Az Powershell Connect-AzAccount fails in docker container, but works on host
Question
I have a Windows 10 machine with PowerShell 7. I wrote the following logic to log in to Azure using a service principal:
$Secure2 = ConvertTo-SecureString -String $AZ_DEPLOYMENT_CLIENT_ENCRYPTED_SECRET
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AZ_DEPLOYMENT_CLIENT_ID, $Secure2
#Connect
Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_ID -Credential $Credential
Set-Azcontext -Subscription $AZ_SUBSCRIPTION_ID -Tenant $AZ_TENANT_ID
It works fine on the host. But when I try to run the same logic inside a Docker image (dotnet sdk 6.0), the command fails with this error:
PS /builds> Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_ID -Credential $Credential
WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( /root/.Azure ). Please ensure that this directory has appropriate protections.
Connect-AzAccount: ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{guid}'.
Trace ID: asdfasdf
Correlation ID: asdfasdf
Timestamp: 2022-04-19 15:07:22Z
Az PowerShell version
On the host I am running:
PS C:\Users\me> Get-InstalledModule -Name Az
Version Name Repository Description
------- ---- ---------- -----------
7.1.0 Az PSGallery Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatible with PowerShell and Window…
Inside the container:
PS /builds> Get-InstalledModule -Name Az
Version Name Repository Description
------- ---- ---------- -----------
7.4.0 Az PSGallery Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatible with PowerShell and Windows PowerShell.…
Dockerfile
FROM mcr.microsoft.com/dotnet/sdk:6.0
RUN apt update
RUN apt-get install vim -y
COPY . /builds
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
RUN apt-get install -y curl && curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN apt-get install -y nodejs
RUN npm install -g azure-functions-core-tools@4 --unsafe-perm true
Then I run these commands manually to install the Az modules:
pwsh -c "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force"
pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease -Repository PSGallery -Force"
Edit 1
In my Dockerfile I am now using multiple stages, so I don't have to install the Azure PowerShell toolset in the dotnet SDK image. My Dockerfile now looks like this:
FROM --platform=amd64 mcr.microsoft.com/dotnet/sdk:6.0.202-bullseye-slim-amd64 AS deployFunctionApp
RUN apt update && apt-get install vim -y
COPY . /builds
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
RUN apt-get install -y curl && curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN apt-get install -y nodejs
RUN npm install -g azure-functions-core-tools@4 --unsafe-perm true
WORKDIR ./builds/tests
RUN dotnet test --test-adapter-path:. --logger:"junit;LogFilePath=..\TestResults\test-results.xml;MethodFormat=Class;FailureBodyFormat=Verbose"
WORKDIR ../
RUN cat ./externalVariables.json
RUN pwsh -c "./deploy-function-app.ps1"
FROM --platform=amd64 mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04 AS deployAppRegistration
COPY . /builds
WORKDIR ./builds
RUN pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease -Repository PSGallery -Force"
RUN pwsh -c "./ad-app-reg.ps1"
So now I can build a single stage like this:
PS /Users/me> docker build --target deployAppRegistration -t mytest .
[+] Building 17.5s (7/9)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.35kB 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04 0.2s
=> [internal] load build context 0.0s
=> => transferring context: 23.03kB 0.0s
=> CACHED [deployappregistration 1/5] FROM mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04@sha256:4d2a4c73e91c27be3ac3de40a1dd8cf36dde17d43da8837a1967fab6ac376950 0.0s
=> [deployappregistration 2/5] COPY . /builds 0.2s
=> [deployappregistration 3/5] WORKDIR ./builds 0.0s
=> [deployappregistration 4/5] RUN pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease -Repository PSGallery -Force"
=> [deployappregistration 5/5] RUN pwsh -c "./ad-app-reg.ps1" 16.1s
But it still can't connect to Azure. I started a new container from this image and can reproduce the error I see during the docker build command:
root@7a0f9c69306d:/builds# ls
arm_templates deploy-function-app.ps1 externalVariables.json src
Dockerfile postman_tests tests
ad-app-reg.ps1 docs README.md
root@7a0f9c69306d:/builds# pwsh
PowerShell 7.2.2
Copyright (c) Microsoft Corporation.
https://aka.ms/powershell
Type 'help' to get help.
PS /builds> ./ad-app-reg.ps1
WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( /root/.Azure ). Please ensure that this directory has appropriate protections.
Connect-AzAccount: /builds/ad-app-reg.ps1:30
Line |
30 | Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_I …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application
| registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret
| value, not the client secret ID, for a secret added to app '[ad app reg guid]'. Trace ID: asdfasdf Correlation ID: asdf Timestamp:
| 2022-04-25 12:42:08Z
Set-AzContext: /builds/ad-app-reg.ps1:32
Line |
32 | Set-Azcontext -Subscription $AZ_SUBSCRIPTION_ID -Tenant $c …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Run Connect-AzAccount to login.
I had to re-create the encrypted secret inside the container, and then it started working. Still not clear why it doesn't like the encrypted secret I created on the host and saved to a file. It was created with the same secret and service principal. But I guess the error message is legitimate: it really doesn't like that credential!
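A portable way to carry the secret between the Windows host and the Linux container, added here as an example that is not part of the original post: ConvertFrom-SecureString without -Key protects the string with Windows DPAPI, which only the same user on the same machine can undo, so the example encrypts with an explicit AES key instead and verifies a SHA-256 digest of the decrypted value before calling Connect-AzAccount, so a wrong blob fails locally rather than as AADSTS7000215. The file paths and the function names are assumptions.

```powershell
# Added example, not from the original post. Carries a service-principal secret from a Windows
# host to a Linux container with an explicit AES key instead of the default (Windows DPAPI-bound)
# protection, and checks a SHA-256 digest of the decrypted value before attempting the login.
# Assumed, hypothetical names: the three file paths and the functions below.

function Get-Sha256Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

# Run on the host once: generates a 256-bit key, encrypts the secret with it (machine-independent,
# unlike the key-less form used in the question) and records the digest of the plaintext.
function Export-PortableSecret {
    param([Parameter(Mandatory)][string]$PlainSecret,
          [Parameter(Mandatory)][string]$KeyPath,
          [Parameter(Mandatory)][string]$SecretPath,
          [Parameter(Mandatory)][string]$DigestPath)
    $key = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [System.IO.File]::WriteAllBytes($KeyPath, $key)
    $secure = ConvertTo-SecureString -String $PlainSecret -AsPlainText -Force
    ConvertFrom-SecureString -SecureString $secure -Key $key | Set-Content -Path $SecretPath -NoNewline
    Get-Sha256Hex -Text $PlainSecret | Set-Content -Path $DigestPath -NoNewline
}

# Run in the container: rebuild the PSCredential, then fail fast if the decrypted value does not
# match the recorded digest (a wrong or corrupted blob would otherwise surface only at the server).
function Import-PortableCredential {
    param([Parameter(Mandatory)][string]$ClientId,
          [Parameter(Mandatory)][string]$KeyPath,
          [Parameter(Mandatory)][string]$SecretPath,
          [Parameter(Mandatory)][string]$DigestPath)
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    $secure = ConvertTo-SecureString -String (Get-Content -Path $SecretPath -Raw) -Key $key
    $cred = [System.Management.Automation.PSCredential]::new($ClientId, $secure)
    $actual = Get-Sha256Hex -Text $cred.GetNetworkCredential().Password
    if ($actual -ne (Get-Content -Path $DigestPath -Raw).Trim()) {
        throw "Decrypted secret does not match the digest recorded on the host; the blob or key is wrong."
    }
    return $cred
}

# Container side, using the variables from the question (paths are assumed):
$Credential = Import-PortableCredential -ClientId $AZ_DEPLOYMENT_CLIENT_ID -KeyPath '/builds/sp.key' `
    -SecretPath '/builds/sp.secret' -DigestPath '/builds/sp.sha256'
Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_ID -Credential $Credential
```

The key file has to reach the container separately from the secret blob (for example as a build secret or a mounted volume), since anyone holding both can recover the secret.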