I am trying to install the AzureAD module with PowerShell on an agent Windows 2019 machine in Azure DevOps. The scope is to query Get-AzureADGroupMember and see the members of that Azure AD group. After running the DevOps task, it seems that the machine remains in the state below, throwing
no status. Am I missing something?
Install-Module -Name AzureAD -Scope CurrentUser -Force
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Connect-AzureAD
Get-AzureADGroupMember -ObjectId "xxxxx-xxxxx-xxxxxxxx"
The command Connect-AzureAD needs a Credential to connect to Azure AD. By default, the Service Principal ARM connection can't pass the required Credential to this command.
To use the Service Principal ARM connection to connect to Azure AD, you need to add an additional task and script to achieve it.
Here is an example:
steps:
- task: AzureCLI@2
  displayName: 'Azure CLI '
  inputs:
    azureSubscription: kevin0322
    scriptType: ps
    addSpnToEnvironment: true
    scriptLocation: inlineScript
    inlineScript: |
      echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId"
      echo "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$env:servicePrincipalKey"
      echo "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId"
- powershell: |
    az login --service-principal --username $(ARM_CLIENT_ID) --password $(ARM_CLIENT_SECRET) --tenant $(ARM_TENANT_ID)
    $aadToken = az account get-access-token --resource-type aad-graph | ConvertFrom-Json
    Install-Module -Name AzureAD -Scope CurrentUser -Force
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
    Connect-AzureAD -AccountId $(ARM_CLIENT_ID) -TenantId $(ARM_TENANT_ID) -AadAccessToken $aadToken.accessToken
    Get-AzureADGroupMember -ObjectId "xxx"
  displayName: 'PowerShell Script'
You could use the Service Principal ARM connection in the Azure CLI task, then you could get the variables related to the Service Principal (enable addSpnToEnvironment: true).
In the PowerShell task, you could use the variables from the Azure CLI task to run the Azure CLI command to get the AAD token for the credential.
Finally, the Connect-AzureAD command can be executed successfully without manually entering the username and password.
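Added example, not from the original answer: the same flow kept inside one AzureCLI@2 task (scriptType: ps, addSpnToEnvironment: true), so the service principal secret never has to be copied into a pipeline variable or onto a command line; if a later step really needs it, the setvariable command should carry issecret=true so the agent masks it in logs. The group object id is a placeholder.

```powershell
# Runs as the inlineScript of an AzureCLI@2 task with addSpnToEnvironment: true.
# The task has already run "az login" as the service principal, so the client
# secret ($env:servicePrincipalKey) is not needed here at all.

# Token for the AAD Graph resource, taken from the task's existing CLI login
$aadToken = az account get-access-token --resource-type aad-graph | ConvertFrom-Json
if (-not $aadToken.accessToken) { throw 'az account get-access-token returned no token' }

# NuGet provider first, then the module; both non-interactive
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Install-Module -Name AzureAD -Scope CurrentUser -Force

# Connect with the token instead of a credential prompt; $env:servicePrincipalId
# and $env:tenantId are injected by addSpnToEnvironment
Connect-AzureAD -AccountId $env:servicePrincipalId -TenantId $env:tenantId `
    -AadAccessToken $aadToken.accessToken | Out-Null

# '<group-object-id>' is a placeholder; -All $true returns more than the first page
Get-AzureADGroupMember -ObjectId '<group-object-id>' -All $true |
    Select-Object DisplayName, UserPrincipalName, ObjectType

# Only if a later step genuinely needs the secret: publish it as a *secret* variable
# so the agent masks it in logs rather than storing it as a plain pipeline variable.
# Write-Host "##vso[task.setvariable variable=ARM_CLIENT_SECRET;issecret=true]$env:servicePrincipalKey"
```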
I checked the script.
Connect-AzureAD prompts a UI for login.
This could be the reason why there is no progress.
You could pass along the credentials; this will prevent the login prompt.
Connect-AzureAD -Credential $Credential
I am trying to get a diagnostic setting from within an Azure pipeline with the following YAML:
steps:
- task: AzureCLI@2
  displayName: Ammend Diagnostic Settings
  inputs:
    azureSubscription: ${{ parameters.environmentServiceConnection }}
    scriptLocation: inlineScript
    ScriptType: ps
    inlineScript: |
      #$Diago = Get-AzDiagnosticSetting -ResourceId ""
If I execute the Get-DiagnosticSetting command with my normal 'admin' account I can see the diagnostic settings fine. I am using an SPN for the pipeline and I get the error:
Get-AzDiagnosticSetting : Exception type: ErrorResponseException, Message:
Microsoft.Azure.Management.Monitor.Models.ErrorResponseException: Operation returned an invalid status code 'Forbidden'
So it is something to do with my permissions on my SPN, but I have no idea where the permission would be that I need to check (in Azure) to make sure I can get this to work.
Please assign Contributor/Monitoring Contributor from the Azure built-in roles to the SPN that is being used by the Azure Pipeline as a service connection to the subscription.
I tested similarly by using an SPN in PowerShell with the code below:
# Placeholders in angle brackets must be replaced with the SPN's values
$ApplicationId = "<ClientId>"
$SecuredPassword = ConvertTo-SecureString -String "<ClientSecret>" -AsPlainText -Force
$TenantId = "<tenantId>"
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecuredPassword
# Sign in as the service principal, then read the diagnostic setting of the storage account
Connect-AzAccount -ServicePrincipal -TenantId $TenantId -Credential $Credential
Get-AzDiagnosticSetting -ResourceId "/subscriptions/<Subscription>/resourceGroups/ansuman-resourcegroup/providers/Microsoft.Storage/storageAccounts/cloudshellansuman123"
I have the following PowerShell step to install PowerShell modules when the pipeline is being executed:
steps:
- powershell: |
    Install-PackageProvider Nuget -Scope CurrentUser -Force
    Install-module PSScriptAnalyzer -force -Scope CurrentUser
    Install-module PSPesterTest -force -Scope CurrentUser
  displayName: 'Install required PowerShell modules'
This, however, throws the error "No repository with the name 'PSGallery' was found".
Please, can anyone point me to a workaround for this issue?
There are some problems with your script syntax; please try the following script:
pool:
  vmImage: 'windows-2019'
steps:
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Install-PackageProvider -Name NuGet -Force -Scope CurrentUser
      Install-Module -Name PSScriptAnalyzer -Force -Scope CurrentUser
      Install-Module -Name PSPesterTest -Force -Scope CurrentUser
Here is the official document you can refer to.
Edit:
Install-module should be Install-Module.
Moreover, by restoring the PSRepository back to its default, your problem is hopefully resolved :)
Register-PSRepository -Default
I am trying to create Azure resources from an ARM template using the Azure PowerShell pipeline.
My two ARM template JSON files are stored in the same directory as the YAML file and the PowerShell file.
Here is the code of the PowerShell file:
param (
    # Name of the deployment
    [Parameter(Mandatory=$true)]
    [string]
    $deploymentName,
    # Name of the resource group to deploy into
    [Parameter(Mandatory=$true)]
    [string]
    $rgName
)
New-AzResourceGroupDeployment -Name $deploymentName -ResourceGroupName $rgName `
    -TemplateFile '$(System.DefaultWorkingDirectory)/Deploy.json' `
    -TemplateParameterFile '$(System.DefaultWorkingDirectory)/DeployParameters.json'
Here is the code of the YAML file:
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger: none
pool: 'Default'
#vmImage: 'ubuntu-latest'
steps:
- script: echo Create, Shared Image Gallery!
  displayName: 'Run a multiline-line script'
- script: |
    echo Add other tasks to build, test, and deploy your project.
    echo See https://aka.ms/yaml
  displayName: 'Run a multi-line script'
- task: AzurePowerShell@5
  inputs:
    azureSubscription: 'Visual Studio Enterprise Subscription – MPN(08f41212-2053-434e-b4b3-ace08XXXXXX)'
    ScriptType: 'FilePath'
    ScriptPath: '$(System.DefaultWorkingDirectory)/Deploy_New.ps1'
    ScriptArguments: -deploymentName "WVD" -rgName "WVDRG"
    azurePowerShellVersion: LatestVersion
    pwsh: true
Here is the error I am getting. I am using a self-hosted agent pool running on Windows Server 2019 and PowerShell Core.
2020-09-15T15:41:38.8359249Z ##[section]Starting: AzurePowerShell
2020-09-15T15:41:38.8615322Z ==============================================================================
2020-09-15T15:41:38.8615818Z Task : Azure PowerShell
2020-09-15T15:41:38.8616217Z Description : Run a PowerShell script within an Azure environment
2020-09-15T15:41:38.8616582Z Version : 5.173.1
2020-09-15T15:41:38.8616919Z Author : Microsoft Corporation
2020-09-15T15:41:38.8617547Z Help : https://aka.ms/azurepowershelltroubleshooting
2020-09-15T15:41:38.8617935Z ==============================================================================
2020-09-15T15:41:40.0811736Z Generating script.
2020-09-15T15:41:40.1352322Z ========================== Starting Command Output ===========================
2020-09-15T15:41:40.1634699Z ##[command]"C:\Program Files\PowerShell\7\pwsh.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'C:\agent\_work\_temp\1d73a74d-12ca-470b-bd53-c23358ee4e2d.ps1'"
2020-09-15T15:41:41.5971906Z Added TLS 1.2 in session.
2020-09-15T15:41:41.7815293Z ##[command]Import-Module -Name C:\Program Files\PowerShell\Modules\Az.Accounts\1.9.3\Az.Accounts.psd1 -Global
2020-09-15T15:41:42.3907347Z ##[command]Clear-AzContext -Scope Process
2020-09-15T15:41:42.7014316Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2020-09-15T15:41:43.3364066Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant *** -Credential System.Management.Automation.PSCredential -Environment AzureCloud #processScope
2020-09-15T15:41:45.2061727Z ##[command] Set-AzContext -SubscriptionId 08f41212-2053-434e-b4b3-XXXXX -TenantId ***
2020-09-15T15:41:47.5198572Z ##[error]Cannot retrieve the dynamic parameters for the cmdlet. Cannot find path 'C:\agent\_work\3\s\$(System.DefaultWorkingDirectory)\DeployHostPool.json' because it does not exist.
2020-09-15T15:41:47.6342141Z ##[error]PowerShell exited with code '1'.
2020-09-15T15:41:48.1235457Z ##[section]Finishing: AzurePowerShell
Can anyone please help here?
You need to swap those single quotes (') for double quotes (") in New-AzResourceGroupDeployment.
In PowerShell, double quotes allow string expansion, which is what you want, in order to use string expansion syntax like this:
"This computer is called $($env:COMPUTERNAME)"
PS>This computer is called eLope
When you use single quotes, it will always give you a string literal, like so:
'This computer is called $($env:COMPUTERNAME)'
PS>This computer is called $($env:COMPUTERNAME)
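Added example, not from the original question or answer: a version of Deploy_New.ps1 that resolves the template paths from a directory handed in by the pipeline. Azure Pipelines expands `$(...)` macros in YAML task inputs, not inside a script file on disk, so the directory is passed through ScriptArguments (or read from the SYSTEM_DEFAULTWORKINGDIRECTORY environment variable the agent sets); the -TemplateRoot parameter is an assumption.

```powershell
# Deploy_New.ps1 (added example). The matching task input is assumed to be:
#   ScriptArguments: -deploymentName "WVD" -rgName "WVDRG" -TemplateRoot "$(System.DefaultWorkingDirectory)"
# The $(...) macro is expanded by the pipeline in that YAML input, never inside this file.
param (
    # Name of the deployment
    [Parameter(Mandatory = $true)]
    [string] $deploymentName,

    # Name of the resource group to deploy into
    [Parameter(Mandatory = $true)]
    [string] $rgName,

    # Directory holding Deploy.json and DeployParameters.json (assumed parameter).
    # Defaults to the environment variable the agent sets for System.DefaultWorkingDirectory.
    [string] $TemplateRoot = $env:SYSTEM_DEFAULTWORKINGDIRECTORY
)

if (-not $TemplateRoot) {
    throw 'TemplateRoot was not supplied and SYSTEM_DEFAULTWORKINGDIRECTORY is not set'
}

$templateFile  = Join-Path -Path $TemplateRoot -ChildPath 'Deploy.json'
$parameterFile = Join-Path -Path $TemplateRoot -ChildPath 'DeployParameters.json'

# Fail early with a readable message instead of the cmdlet's dynamic-parameter error
foreach ($f in @($templateFile, $parameterFile)) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) {
        throw "Template file not found: $f"
    }
}

New-AzResourceGroupDeployment -Name $deploymentName -ResourceGroupName $rgName `
    -TemplateFile $templateFile `
    -TemplateParameterFile $parameterFile
```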
In a nightly Azure pipelines build I have 2 tasks:
First I delete and purge a self-signed certificate from a keyvault
Then I import the same self-signed certificate into the keyvault
The reason I do it is to ensure that a certain certificate is always available in the keyvault.
Here is my current code:
# purge the self-signed cert from the Keyvault to avoid conflict; ignore failures
- task: AzureCLI@2
  continueOnError: true
  inputs:
    azureSubscription: '${{ parameters.ArmConnection }}'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    failOnStandardError: false
    powerShellErrorActionPreference: 'silentlyContinue'
    inlineScript: |
      az keyvault certificate delete --vault-name $(KeyVaultName) --name my-self-signed-cert
      az keyvault certificate purge --vault-name $(KeyVaultName) --name my-self-signed-cert
# import the self-signed certificate my-self-signed-cert into the Keyvault
- task: AzurePowerShell@5
  inputs:
    azureSubscription: '${{ parameters.ArmConnection }}'
    ScriptType: 'InlineScript'
    azurePowerShellVersion: '3.1.0'
    Inline: |
      $Pwd = ConvertTo-SecureString -String 'MyPassword' -Force -AsPlainText
      $Base64 = 'MIIKqQ____3000_CHARS_HERE______1ICAgfQ=='
      Import-AzKeyVaultCertificate -VaultName $(KeyVaultName) -Name my-self-signed-cert -CertificateString $Base64 -Password $Pwd
My question is:
How could I please check if the certificate is maybe already available in the keyvault?
(Because I use ARM templates and the resources keep running and are not deleted, while the pipeline is run every evening.)
And if the certificate is there, how do I skip the above 2 tasks (Azure CLI and the PowerShell)?
I don't quite understand how to use conditionals in the pipelines YAML file.
YAML cannot contain conditionals, so what you need to do is to handle the logic inside your PowerShell scripts.
There is a command for checking if a given certificate is present in the vault, so how about doing something like this?
# Get-AzKeyVaultCertificate (Az module, matching Import-AzKeyVaultCertificate) returns $null when the certificate is absent
$cert = Get-AzKeyVaultCertificate -VaultName $(KeyVaultName) -Name my-self-signed-cert
if (!$cert) {
    $Pwd = ConvertTo-SecureString -String 'MyPassword' -Force -AsPlainText
    $Base64 = 'MIIKqQ____3000_CHARS_HERE______1ICAgfQ=='
    Import-AzKeyVaultCertificate -VaultName $(KeyVaultName) -Name my-self-signed-cert -CertificateString $Base64 -Password $Pwd
}
If you for some reason also want the delete and purge of certs, you can do that in PowerShell as well. Not sure why you use both CLI and plain PowerShell in your current setup?
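Added example, not from the original answer: an idempotent version of the import step for the nightly job that compares the thumbprint of the held PFX with what is already in the vault and imports only when needed, which also removes the need for the delete/purge task. It assumes an AzurePowerShell@5 inline script with the PFX and its password supplied as secret pipeline variables mapped to the environment variables CERT_PFX_BASE64 and CERT_PFX_PASSWORD (assumed names) instead of being pasted into the YAML; $(KeyVaultName) and my-self-signed-cert are taken from the question.

```powershell
# Inline script of an AzurePowerShell@5 task (Az module). CERT_PFX_BASE64 and
# CERT_PFX_PASSWORD are assumed to be mapped from secret pipeline variables
# through the task's env: block, so neither value appears in the YAML or the log.
$vaultName = '$(KeyVaultName)'        # macro expanded by the pipeline before the script runs
$certName  = 'my-self-signed-cert'

if (-not $env:CERT_PFX_BASE64 -or -not $env:CERT_PFX_PASSWORD) {
    throw 'CERT_PFX_BASE64 / CERT_PFX_PASSWORD are not set'
}
$pfxBytes = [Convert]::FromBase64String($env:CERT_PFX_BASE64)
$pfxPwd   = ConvertTo-SecureString -String $env:CERT_PFX_PASSWORD -AsPlainText -Force

# Thumbprint of the certificate we intend to have in the vault, read locally from the PFX
$local = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, $pfxPwd)

# Get-AzKeyVaultCertificate returns $null when no certificate of that name exists
$existing = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName

if ($existing -and $existing.Thumbprint -eq $local.Thumbprint) {
    Write-Host "Certificate $certName already present (thumbprint $($local.Thumbprint)); nothing to do."
    return
}

if ($existing) {
    Write-Host "Certificate $certName exists with thumbprint $($existing.Thumbprint); importing a new version."
} else {
    Write-Host "Certificate $certName not found in $vaultName; importing."
}

# Importing under an existing name creates a new version, so no delete/purge
# (and no soft-delete conflict) is needed; the old version stays available.
$imported = Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName `
    -CertificateString $env:CERT_PFX_BASE64 -Password $pfxPwd
Write-Host "Imported $certName version $($imported.Version), thumbprint $($imported.Thumbprint)"
```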
I am trying to deploy a self-signed certificate by using the following pipeline task:
- task: AzurePowerShell@5
  inputs:
    azureSubscription: '${{ parameters.ArmConnection }}'
    ScriptType: 'InlineScript'
    azurePowerShellVersion: '2.6.0'
    Inline: |
      $Pwd = ConvertTo-SecureString -String '1234' -Force -AsPlainText
      $Base64 = 'MI..............3000.characters.here............M+wICB9A='
      Import-AzKeyVaultCertificate -VaultName '${{ parameters.resourceGroupName }}''-my-keyvault' -Name ccg-self-signed-cert -CertificateString $Base64 -Password $Pwd
The 3 PowerShell commands listed above work well for me at the PowerShell command prompt.
But when I try to run the above pipeline, I get the syntax error:
/pipelines/shared.yml: (Line: 164, Col: 11, Idx: 7111) - (Line: 164,
Col: 11, Idx: 7111): While scanning a simple key, could not find
expected ':'.
What is happening here please?
Is line 164 with the code $Base64 = '.....' too long for a pipeline script?
Or do I have some other issue?
UPDATE:
After indenting the inline script (thanks, Mathias!), I get another error, surprisingly talking about a "hostname":
##[section]Starting: AzurePowerShell
==============================================================================
Task : Azure PowerShell
Description : Run a PowerShell script within an Azure environment
Version : 5.168.1
Author : Microsoft Corporation
Help : https://aka.ms/azurepowershelltroubleshooting
==============================================================================
Generating script.
========================== Starting Command Output ===========================
##[command]"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\13d4bf76-87b6-4ac4-9bb5-51ef481420d0.ps1'"
##[command]Import-Module -Name C:\Modules\az_2.6.0\Az.Accounts\1.7.5\Az.Accounts.psd1 -Global
##[command]Clear-AzContext -Scope Process
##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
##[command]Connect-AzAccount -ServicePrincipal -Tenant *** -Credential System.Management.Automation.PSCredential -Environment AzureCloud #processScope
##[command] Set-AzContext -SubscriptionId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -TenantId ***
##[error]Invalid URI: The hostname could not be parsed.
##[error]PowerShell exited with code '1'.
##[section]Finishing: AzurePowerShell
Is -VaultName '${{ parameters.resourceGroupName }}''-my-keyvault' a correct way to prepend RG name (passed as param) to the string "-my-keyvault"?
UPDATE 2:
Using -VaultName '${{ parameters.resourceGroupName }}-my-keyvault' has fixed my problem
I would advise enabling system diagnostics and running the pipeline once more to get more detailed info.