Az Powershell Connect-AzAccount 在 docker 容器中失敗，但在主機上有效

Question

問題

我有一台 Windows 10 機器和 Powershell 7。我寫了以下邏輯來使用服務原則登錄 azure：

$Secure2 = ConvertTo-SecureString -String $AZ_DEPLOYMENT_CLIENT_ENCRYPTED_SECRET
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AZ_DEPLOYMENT_CLIENT_ID, $Secure2
#Connect
Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_ID -Credential $Credential
Set-Azcontext -Subscription $AZ_SUBSCRIPTION_ID -Tenant $AZ_TENANT_ID

它在主機上運行良好。 但是，當我嘗試在 docker 圖像 (do.net sdk 6.0) 中運行相同的邏輯時，命令失敗並顯示錯誤：

PS /builds> Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_ID -Credential $Credential
WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( /root/.Azure ). Please ensure that this directory has appropriate protections.
Connect-AzAccount: ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{guid}'.
Trace ID: asdfasdf
Correlation ID: asdfasdf
Timestamp: 2022-04-19 15:07:22Z

Az Powershell 版本

在主機上，我正在運行：

PS C:\Users\me> Get-InstalledModule -Name Az


Version              Name                                Repository           Description
-------              ----                                ----------           -----------
7.1.0                Az                                  PSGallery            Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatible with PowerShell and Window… 

容器內部：

PS /builds>  Get-InstalledModule -Name Az

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
7.4.0                Az                                  PSGallery            Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatible with PowerShell and Windows PowerShell.…

Dockerfile

FROM mcr.microsoft.com/dotnet/sdk:6.0 
RUN apt update
RUN apt-get install vim -y
COPY . /builds
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
RUN apt-get install curl && curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN apt-get install nodejs
RUN npm install -g azure-functions-core-tools@4 --unsafe-perm true

然后我手動運行這個命令來安裝 az 模塊：

 pwsh -c "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force"
 pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease PSGallery -Force"

編輯 1

在我的 Dockerfile 中，現在我正在使用多個階段，所以我不必在 do.net SDK 圖像中安裝 Azure Powershell 工具集。 現在我的 dockerfile 看起來像這樣：

FROM --platform=amd64 mcr.microsoft.com/dotnet/sdk:6.0.202-bullseye-slim-amd64 AS deployFunctionApp
RUN apt update && apt-get install vim -y
COPY . /builds
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
RUN apt-get install curl && curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN apt-get install nodejs
RUN npm install -g azure-functions-core-tools@4 --unsafe-perm true
WORKDIR ./builds/tests
RUN dotnet test --test-adapter-path:. --logger:"junit;LogFilePath=..\TestResults\test-results.xml;MethodFormat=Class;FailureBodyFormat=Verbose"
WORKDIR ../
RUN cat ./externalVariables.json
RUN pwsh -c "./deploy-function-app.ps1"

FROM --platform=amd64 mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04 AS deployAppRegistration
COPY . /builds
WORKDIR ./builds
RUN pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease -Repository PSGallery -Force"
RUN pwsh -c "./ad-app-reg.ps1"

所以現在我可以像這樣分階段構建：

PS /Users/me> docker build --target deployAppRegistration -t mytest .

[+] Building 17.5s (7/9)                                                                                                                                                                                                                                                                             
 => [internal] load build definition from Dockerfile                                                                                                                                                                                                                                            0.0s
 => => transferring dockerfile: 1.35kB                                                                                                                                                                                                                                                          0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                                                                               0.0s
 => => transferring context: 2B                                                                                                                                                                                                                                                                 0.0s
 => [internal] load metadata for mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04                                                                                                                                                                                                          0.2s
 => [internal] load build context                                                                                                                                                                                                                                                               0.0s
 => => transferring context: 23.03kB                                                                                                                                                                                                                                                            0.0s
 => CACHED [deployappregistration 1/5] FROM mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04@sha256:4d2a4c73e91c27be3ac3de40a1dd8cf36dde17d43da8837a1967fab6ac376950                                                                                                                       0.0s
 => [deployappregistration 2/5] COPY . /builds                                                                                                                                                                                                                                                  0.2s
 => [deployappregistration 3/5] WORKDIR ./builds                                                                                                                                                                                                                                                0.0s
 => [deployappregistration 4/5] RUN pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease -Repository PSGallery -Force"        
=> [deployappregistration 5/5] RUN pwsh -c "./ad-app-reg.ps1"                                                                                                                                                                                                                           16.1s
                                                                                                                                                                                                                  

但它仍然無法連接到 azure。 我基於此圖像啟動了一個新容器，並且可以重現我在 docker 構建命令中看到的錯誤：

root@7a0f9c69306d:/builds# ls
arm_templates            deploy-function-app.ps1  externalVariables.json  src
Dockerfile            postman_tests           tests
ad-app-reg.ps1     docs                  README.md

root@7a0f9c69306d:/builds# pwsh
PowerShell 7.2.2
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.

PS /builds> ./ad-app-reg.ps1
WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( /root/.Azure ). Please ensure that this directory has appropriate protections.
Connect-AzAccount: /builds/ad-app-reg.ps1:30
Line |
  30 |  Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_I …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application
     | registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret
     | value, not the client secret ID, for a secret added to app '[ad app reg guid]'. Trace ID: asdfasdf Correlation ID: asdf Timestamp:
     | 2022-04-25 12:42:08Z

Set-AzContext: /builds/ad-app-reg.ps1:32
Line |
  32 |  Set-Azcontext -Subscription $AZ_SUBSCRIPTION_ID -Tenant $c …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Run Connect-AzAccount to login.

Answer 1

我不得不在容器中重新創建加密的秘密，然后它開始工作。 仍然不清楚為什么它不喜歡我在主機上創建並保存到文件中的加密秘密。 它是使用相同的秘密和安全原則創建的。 但我猜錯誤消息是合法的——它真的不喜歡這個憑證！