Update Azure Key Vault Secret using Azure DevOps Pipeline - azure

I'm using a Service Principal for the Azure DevOps Release Pipeline and an Azure VM as an agent pool.
But I'm getting an error like this: ERROR: Please run 'az login' to set up an account.
My pipeline looks like this:
variables:
  secretConfluentApiKey: 'ConfluentAPIKey'
  secretConfluentApiSecret: 'ConfluentAPISecret'
steps:
- task: AzurePowerShell@5
  displayName: 'Confluent: Kafka API Key Refresh'
  inputs:
    azureSubscription: 'Azure DevOps to Azure Resources'
    ScriptType: InlineScript
    Inline: |
      # Make Git's openssl and the Azure CLI reachable on the self-hosted agent
      $env:path = $env:path + ";C:\Program Files\Git\usr\bin" + ";C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin"
      Invoke-WebRequest -UseBasicParsing -Uri "https://keyserviceurlgoes.here" -OutFile C:\api-key
      Set-Location C:\
      # Decrypt the downloaded payload and read the JSON it contains
      $data = openssl pkeyutl -decrypt -in api-key -inkey my.key
      $SecretImport = $data | ConvertFrom-Json
      # Expiry in ISO 8601 UTC; 'mm' is minutes ('MM' would insert the month) and the
      # value must be converted to UTC before the literal 'Z' is appended
      $Planned = (Get-Date $SecretImport.metadata.created_at).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
      $ConfluentAPIKey = "$(secretConfluentApiKey)"
      $ConfluentAPISecret = "$(secretConfluentApiSecret)"
      $VaultName = "$(azureKeyVaultName)"
      # -o tsv returns the bare value; the default JSON output keeps the quotes, so the comparison below would never match
      $CurrentKey = az keyvault secret show --name $ConfluentAPIKey --vault-name $VaultName --query "value" -o tsv
      if ($CurrentKey -eq $SecretImport.key) {
        Write-Host 'Key is in Active State'
      }
      else {
        az keyvault secret set --vault-name $VaultName --name $ConfluentAPIKey --value $SecretImport.key --expires $Planned
        az keyvault secret set --vault-name $VaultName --name $ConfluentAPISecret --value $SecretImport.secret --expires $Planned
      }
    azurePowerShellVersion: LatestVersion
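The rotation decision in the question's inline script, re-expressed as an added Python example (not code from the question, from Confluent or from Azure) so it can be exercised locally: the decrypted JSON is a constructed stand-in, `run` is an injectable function so no `az` binary or vault is needed, and the two details worth checking in such a script are shown explicitly, namely normalising what `az keyvault secret show --query value` prints (JSON with quotes unless `-o tsv` is used) and formatting the `--expires` timestamp in UTC with minutes rather than months.

```python
import json
from datetime import datetime, timezone

# Constructed stand-in for the decrypted JSON that `openssl pkeyutl` yields in the question.
SAMPLE_IMPORT = json.dumps({
    "key": "NEWKEY123",
    "secret": "newsecretvalue",
    "metadata": {"created_at": "2024-03-01T10:15:30Z"},
})


def expiry_from_created(created_at):
    """ISO 8601 UTC timestamp for `--expires`.

    %M is minutes; the .NET format "HH:MM:ss" would put the month there, and the
    timestamp must be converted to UTC before a literal 'Z' is appended."""
    dt = datetime.fromisoformat(created_at.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def current_key_from_cli(raw_output):
    """Normalise what `az keyvault secret show --query value` prints.

    The default JSON output is '"value"\\n' (quotes included), so a plain string
    comparison never matches; `-o tsv` prints the bare value. Both are accepted here."""
    text = raw_output.strip()
    return json.loads(text) if text.startswith('"') else text


def plan_rotation(current_key, import_json, vault, key_name, secret_name):
    """Return the az commands to run; empty when the stored key is already current."""
    imported = json.loads(import_json)
    if current_key == imported["key"]:
        return []
    expires = expiry_from_created(imported["metadata"]["created_at"])
    base = ["az", "keyvault", "secret", "set", "--vault-name", vault]
    return [
        base + ["--name", key_name, "--value", imported["key"], "--expires", expires],
        base + ["--name", secret_name, "--value", imported["secret"], "--expires", expires],
    ]


def rotate(run, vault, key_name, secret_name, import_json):
    """run(argv) -> stdout text. Reads the stored key, applies the plan, returns the number of writes."""
    shown = run(["az", "keyvault", "secret", "show", "--name", key_name,
                 "--vault-name", vault, "--query", "value", "-o", "tsv"])
    commands = plan_rotation(current_key_from_cli(shown), import_json, vault, key_name, secret_name)
    for argv in commands:
        run(argv)
    return len(commands)


if __name__ == "__main__":
    import subprocess

    def az_run(argv):  # real runner: needs an authenticated az on PATH (hypothetical vault name below)
        return subprocess.run(argv, check=True, capture_output=True, text=True).stdout

    print(rotate(az_run, "my-vault", "ConfluentAPIKey", "ConfluentAPISecret", SAMPLE_IMPORT), "secret(s) written")
```

Keeping the plan separate from the runner is what makes the logic testable without a vault; in the pipeline the runner is the real CLI, authenticated by the task's service connection.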

ERROR: Please run 'az login' to set up an account
This error occurs when you are not logged into your Azure account and authenticated with it. Run this CLI task before running your key vault script. I created one Service Principal service connection in my Azure DevOps project and used it for authentication.
I added one Service Principal connection with my service principal client ID, tenant ID and client secret like below:-
Project Settings > Service connections > New Service connection > Azure Resource Manager > Service connection (manual) > enter your service connection details like below:-
Enter the service connection name > Verify and Save > Use this service principal in your Azure CLI task for the key vault.
I ran the Azure CLI key vault script without running the az login --service-principal command, using the service principal connection like below:-
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
- script: echo Hello, world!
  displayName: 'Run a one-line script'
- script: |
    echo Add other tasks to build, test, and deploy your project.
    echo See https://aka.ms/yaml
  displayName: 'Run a multi-line script'
- task: AzureCLI@2
  inputs:
    azureSubscription: 'ServicePrincipal'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: 'az keyvault secret set --name MySecretNamesiddesai --vault-name keyvaultname --value secretvalue'
The service principal connection was authenticated and the new key vault secret was set like below:-
Even if using the service principal service connection fails, you can additionally run the az login --service-principal command for the service principal in the CLI inline script like below:-
- task: AzureCLI@2
  inputs:
    azureSubscription: 'ServicePrincipal'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az login --service-principal -u <clientorappid> -p <client-secret> --tenant <tenant-id>
      az keyvault secret set --name MySecretNamesid --vault-name keyvaultname --value keyvaultsecret
Output:-

Related

How to suppress warning "ZipDeploy Validation WARNING: It is recommended to set app setting WEBSITE_RUN_FROM_PACKAGE = 1"

In my Azure DevOps pipeline, I'm deploying a logic app on Azure but I get this warning:
##[warning]"ZipDeploy Validation WARNING: It is recommended to set app setting WEBSITE_RUN_FROM_PACKAGE = 1 unless you are targeting one of the following scenarios:
1. Using portal editing.
2. Running post deployment scripts.
3. Need write permission in wwwroot.
4. Using custom handler with special requirements.
NOTE: If you decide to update app setting WEBSITE_RUN_FROM_PACKAGE = 1, you will have to re-deploy your code."
Is it possible to suppress this warning?
Make sure to add the application settings to allow zip deploy like below:-
- task: AzureCLI@2
  inputs:
    # TODO: Fill in with the name of your Azure service connection
    azureSubscription: ''
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az functionapp config appsettings set --name $(LAname) --resource-group $(resourceGroupName) --settings "BLOB_CONNECTION_RUNTIMEURL=$(blobendpointurl)"
      az functionapp config appsettings set --name $(LAname) --resource-group $(resourceGroupName) --settings "WORKFLOWS_RESOURCE_GROUP_NAME=$(resourceGroupName)"
      az functionapp config appsettings set --name $(LAname) --resource-group $(resourceGroupName) --settings WEBSITE_RUN_FROM_PACKAGE=1
    addSpnToEnvironment: true
    useGlobalConfig: true
PowerShell task with app service plan:
- task: AzurePowerShell@5
  inputs:
    azureSubscription: 'MyAzureSubscription'
    ScriptType: 'InlineScript'
    Inline: |
      Set-AzWebApp -Name MyWebApp -ResourceGroupName MyResourceGroup -AppSettings @{'WEBSITE_RUN_FROM_PACKAGE'='1'}
    azurePowerShellVersion: 'LatestVersion'
Make sure you change the deployment method in your YAML pipeline to deploymentMethod: 'runFromPackage' instead of 'zipDeploy' like below:-
And then run your pipeline to allow zip deployment of the Azure Logic app.
Reference:-
AzureFunctionApp#1 Gives a warning about something it removes itself · Issue #17580 · microsoft/azure-pipelines-tasks · GitHub

helm registry login --password-stdin in Azure DevOps pipeline

I am trying to log in to my private ACR using an Azure DevOps pipeline.
I tried it this way:
- task: AzureCLI@2
  inputs:
    azureSubscription: $(azureSubscriptionForACR)
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $password = az acr credential show -n $(azureAcrName) --query passwords[0].value
      helm registry login $(azureContainerRegistry) --username $(azureAcrUserName) --password $password
which works, but there is a warning when I run the pipeline:
"WARNING: Using --password via the CLI is insecure. Use --password-stdin."
I would like to avoid the warning, so I tried many variants of this, but with no success:
- task: AzureCLI@2
  inputs:
    azureSubscription: $(azureSubscriptionForACR)
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $password = az acr credential show -n $(azureAcrName) --query passwords[0].value
      echo $password | helm registry login $(azureContainerRegistry) --username $(azureAcrName) --password-stdin
It always ends up with:
Error: Get "https://azureacr.azurecr.io/v2/": unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
I am using the new Helm 3.8.0.
Is there a way to do it with --password-stdin?
You can store the $password value as an environment variable in Azure DevOps, the same way you are doing for the ACR username and other values, and then use the echo command.
Example:
First get the password for the ACR using the command below and then store it in the environment variable registryPassword.
az acr credential show -n $(azureAcrName) --query passwords[0].value
Then use the below to log in:
- task: AzureCLI@2
  inputs:
    azureSubscription: $(azureSubscriptionForACR)
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: |
      echo $(registryPassword) | helm registry login $(azureContainerRegistry) --username $(azureAcrName) --password-stdin
For more information you can refer to this blog by Abhith Rajan or this SO thread.
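As an added example (not the answer's code, and not Helm's or the Azure CLI's), the Python below shows the two things this thread turns on: a secret handed to a login command on its stdin rather than in its argument list, and the piped value being the bare secret. `az ... --query` prints JSON by default, so the captured string carries its quotes and trailing newline unless `-o tsv` is used. The function names, the sample CLI output and the stand-in reader process are all constructed for the example.

```python
import json
import subprocess
import sys


def secret_from_cli_json(raw_output):
    """Turn what `az ... --query passwords[0].value` prints without `-o tsv`
    (a JSON string: quotes included, newline at the end) into the bare value."""
    return json.loads(raw_output)


def login_via_stdin(secret, login_argv):
    """Run a login command with the secret on stdin, never in argv.

    argv is visible to `ps`, to other users of a shared agent and to the
    pipeline log, which is why the CLI warns about --password; stdin is not.
    Returns (exit code, stdout)."""
    if any(secret in arg for arg in login_argv):
        raise ValueError("secret must not appear in the command line")
    result = subprocess.run(login_argv, input=secret + "\n",
                            capture_output=True, text=True)
    return result.returncode, result.stdout


# Constructed stand-in for the az output captured in the question.
SAMPLE_AZ_OUTPUT = '"p4ssw0rd-from-acr"\n'


def demo():
    """Decode the CLI output, then feed it to a stand-in for
    `helm registry login --password-stdin`: a child process that reads one
    line from stdin and prints its length, proving the bare value arrived."""
    password = secret_from_cli_json(SAMPLE_AZ_OUTPUT)
    reader = [sys.executable, "-c",
              'import sys; pw = sys.stdin.readline().rstrip("\\n"); print(len(pw))']
    code, out = login_via_stdin(password, reader)
    return password, code, out.strip()


if __name__ == "__main__":
    print(demo())
```

The same shape applies in the pipeline: capture the credential with `-o tsv` (or decode the JSON), keep it out of the command line, and pipe it into the tool that accepts `--password-stdin`.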

Using outputs of Powershell in Github Actions

I am trying to get a connection string using PowerShell and pass it as an argument to another step in the workflow, but I am getting this error:
Input required and not supplied: connection-string
But I am following similar behaviour that I have used before, and I am not sure why it is not working. Here is part of my script:
- name: Secrets to Key Vault
  uses: azure/powershell@v1
  env:
    POWERSHELL_TELEMETRY_OPTOUT: 1
  with:
    inlineScript: |
      $sqlConnectionString = (az keyvault secret show --vault-name <keyVaultName> --name <secret-name> --query [value] --output tsv)
      echo ::set-output name=sqlConnectionString::$( $sqlConnectionString)
    azPSVersion: '3.1.0'
- name: Deploy Core Module
  uses: azure/sql-action@v1
  id: sqlConnection
  with:
    server-name: <sqlServerName>
    connection-string: ${{ steps.sqlConnection.outputs.sqlConnectionString }}
    dacpac-package: './Database.dacpac'
I think the problem is related to the output of the variable, but I used similar syntax previously in a simple run step and it worked. Could it be related to the behaviour of PowerShell?
Please add an id to your first action:
- name: Secrets to Key Vault
  uses: azure/powershell@v1
  id: setSqlConnection
  env:
    POWERSHELL_TELEMETRY_OPTOUT: 1
  with:
    inlineScript: |
      $sqlConnectionString = (az keyvault secret show --vault-name <keyVaultName> --name <secret-name> --query [value] --output tsv)
      echo ::set-output name=sqlConnectionString::$( $sqlConnectionString)
    azPSVersion: '3.1.0'
- name: Deploy Core Module
  uses: azure/sql-action@v1
  id: sqlConnection
  with:
    server-name: <sqlServerName>
    connection-string: ${{ steps.setSqlConnection.outputs.sqlConnectionString }}
    dacpac-package: './Database.dacpac'
and then use it to access output ${{ steps.setSqlConnection.outputs.sqlConnectionString}}

How to pass the output from kubectl task to next task in Azure Devops

I am using AKS. I am trying to fetch the IP of the service after my deployment through DevOps so that I can pass the IP on to API Management for further configuration. Right now my task looks like this:
- task: Kubernetes@1
  inputs:
    connectionType: 'Kubernetes Service Connection'
    kubernetesServiceEndpoint: 'string-Conn'
    namespace: '<appservices>'
    command: 'get'
    arguments: 'get services --namespace appservices authsvc --output jsonpath=''{.status.loadBalancer.ingress[0].ip}'''
    secretType: 'dockerRegistry'
    containerRegistryType: 'Azure Container Registry'
  name: 'GetSvc'
When I run the command locally I get the IP of the load balancer, but how can I pass the output from this task to the next task? Previously, when I used Azure CLI scripts, I could emit the vso set-variable command as part of the script itself, like the one below, but I am not sure how to put the output of this task into a variable.
inlineScript: |
  $something = (az storage container generate-sas --account-name <container> --name armtemplate --permissions r --expiry $(date -u -d "30 minutes" +%Y-%m-%dT%H:%MZ))
  Write-Host($something)
  Write-Output("##vso[task.setvariable variable=SasToken;]$something")
I have followed the approach suggested by Amit Baranes, since I am not clear on the script execution assignment without a variable name. I used the Azure CLI task and ran it. It was successful:
- task: AzureCLI@2
  inputs:
    azureSubscription: '<Service-Conn>'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az aks get-credentials -n $(clusterName) -g $(clusterRG)
      $externalIp = (kubectl get -n $(ns) services $(svc) --output jsonpath='{.status.loadBalancer.ingress[0].ip}')
      Write-Host($externalIp)
      Write-Output("##vso[task.setvariable variable=AKSURL;]$externalIp")
We could use the logging command ##vso[task.setvariable variable=SasToken;]$something to set variables in scripts.
But according to your description, we recommend that you use an output variable to pass the IP. For example, assume we have a task called MyTask, which sets an output variable called MyVar. We could use outputs in the same job:
steps:
- task: MyTask@1 # this step generates the output variable
  name: ProduceVar # because we're going to depend on it, we need to name the step
- script: echo $(ProduceVar.MyVar) # this step uses the output variable
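As an added example that is not code from either thread, the Python below, which runs locally with no Azure agent, builds and parses the ##vso[task.setvariable] logging command both Azure DevOps answers rely on, shows the isoutput flag that makes the $(ProduceVar.MyVar) reference in the answer above resolvable from a named step, and emits the lines written to $GITHUB_OUTPUT, the replacement for the ::set-output form used in the GitHub Actions thread. Step and variable names such as GetSvc, AKSURL and SasToken come from the questions; the stdout sample and the SAS value are constructed.

```python
import re

# Azure Pipelines logging command the agent scans for on a step's stdout:
#   ##vso[task.setvariable variable=NAME;isoutput=BOOL;issecret=BOOL]VALUE
VSO_SETVAR = re.compile(r"^##vso\[task\.setvariable (?P<props>[^\]]*)\](?P<value>.*)$")


def setvariable_command(name, value, output=False, secret=False):
    """Build the line a script prints to hand a value to later steps.

    output=True is what makes $(StepName.NAME) resolvable from another step;
    secret=True makes the agent mask the value in the log (use it for SAS tokens)."""
    props = [f"variable={name}"]
    if output:
        props.append("isoutput=true")
    if secret:
        props.append("issecret=true")
    return f"##vso[task.setvariable {';'.join(props)}]{value}"


def parse_setvariable(line):
    """Interpret one stdout line the way the agent does; None when it is ordinary output."""
    m = VSO_SETVAR.match(line.rstrip("\r\n"))
    if not m:
        return None
    props = {}
    for item in m.group("props").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            props[k.strip()] = v.strip()
    return {
        "name": props.get("variable"),
        "value": m.group("value"),
        "isoutput": props.get("isoutput", "false").lower() == "true",
        "issecret": props.get("issecret", "false").lower() == "true",
    }


def collect_variables(stdout_lines):
    """Scan a step's whole stdout and return {variable name: parsed command}.

    Everything printed passes through this scan, so any command output that
    happens to contain '##vso[...]' sets variables too; keep untrusted output
    away from stdout or mark such variables read-only."""
    found = {}
    for line in stdout_lines:
        cmd = parse_setvariable(line)
        if cmd and cmd["name"]:
            found[cmd["name"]] = cmd
    return found


def macro_reference(step_name, variable):
    """Macro syntax a later step in the same job uses for an output variable."""
    return f"$({step_name}.{variable})"


def github_output_lines(name, value, delimiter):
    """Lines to append to the file named by $GITHUB_OUTPUT (the replacement for
    ::set-output); the heredoc form carries multi-line values. Pick a random
    delimiter per value, as GitHub's documentation recommends."""
    if "\n" in value:
        return [f"{name}<<{delimiter}", value, delimiter]
    return [f"{name}={value}"]


# Constructed stdout of a step like the kubectl one above: the raw IP printed by
# Write-Host, then the logging commands printed by Write-Output.
SAMPLE_STDOUT = [
    "20.50.100.7",
    setvariable_command("AKSURL", "20.50.100.7", output=True),
    setvariable_command("SasToken", "sv=2022-11-02&sig=CONSTRUCTED", secret=True),
]

if __name__ == "__main__":
    for name, cmd in collect_variables(SAMPLE_STDOUT).items():
        shown = "***" if cmd["issecret"] else cmd["value"]
        print(f"{name} = {shown}  (output={cmd['isoutput']})")
    print("later step reads:", macro_reference("GetSvc", "AKSURL"))
```

For the SasToken case in the question, issecret=true is the setting that keeps the token out of the build log; isoutput=true plus a step name is what the $(ProduceVar.MyVar) form in the answer depends on.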

How to securely login in Az CLI from a DevOps Pipeline

I want to execute AZ cli commands from my Azure DevOps Pipeline. In my YAML file I have this:
trigger:
- master
pool:
  vmImage: 'ubuntu-latest'
variables:
  buildConfiguration: 'Release'
steps:
- task: UsePythonVersion@0
  inputs:
    versionSpec: '3.x'
    architecture: 'x64'
# Updating pip to latest
- script: python -m pip install --upgrade pip
  displayName: 'Upgrade pip'
# Updating to latest Azure CLI version.
- script: pip install --pre azure-cli --extra-index-url https://azurecliprod.blob.core.windows.net/edge
  displayName: 'upgrade azure cli'
- script: az --version
  displayName: 'Show Azure CLI version'
- script: az extension add -n azure-devops
  displayName: 'Install Azure DevOps Extension'
- script: echo ${AZURE_DEVOPS_CLI_PAT} | az devops login
  env:
    AZURE_DEVOPS_CLI_PAT: $(System.AccessToken)
  displayName: 'Login Azure DevOps Extension'
- script: az aks show --name census-k8s --resource-group Census
  displayName: 'Show AKS'
The echo ${AZURE_DEVOPS_CLI_PAT} | az devops login step completes (apparently with success) with a warning message:
Failed to store PAT using keyring; falling back to file storage.
You can clear the stored credential by running az devops logout.
Refer https://aka.ms/azure-devops-cli-auth to know more on sign in with PAT.
The az aks show step fails:
Please run 'az login' to setup account.
I am a little bit lost. The az devops login command should enable me to use the az CLI, right? If not, am I supposed to use az login instead of az devops login? And if I am supposed to use az login, how can I pass my credentials in a secure way?
No, you don't need az devops login. What you need is Azure CLI Task:
- task: AzureCLI@2
  displayName: Azure CLI
  inputs:
    azureSubscription: <Name of the Azure Resource Manager service connection>
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
      az --version
      az account show
but then you don't have to do any login. Please call your az aks show --name census-k8s --resource-group Census there.
Just to add to Krzysztof's answer (and jeromerg's question in the comment): in an Azure CLI step you can also use other tools than az which require being logged in with the Azure CLI:
- task: AzureCLI@2
  displayName: Publish Function
  inputs:
    azureSubscription: <Name of the Azure Resource Manager service connection>
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
      func azure publish <function-name>
If your scriptLocation is scriptPath, use the following example:
- task: AzureCLI@2
  displayName: 'update function appsettings'
  inputs:
    azureSubscription: 'MY-AzureSubscriptionName'
    scriptType: ps
    scriptLocation: 'scriptPath'
    scriptPath: '$(System.DefaultWorkingDirectory)/Scripts/updateSettings.ps1'
    arguments:
      -ResourceGroupName 'MY-ResourceGroupName' `
      -FunctionAppName 'MY-FunctionAppName'
updateSettings.ps1:
param (
    [string]$ResourceGroupName,
    [string]$FunctionAppName
)
# . . . script body here . . .
To use Azure CLI from a script (PowerShell or batch) you must assign $(System.AccessToken) to an environment variable named AZURE_DEVOPS_EXT_PAT.
- pwsh: |
    az pipelines build list
  displayName: 'Show build list'
  env:
    AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
Source: https://learn.microsoft.com/en-us/azure/devops/cli/azure-devops-cli-in-yaml?view=azure-devops
