
How to log in to Azure using az cli from a Gitlab CI runner?

I have generated a zip file of a Node.JS-based web app in Gitlab, and I am trying to deploy it as an Azure "web app" using az webapp deploy. This works fine on my local machine where I am logged in, but I can't for the life of me figure out how I can log in to Azure from the Gitlab runner, so that I can run that same command. I've tried:

  • Using the Publish Profile (already need to be logged in for that!)
  • Creating a managed identity with roles on the app (but I don't have access to AD)
  • Creating the managed system identity in the app's "Identity" pane (can't find any associated password?!)
  • Generating a JWT token to store in Gitlab as described in this question (I don't have access to the App Registrations functionality)

I don't want to use Azure to rebuild the application using the webhook system; I already have a known-working ZIP package that I want to deploy. My only hangup is logging in.

How can I log in to Azure (i.e. what incantations do I have to provide to az login) from a Gitlab CI runner, in order to deploy my website from a zipped Gitlab artifact to the App Service?

(Note: I am a teacher trying to figure this out for my students; it is possible that I am working with a somehow-limited Azure, but my local IT doesn't support us for this and of course neither will Microsoft.)

If you cannot access the app registrations as discussed in a similar question and have no federation configured, your only options are to use a username and password (e.g. a user's username and password to authenticate to AAD), use a device code flow, or self-host your GitLab runner on Azure with a managed identity.

Using username and password

Using a username and password is straightforward:

az login --tenant $YOUR_TENANT_ID -u $YOUR_USERNAME -p $YOUR_PASSWORD

However, this may not be possible if you normally do not log in to Azure using a username and password (for example, you use OAuth or other federated login for the Azure portal and users have no passwords set). In that case, you will need to use the device code flow.

Using device code

To use the device code flow, you will need to monitor the job output, copy the URL shown, and log in from your browser every time your job runs. In your job, add the following:

az login --tenant $YOUR_TENANT_ID --use-device-code

In the job output you will see a message similar to the following:

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code YOUR-CODE-WILL-APPEAR-HERE to authenticate

Copy the code from the message, open your browser to the device login page and enter the code to allow your job to proceed.

Note: It is possible for organizations to disable this login method, in which case you will see an error when trying to log in this way.

Self-hosting GitLab runner on Azure with a managed identity

Lastly, if you're not able to use any of the above methods, you can deploy the GitLab runner to Azure itself as an application that uses a managed identity (for example on AKS, ACI, or on a VM with a managed identity).

For example, you can configure a shell runner on an Azure VM. Azure VMs with a managed identity will not require az login to perform az cli commands.

Creating the managed system identity in the app's "Identity" pane (can't find any associated password?!)

The reason you can't find any associated password is that managed identities can only be leveraged from Azure services; for example, Azure VMs using a managed identity are able to use az cli without logging in.
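As an added example (not part of the original question or answer), a minimal .gitlab-ci.yml that wires the username/password login from the answer to the poster's az webapp deploy step, with the credentials read from masked, protected CI/CD variables rather than the repository. The variable names AZURE_TENANT_ID, AZURE_USERNAME and AZURE_PASSWORD, the artifact name app.zip, the build command and the resource group and app names are assumed placeholders.

```yaml
# Added example, not from the original page: deploy a prebuilt zip artifact
# to an Azure App Service from a GitLab CI job using az login with a
# username and password held in masked + protected CI/CD variables.
stages:
  - build
  - deploy

build:
  stage: build
  image: node:20
  script:
    - npm ci
    - npm run build                      # assumed build script
    - zip -r app.zip . -x ".git/*"       # the known-working package
  artifacts:
    paths:
      - app.zip
    expire_in: 1 day

deploy:
  stage: deploy
  image: mcr.microsoft.com/azure-cli
  needs: ["build"]                       # consume the zip from the build job
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    # AZURE_TENANT_ID, AZURE_USERNAME and AZURE_PASSWORD are defined in the
    # project's CI/CD settings as masked and protected variables (assumed
    # names); they never appear in the repository or in job logs.
    RESOURCE_GROUP: "my-resource-group"  # placeholder
    WEBAPP_NAME: "my-webapp"             # placeholder
  script:
    - az login --tenant "$AZURE_TENANT_ID" -u "$AZURE_USERNAME" -p "$AZURE_PASSWORD" --output none
    - az webapp deploy --resource-group "$RESOURCE_GROUP" --name "$WEBAPP_NAME" --src-path app.zip --type zip
  after_script:
    # Drop the cached token so it does not outlive the job on the runner.
    - az logout || true
```

For the device code path described in the answer, replace the az login line with `az login --tenant "$AZURE_TENANT_ID" --use-device-code` and complete the browser step while the job waits.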
