无法在 Azure Devops 中使用 PowerShell 任务获取令牌
[英]Unable to acquire token using PowerShell task in Azure Devops
问题描述
I have developed a PowerShell script which runs as expected when running on my laptop directly.
我开发了一个 PowerShell 脚本,当直接在我的笔记本电脑上运行时,它会按预期运行。 However when running the script through Azure Devops it is failing to acquire the token and throws an error saying the client secret is incorrect.但是,当通过 Azure Devops 运行脚本时,它无法获取令牌并引发错误,提示客户端密码不正确。
The script is called as a PowerShell task from the pipeline, it runs on an ubuntu ADO agent.该脚本被称为管道中的 PowerShell 任务,它在 ubuntu ADO 代理上运行。
The script creates an AAD App Registration, sets some API permissions up, and then uses this registration to create some other elements in the AAD.该脚本创建一个 AAD 应用注册,设置一些 API 权限,然后使用此注册在 AAD 中创建一些其他元素。
Once the app registration is created, the script generates a Client Secret using创建应用注册后,脚本会使用
$clientSecret = (az ad app credential reset --id $appId --append | ConvertFrom-Json).password
I can do a Write-Host $clientSecret in the script and the job shows the correct secret that was generated.我可以在脚本中执行Write-Host $clientSecret并且该作业显示生成的正确密钥。
The section that fails is during the Invoke-WebRequest command used to get the token.失败的部分是在用于获取令牌的Invoke-WebRequest命令期间。
# connect to graph using the application registration
$url = "https://login.microsoftonline.com/$b2cTenantId/oauth2/token"
$resource = "https://graph.microsoft.com/"
$restbody = @{
grant_type = 'client_credentials'
client_id = $appID
client_secret = $clientSecret
resource = $resource
}
Write-Host "Rest Body = "
Write-Host ($restbody | out-string)
# Get the return Auth Token
$token = Invoke-WebRequest -Method POST -Uri $url -Body $restbody
The error thrown is抛出的错误是
{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app
As I said, exactly the same script, using the same credentials runs locally fine.正如我所说,完全相同的脚本,使用相同的凭据在本地运行良好。 The script does an AZ Login and Connect-AZAccount first.该脚本首先执行 AZ Login 和Connect-AZAccount 。
1 个解决方案
解决方案1
0 2022-07-05 08:26:54
To protect the secrets (password, access token, etc..) and prevent them from being leaked, Azure Pipelines does not recommend direct plaintext of secrets in the scripts.为了保护机密(密码、访问令牌等)并防止它们被泄露,Azure Pipelines 不建议在脚本中直接使用明文机密。
You need to set the secrets as secret variables through the logging command " SetVariable ".您需要通过日志记录命令“ SetVariable ”将秘密设置为秘密变量。
- pwsh: |
Write-Host "##vso[task.setvariable variable=clientSecret;issecret=true]{Secret Value}"
name: 'Set Secret'
Then in the subsequently PowerShell tasks, you can map the secret variables as environment variables for use in the PowerShell scripts.然后在随后的 PowerShell 任务中,您可以将机密变量映射为环境变量以在 PowerShell 脚本中使用。
- powershell: |
Write-Host "This is a script that could use $CLIENT_SECRET"
Write-Host "$CLIENT_SECRET= $(clientSecret)"
env:
CLIENT_SECRET: $(clientSecret)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.