerfile 中,现在我正在使用多个阶段,所以我不必在 do.net SDK 图像中安装 Azure Powershell 工具集。 Now my dockerfile looks like this:
现在我的 dockerfile 看起来像这样:
FROM --platform=amd64 mcr.microsoft.com/dotnet/sdk:6.0.202-bullseye-slim-amd64 AS deployFunctionApp
RUN apt update && apt-get install vim -y
COPY . /builds
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
RUN apt-get install curl && curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN apt-get install nodejs
RUN npm install -g azure-functions-core-tools@4 --unsafe-perm true
WORKDIR ./builds/tests
RUN dotnet test --test-adapter-path:. --logger:"junit;LogFilePath=..\TestResults\test-results.xml;MethodFormat=Class;FailureBodyFormat=Verbose"
WORKDIR ../
RUN cat ./externalVariables.json
RUN pwsh -c "./deploy-function-app.ps1"
FROM --platform=amd64 mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04 AS deployAppRegistration
COPY . /builds
WORKDIR ./builds
RUN pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease -Repository PSGallery -Force"
RUN pwsh -c "./ad-app-reg.ps1"
So now I can build in stages like this:所以现在我可以像这样分阶段构建:
PS /Users/me> docker build --target deployAppRegistration -t mytest .
[+] Building 17.5s (7/9)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.35kB 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04 0.2s
=> [internal] load build context 0.0s
=> => transferring context: 23.03kB 0.0s
=> CACHED [deployappregistration 1/5] FROM mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04@sha256:4d2a4c73e91c27be3ac3de40a1dd8cf36dde17d43da8837a1967fab6ac376950 0.0s
=> [deployappregistration 2/5] COPY . /builds 0.2s
=> [deployappregistration 3/5] WORKDIR ./builds 0.0s
=> [deployappregistration 4/5] RUN pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease -Repository PSGallery -Force"
=> [deployappregistration 5/5] RUN pwsh -c "./ad-app-reg.ps1" 16.1s
But it fails to connect to azure still.但它仍然无法连接到 azure。 I start a fresh container based on this image, and can recreate the error i see in the docker build command:
我基于此图像启动了一个新容器,并且可以重现我在 docker 构建命令中看到的错误:
root@7a0f9c69306d:/builds# ls
arm_templates deploy-function-app.ps1 externalVariables.json src
Dockerfile postman_tests tests
ad-app-reg.ps1 docs README.md
root@7a0f9c69306d:/builds# pwsh
PowerShell 7.2.2
Copyright (c) Microsoft Corporation.
https://aka.ms/powershell
Type 'help' to get help.
PS /builds> ./ad-app-reg.ps1
WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( /root/.Azure ). Please ensure that this directory has appropriate protections.
Connect-AzAccount: /builds/ad-app-reg.ps1:30
Line |
30 | Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_I …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application
| registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret
| value, not the client secret ID, for a secret added to app '[ad app reg guid]'. Trace ID: asdfasdf Correlation ID: asdf Timestamp:
| 2022-04-25 12:42:08Z
Set-AzContext: /builds/ad-app-reg.ps1:32
Line |
32 | Set-Azcontext -Subscription $AZ_SUBSCRIPTION_ID -Tenant $c …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Run Connect-AzAccount to login.
I had to recreate the encrypted secret in the container and then it started to work.我不得不在容器中重新创建加密的秘密,然后它开始工作。 It's still not clear why it didn't like the encrypted secret that I created on the host and saved to a file.
仍然不清楚为什么它不喜欢我在主机上创建并保存到文件中的加密秘密。 It was created using the same secret and security principle.
它是使用相同的秘密和安全原则创建的。 But I guess the error message was legit - it really didn't like the credential!
但我猜错误消息是合法的——它真的不喜欢这个凭证!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.