stackoom
  简体   繁体   中英

How might I assign a service principal to an AAD group in my hosted VSTS release pipeline using PowerShell?

 原文  2017-12-27 00:18:56       powershell/ azure/ azure-active-directory/ azure-pipelines-release-pipeline/ azure-managed-identity

Question

I have a VSTS release pipeline which provisions a new function app with a Managed Service Identity . My solution includes a shared key vault instance for my app secrets. Key vault allows a maximum of 16 access control entries so I've taken the approach of creating an Azure AD group for applications which I will add application service principals to. All straight forward and workable in PowerShell locally, but I'm not able to figure out a way to do this using hosted build servers in the VSTS release pipeline and a Run Powershell In Azure release task.

The Azure CLI is at version 1.X on the Hosted build server and 2.x on the Hosted 2017 build server * 1.x doesn't appear to offer AD group manipulation or graph API access * 2.x does offer az ad group member add but the hosted 2017 build has a problem with New-AzureStorageTable which is used elsewhere in my pipeline, so I can't use it

Similarly, the Azure RM powershell module on the Hosted build server is very old and doesn't appear to support group membership manipulation . The version on the Hosted 2017 server (which I can't use) has commands like Get-AzureRmADGroup but nothing to add a user to that group.

The cmdlet Add-AzureADGroupMember, available in the AAD powershell would be a nice solution, but it's not available on either the Hosted or Hosted 2017 build servers.

I've considered both automation runbooks and direct HTTPS posts to the graph API using the OAuth token available in the release pipeline, but want to stay with PowerShell to keep the number of technologies in my release pipeline as small as possible. I'd also prefer to avoid storing credentials in a secured manner for use in a PowerShell command like Login-AzureRmAccount and rely on the identity of the Service Endpoint I defined for my release pipeline.

Suggestions appreciated.

1 answers

solution1
 0  2017-12-27 02:03:38

Since the Hosted agent can't meet your requirements, you can configure a private build agent (it's free) on your machine: Deploy an agent on Windows .

Regarding Add-AzureADGroupMember cmdlet, you can install it by calling Install-Module -Name AzureAD through Azure PowerShell task, which works fine on Hosted agent.

Script: 

Install-PackageProvider -Name NuGet -Force -Scope CurrentUser
Install-Module -Name AzureAD -Force -Verbose -Scope CurrentUser

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Powershell Split function not working in VSTS Release pipeline Using Microsoft Graph SDK for Powershell to Assign Role to App Service Principal? Use Service Principal in Azure CLI in VSTS Release Definition How to update VSTS release job agent pool using powershell How can I invoke a method on a service that is hosted in Azure using Powershell? Runspaces and Jobs in VSTS hosted agent release Azure Powershell script How to modify the application manifest in VSTS release pipeline? How to assign AAD Group to an Enterprise App? How do I connect to Azure through PowerShell Modules, using the Service principal of a Registered App? How to get thumbprint of the certificate associated with a service principal using Powershell?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM