I am trying to create a pipeline in which I'll run terraform configs against an Azure subscription from Azure DevOps pipelines. All works fine, but when I am trying to log in as user with az cli it fails with:
ERROR: Authentication failed due to error of 'Unsupported wstrust endpoint version. Current support version is wstrust2005 or wstrust13.' This typically happens when attempting a Microsoft account, which requires interactive login. Please invoke 'az login' to cross check. More details are available at https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
ERROR: Please run 'az login' to setup account.
Although from cli on my local it works to do az log in -u user -p pass
Command was executed from a script, because after log in I'll move to terraform commands which requires those creds:
- script: |
az login -u $(u) -p $(p)
terraform init
terraform plan
I know it's not a best practice to use an user instead of a service principal, but for now I have to stick with this method. So is there a way to automate az login from Azure DevOps pipelines?
The Azure CLI task can be used instead of the Script task
It works like the normal script tasks and you select what scripting language you want to run with the scriptTypeproperty:
Type of script: PowerShell/PowerShell Core/Bat/Shell script. Select
bash/pscore script when running on Linux agent or batch/ps/pscore
script when running on Windows agent. PowerShell Core script can run
on cross-platform agents (Linux, macOS, or Windows)
It also takes a service connection reference in the azureSubscription input. The service connection should be of type Azure Resource Manager and can be created either automatically or by using an existing service principal.
The azure connection details are safely stored in the service connection and when your script starts executing Azure CLI has already been logged in using the service connection
Below is an example of how your pipeline task would look
- task: AzureCLI#2
displayName: Azure CLI
inputs:
azureSubscription: <Name of the Azure Resource Manager service connection>
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
terraform init
terraform plan
az login -u $(secretUser) -p $(secretPassword)
Put the user ID and password into Azure Key Vault, named secretUser and secretPassword, and then use the AzureKeyVault#1 task to populate it
- task: AzureKeyVault#1
inputs:
ConnectedServiceName: Your Service Connection Name
KeyVaultName: Your Key Vault Name
SecretsFilter: 'secretUser,secretPassword'
RunAsPreJob: true
- script: |
az login -u $(secretUser) -p $(secretPassword)
terraform init
terraform plan
Related
I create Azure VM (windows) via arm template from Azure Pipeline. But I have to Add New Property Item to Registry without RDP.
Is there a secure way to do that with ARM template or SDK?
Any advice would be appreciated.
Best
You could do that with many different ways. One method is to perform an ARM deployment and use commandToExecute inside it. You could also perform that using a Powershell task without having to login in the VM through Azure portal using az cli.
An example can be found below:
- task: AzureCLI#2
displayName: execute command inside vm
inputs:
azureSubscription: 'subscription'
scriptType: 'ps'
scriptLocation: 'inlineScript'
inlineScript: 'az vm run-command invoke --command-id RunPowerShellScript --name $(vm_name) -g $(vnet_rg_name) --scripts "hostname"'
In the scripts section instead of the hostname you should add a powershell to edit your registry key.
Documented article:
https://medium.com/#geralexgr/execute-powershell-command-without-username-password-on-azure-virtual-machine-8142ade31fd0
I am flushing out a CI/CD process with Azure SQL DB deployed via Azure DevOps Pipelines. I am using the Adventure works database and set up a visual studio project importing the schema.
I have a pipeline configured to publish the dacpac and run a subsequent deployment using the SqlAzureDacpacDeployment#1 and am getting the below error:
2020-10-10T02:36:34.1421137Z ##[error]Unable to connect to target server 'server.database.windows.net'. Please verify the connection information such as the server name, login credentials, and firewall rules for the target server.
2020-10-10T02:36:34.1605855Z ##[error]Windows logins are not supported in this version of SQL Server.
