Using outputs of Powershell in Github Actions - azure

I am trying to get connection string using Powershell and pass this argument to another step in the actions, but I am getting this error:
Input required and not supplied: connection-string
But I am following a similar behaviour that I used before, and I am not sure why it is not working. Here is part of my script:
- name: Secrets to Key Vault
  uses: azure/powershell@v1
  env:
    POWERSHELL_TELEMETRY_OPTOUT: 1
  with:
    inlineScript: |
      $sqlConnectionString = (az keyvault secret show --vault-name <keyVaultName> --name <secret-name> --query [value] --output tsv)
      echo ::set-output name=sqlConnectionString::$( $sqlConnectionString)
    azPSVersion : '3.1.0'
- name: Deploy Core Module
  uses: azure/sql-action@v1
  id: sqlConnection
  with:
    server-name: <sqlServerName>
    connection-string: ${{ steps.sqlConnection.outputs.sqlConnectionString}}
    dacpac-package: './Database.dacpac'
I think the problem is related to the output of the variable, but I used similar syntax previously just in a simple run and it worked. Could it be related to the behaviour of PowerShell?

Please add an id to your first action:
- name: Secrets to Key Vault
  uses: azure/powershell@v1
  id: setSqlConnection
  env:
    POWERSHELL_TELEMETRY_OPTOUT: 1
  with:
    inlineScript: |
      $sqlConnectionString = (az keyvault secret show --vault-name <keyVaultName> --name <secret-name> --query [value] --output tsv)
      echo ::set-output name=sqlConnectionString::$( $sqlConnectionString)
    azPSVersion : '3.1.0'
- name: Deploy Core Module
  uses: azure/sql-action@v1
  id: sqlConnection
  with:
    server-name: <sqlServerName>
    connection-string: ${{ steps.setSqlConnection.outputs.sqlConnectionString}}
    dacpac-package: './Database.dacpac'
and then use it to access output ${{ steps.setSqlConnection.outputs.sqlConnectionString}}
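The mistake in the question (an output read from the consuming step's own id instead of the producing step's id) can be caught before the workflow runs. The following check is an added example, not part of the original question or answer; `check_step_refs` and `sample_workflow` are hypothetical names, and the workflow text is a constructed sample modelled on the two snippets above.

```shell
#!/bin/sh
# Added example: report steps.<id>.outputs.* references whose <id> was not
# declared on an EARLIER step. Heuristic line scan, not a YAML parser; assumes
# one job whose steps each begin with "- name:", "- id:", "- uses:" or "- run:".
check_step_refs() {
  awk '
    /^[ \t]*-[ \t]+(name|id|uses|run):/ {   # a new step begins
      if (cur != "") seen[cur] = 1          # the finished step id is now referable
      cur = ""
    }
    /^[ \t]*(-[ \t]+)?id:[ \t]*[A-Za-z_]/ { # id key of the current step
      cur = $0
      sub(/^[ \t]*(-[ \t]+)?id:[ \t]*/, "", cur)
      sub(/[ \t#].*$/, "", cur)
    }
    {
      line = $0
      while (match(line, /steps\.[A-Za-z_][A-Za-z0-9_-]*\.outputs\./)) {
        ref = substr(line, RSTART + 6, RLENGTH - 15)
        if (!(ref in seen)) {
          printf "line %d: \"%s\" is not the id of an earlier step\n", NR, ref
          bad = 1
        }
        line = substr(line, RSTART + RLENGTH)
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample: sample_workflow PRODUCER_ID REFERENCED_ID
sample_workflow() { cat <<EOF
steps:
  - name: Secrets to Key Vault
    uses: azure/powershell@v1
${1:+    id: $1}
    with:
      inlineScript: |
        echo ::set-output name=sqlConnectionString::\$sqlConnectionString
  - name: Deploy Core Module
    uses: azure/sql-action@v1
    id: sqlConnection
    with:
      connection-string: \${{ steps.$2.outputs.sqlConnectionString }}
EOF
}

sample_workflow "" sqlConnection | check_step_refs || echo "question: FAIL"
sample_workflow setSqlConnection setSqlConnection | check_step_refs && echo "answer: OK"
```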

Related

Update Azure Key Vault Secret using Azure DevOps Pipeline

I'm using Service Principal for Azure DevOps Release Pipeline and Azure VM as an agent pool.
But I'm getting an error like this ERROR: Please run 'az login' to set up an account.
My pipeline looks like this:
variables:
  secretConfluentApiKey: 'ConfluentAPIKey'
  secretConfluentApiSecret: 'ConfluentAPISecret'
steps:
- task: AzurePowerShell@5
  displayName: 'Confluent: Kafka API Key Refresh'
  inputs:
    azureSubscription: 'Azure DevOps to Azure Resources'
    ScriptType: InlineScript
    Inline: |
      $env:path = $env:path + ";C:\Program Files\Git\usr\bin" + ";C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin"
      Invoke-WebRequest -UseBasicParsing -Uri "https://keyserviceurlgoes.here" -OutFile C:\api-key
      Set-Location C:\
      $data = openssl pkeyutl -decrypt -in api-key -inkey my.key
      $SecretImport = $data | ConvertFrom-Json
      # mm is minutes; MM would insert the month into the time part
      $Planned = (get-date $SecretImport.metadata.created_at).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
      $ConfluentAPIKey = "$(secretConfluentApiKey)"
      $ConfluentAPISecret = "$(secretConfluentApiSecret)"
      $ValutName = "$(azureKeyVaultName)"
      # --output tsv returns the bare value instead of a JSON-quoted string, so the comparison below can match
      $CurrentKey = az keyvault secret show --name $ConfluentAPIKey --vault-name $ValutName --query "value" --output tsv
      if ($CurrentKey -eq $SecretImport.key) {
        write-host 'Key is in Active State'
      }
      else {
        az keyvault secret set --vault-name $ValutName --name $ConfluentAPIKey --value $SecretImport.key --expires $Planned
        az keyvault secret set --vault-name $ValutName --name $ConfluentAPISecret --value $SecretImport.secret --expires $Planned
      }
    azurePowerShellVersion: LatestVersion
ERROR: Please run ‘az login’ to set up an account
This error occurs when you are not logged into your Azure account and authenticated with it. Run this CLI task before running your key vault script. I created one Service Principal service connection in my Azure DevOps project and used it for authentication.
I added one Service Principal connection with my Service principal client Id, Tenant Id and Client secret like below:-
Project Settings > Service connections > New Service connection > Azure Resource Manager > Service connection (manual) > enter your service connection details like below:-
Enter service connection name > Verify and Save > Use this Service principal in your Azure CLI task for the key vault.
I ran the Azure CLI key vault script without running the az login --service-principal command, with the service principal connection, like below:-
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
- script: echo Hello, world!
  displayName: 'Run a one-line script'
- script: |
    echo Add other tasks to build, test, and deploy your project.
    echo See https://aka.ms/yaml
  displayName: 'Run a multi-line script'
- task: AzureCLI@2
  inputs:
    azureSubscription: 'ServicePrincipal'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: 'az keyvault secret set --name MySecretNamesiddesai --vault-name keyvaultname --value secretvalue'
Service principal connection was authenticated and new key vault secret was set like below:-
Even if using the Service principal service connection fails, you can additionally run the az login --service-principal command for the service principal in the CLI inline script like below:-
- task: AzureCLI@2
  inputs:
    azureSubscription: 'ServicePrincipal'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az login --service-principal -u <clientorappid> -p <client-secret> --tenant <tenant-id>
      az keyvault secret set --name MySecretNamesid --vault-name keyvaultname --value keyvaultsecret
Output:-

Failed to deploy Azure Function using Azure Container Registry

Our team has set up an ansible-playbook to deploy Azure Function using this reference. We use a user assigned identity to pull the function app image from an ACR like the following:
- name: Force Login using identity
  command: az login --identity
- name: Get subscriptionId
  command: az account show --query id --output tsv
  register: subscriptionId
- name: Get functionapp identity's clientId
  command: az identity show --resource-group "{{ functionapp_resource_group }}" --name "{{ functionapp_user_identity }}" --query clientId --output tsv
  register: identityId
- name: Use functionapp identity for acr pull
  command:
    az resource update
    --ids /subscriptions/{{ subscriptionId.stdout }}/resourceGroups/{{ functionapp_resource_group }}/providers/Microsoft.Web/sites/{{ functionapp_name }}/config/web
    --set properties.acrUseManagedIdentityCreds=True
    --set properties.AcrUserManagedIdentityID={{ identityId.stdout }}
- name: Config the functionapp
  command:
    az functionapp config appsettings set --name "{{ functionapp_name }}"
    --resource-group "{{ functionapp_resource_group }}"
    --settings
    "Key1={{ Value1 }}"
    "Key2={{ Value2 }}"
- name: Deploy the functionapp
  command:
    az functionapp config container set --name "{{ functionapp_name }}"
    --resource-group "{{ functionapp_resource_group }}"
    --docker-custom-image-name "{{ docker_registry_host }}/{{ image_name }}:{{ image_tag }}"
    --docker-registry-server-url "{{ docker_registry_host }}"
Usually, the script works fine. The successful deployment log should be like the following:
However, we encountered a strange failure today. When deploying the image, the Azure Portal shows an incomplete log:
Does anyone know why this failure occurred?
I finally figured out that it may imply there's no further docker log today.

az tag update ERROR: (MissingSubscription) The request did not have a subscription or a valid tenant level resource provider

I am trying to set a tag named "GitBranch" on an Azure Resource Group:
When I call the command in PowerShell window -
az tag update --resource-id "/subscriptions/79ca5b...7f/resourceGroups/ccg-afarber2" --subscription "79ca5b...7f" --operation merge --tags GitBranch=Test
then it works:
But when I try the same command in Git Bash window, then it fails.
I have also tried calling the following commands before and also tried both double and single quotes
az login
az account set --subscription "79ca5b....7f"
but the error is still the same:
ERROR: (MissingSubscription) The request did not have a subscription or a valid tenant level resource provider.
And the reason why I am trying to get the command working in bash is because I get the same error for my Azure pipeline task:
- task: AzureCLI@2
  displayName: 'Set Resource Group tag'
  inputs:
    azureSubscription: '${{ parameters.ArmConnection }}'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az tag update \
        --resource-id '/subscriptions/${{ parameters.SubscriptionId }}/resourceGroups/${{ parameters.ResourceGroupName }}' \
        --subscription '${{ parameters.SubscriptionId }}' \
        --operation Merge --tags \
        GitBranch=$(git branch --show-current)
What is happening here please?
On my PC I have azure-cli 2.28.0 installed.
I have found a solution myself!
In an AzureCLI pipeline task, when you run an az cli command which has parameters starting with a slash, the MinGW bash will auto-append the current path.
To prevent this, you can prepend the following variable to the az command:
MSYS_NO_PATHCONV=1 az ....
A double slash works too:

How to pass the output from kubectl task to next task in Azure Devops

I am using AKS. I am trying to fetch the IP of the service post my deployment through devops so that I can pass on the IP to the API Management for further configuration. Right now my task looks like this:
- task: Kubernetes@1
  inputs:
    connectionType: 'Kubernetes Service Connection'
    kubernetesServiceEndpoint: 'string-Conn'
    namespace: '<appservices>'
    command: 'get'
    arguments: 'get services --namespace appservices authsvc --output jsonpath=''{.status.loadBalancer.ingress[0].ip}'''
    secretType: 'dockerRegistry'
    containerRegistryType: 'Azure Container Registry'
  name: 'GetSvc'
When I run the command locally I am getting the IP of the loadbalancer. But how can I pass the output from this task to the next task? Previously, when I used azure cli scripts, I could pass the vso set variable as part of the script itself like the one below, but I am not sure how I will add the output of this task to a variable.
inlineScript: |
  $something = (az storage container generate-sas --account-name <container> --name armtemplate --permissions r --expiry $(date -u -d "30 minutes" +%Y-%m-%dT%H:%MZ))
  Write-Host($something)
  Write-Output("##vso[task.setvariable variable=SasToken;]$something")
I have followed the approach suggested by Amit Baranes since I am not clear on the script execution assignment without variable name. I have used the Azure cli task and ran it. It was successful
- task: AzureCLI@2
  inputs:
    azureSubscription: '<Service-Conn>'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az aks get-credentials -n $(clusterName) -g $(clusterRG)
      $externalIp = (kubectl get -n $(ns) services $(svc) --output jsonpath='{.status.loadBalancer.ingress[0].ip}' )
      Write-Host($externalIp)
      Write-Output("##vso[task.setvariable variable=AKSURL;]$externalIp")
We could use the logging command ##vso[task.setvariable variable=SasToken;]$something to set variables in scripts.
But according to your description, we recommend that you use the output variable to pass the variable IP. For example, assume we have a task called MyTask, which sets an output variable called MyVar. We could use outputs in the same job.
steps:
- task: MyTask@1 # this step generates the output variable
  name: ProduceVar # because we're going to depend on it, we need to name the step
- script: echo $(ProduceVar.MyVar) # this step uses the output variable
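For a bash script step, the sketch below publishes the service IP as an output variable with `isOutput=true`, so a later step reads it as `$(<stepName>.AKSURL)` in the form the answer shows. It first checks that the value is a single IPv4 address, so empty, multi-line or otherwise unexpected kubectl output is rejected instead of being written into the logging command. This is an added example, not code from the original posts; `is_ipv4` and `publish_ip_variable` are hypothetical helper names and the address in the demo call is constructed.

```shell
#!/bin/sh
# Added example. The variable name AKSURL comes from the page; helper names are hypothetical.

# is_ipv4 VALUE: succeeds only for one dotted quad whose octets are 0-255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, foreign characters (incl. newlines), stray dots
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                                # split the candidate on dots
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# publish_ip_variable NAME VALUE: emit the logging command, or fail without emitting it.
publish_ip_variable() {
  if ! is_ipv4 "$2"; then
    echo "refusing to publish $1: value is not a single IPv4 address" >&2
    return 1
  fi
  printf '##vso[task.setvariable variable=%s;isOutput=true]%s\n' "$1" "$2"
}

# In the pipeline the value would come from the kubectl jsonpath query shown above.
publish_ip_variable AKSURL "10.0.0.4"        # constructed sample address
publish_ip_variable AKSURL "" || true        # empty kubectl output is rejected
```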

AKS is unable to pull from ACR even after granting permissions

I have followed this documentation on providing ACR access to AKS: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-aks but I'm still getting the authentication failed error. Can someone help me with this?
    env:
    - name: no_cpu
      valueFrom:
        resourceFieldRef:
          containerName: proxy
          resource: requests.cpu
  imagePullSecrets:
  - name: acr-auth
Make sure you have the acrpull role assigned to the AKS SP on the ACR resource (from the portal, on the IAM tab, or using the script:
#!/bin/bash
AKS_RESOURCE_GROUP=myAKSResourceGroup
AKS_CLUSTER_NAME=myAKSCluster
ACR_RESOURCE_GROUP=myACRResourceGroup
ACR_NAME=myACRRegistry
# Get the id of the service principal configured for AKS
CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
# Get the ACR registry resource id
ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)
# Create role assignment
az role assignment create --assignee $CLIENT_ID --role acrpull --scope $ACR_ID
).
Then create pull secret via command line:
kubectl create secret docker-registry acr-auth --docker-server <acr-login-server> --docker-username <service-principal-ID> --docker-password <service-principal-password> --docker-email <email-address>
or
apiVersion: v1
kind: Secret
metadata:
  name: acr-auth
# an image pull secret uses this type, with the registry credentials stored under .dockerconfigjson
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64encoded Docker config JSON>
Both are equivalent.
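What the `.dockerconfigjson` value of such a pull secret contains, and how the manifest that `kubectl create secret docker-registry` generates is put together, shown as an added example that is not part of the original answer. The function names are hypothetical, the optional email field is left out, and the registry host and credentials in the demo call are constructed placeholders.

```shell
#!/bin/sh
# Added example; the registry host and credentials used below are constructed placeholders.

# b64 STRING: base64 on a single line (GNU base64 wraps long output).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# json_escape STRING: escape backslashes and double quotes for use inside a JSON string.
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# docker_config_json SERVER USERNAME PASSWORD
# The "auth" field is base64("username:password"), as in a Docker config.json.
docker_config_json() {
  server=$(json_escape "$1"); user=$(json_escape "$2"); pass=$(json_escape "$3")
  auth=$(b64 "$2:$3")
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$auth"
}

# pull_secret_manifest NAME SERVER USERNAME PASSWORD
pull_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(docker_config_json "$2" "$3" "$4")")
EOF
}

pull_secret_manifest acr-auth example.azurecr.io sp-client-id 'constructed-password'
```

The data value is only base64-encoded, not encrypted, so a manifest rendered this way carries the service principal password in recoverable form.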
You need to remove the imagePullSecrets property from the pod\deployment definition. That way you will instruct Kubernetes to use internal AKS\ACR auth.