2020-10-10T02:36:34.2143924Z ##[error]The Azure SQL DACPAC task failed. SqlPackage.exe exited with code 1.Check out how to troubleshoot failures at https://aka.ms/sqlazuredeployreadme#troubleshooting-
2020-10-10T02:36:34.2522414Z ##[section]Finishing: SqlAzureDacpacDeployment
I am using windows latest and here is my YAML pipeline:
trigger:
- master
pool:
vmImage: 'windows-latest'
jobs:
- job: BuildDeploySQL
variables:
- group: SQLServerLogin
steps:
- task: VSBuild#1
inputs:
solution: '**\*.sln'
- task: PublishPipelineArtifact#1
inputs:
targetPath: '$(Pipeline.Workspace)'
publishLocation: 'pipeline'
- task: SqlAzureDacpacDeployment#1
inputs:
azureSubscription: 'Subscription Name here'
AuthenticationType: 'server'
ServerName: 'server.database.windows.net'
DatabaseName: 'AdventureWorks'
SqlUsername: 'sqladmin'
SqlPassword: ${{ variables.Password }}
deployType: 'DacpacTask'
DeploymentAction: 'Publish'
DacpacFile: '$(Pipeline.Workspace)\s\AdventureWorks\bin\Debug\*.dacpac'
IpDetectionMethod: 'AutoDetect'
I have tried to deploy from my local machine and it is successful using the same sql credentials. Additionally I have confirmed that the SQL Database has allow Azure Services enabled. I have also tried to deploy the dacpac to a new empty database and get this same error.
I do believe this could be just a generic error message as my deployment logs do show a successful connection to the server:
2020-10-10T02:36:18.7912964Z Invoke-Sqlcmd -ServerInstance "server.database.windows.net" -Database "AdventureWorks" -Username "sqladmin" -Password ****** -Inputfile
....
2020-10-10T02:36:33.0554895Z Initializing deployment (Start)
** Update
Just to rule out I did create a new SQL Login with DBO_owner permissions and ran the deployment using that and got the same error message.
Above error is probably because the build agent ip is not allow-listed in the firewall rules of your Azure SQL Database. See the this link about IP ranges for Microsoft-hosted agents.
You can check the firewall rules setting of your azure database, and try allowing all IP ranges.
You can aslo add Azure CLi task to get the agent ip and set a firewall rule for your azure database to allow the agent ip dynamically in your pipeline. See this thread.
steps:
- task: AzureCLI#2
displayName: 'Azure CLI '
inputs:
azureSubscription: 'azureSubscription'
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
$agentIp = (New-Object net.webclient).downloadstring("http://checkip.dyndns.com") -replace "[^\d\.]"
az sql server firewall-rule create -g $(rg) -s $(server) -n test --start-ip-address $agentIp --end-ip-address $agentIp
You can also create a self-hosted agent on your local machine/Azure VM. and run your pipeline on this self-hosted agent. Note to allow-list your local machine ip for the azure database.
The root issue was the password secret contained characters which escaped Powershell. Wrapping the secret in "" resolved it.
I have a small test project with a crude start of a pipeline at https://github.com/veikkoeeva/dockerservice/blob/main/azure-pipelines.yml. It's currently just to check it's possible to connect to the Azure, so
trigger:
- master
pool:
vmImage: windows-latest
steps:
- task: AzureCLI#2
displayName: Az --version
inputs:
azureSubscription: 'TestManagedIdentityConnection'
scriptType: pscore
scriptLocation: inlineScript
inlineScript: |
az --version
- task: AzureCLI#2
inputs:
azureSubscription: 'TestManagedIdentityConnection'
scriptType: 'pscore'
scriptLocation: 'scriptPath'
scriptPath: '$(System.DefaultWorkingDirectory)\devops.ps1'
But this fails on login step like so
The service connection scope is on subscription level. It appears the hosted image tries to connect to an Internal Azure token endpoint. Is there a way to use managed identity that can sign in the CLI using hosted images? What could it look like using self-hosted and managed identity?
This seem to work with "the usual" service principal. But it appears developers are often forbidden to create SPNs to company AD so creating a service connections fails. It appears often it's possible to create a service connection using managed identity, but here we are with this problem. :)
<edit: Reading from https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest the options could be either az login --identity or a certificate. With az login --identity it appears there is still the same problem of calling the same endpoint as earlier and it errors with the same reason.
<edit 2: Duh! In the image it's called with --identity switch already!
I want to get the vnet id of an azure vnet into a variable using azure cli.
i then want to use this variable in the azure devops pipeline and populate a variable there?
How can i do this?
You can use the Azure CLI task making use of the az network vnet commands, e.g.
- task: AzureCLI#2
displayName: Azure CLI
inputs:
azureSubscription: <Name of the Azure Resource Manager service connection>
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
az network vnet show -g MyResourceGroup -n MyVNet
In the same task's inline script you're free to use any powershell, so could also set variables in that script for use in subsequent steps. Hope this helps!
I am deploying containers from Azure Container Registry using Azure Release and the Azure App Service Deploy task. I have a Subscription Level Service connection defined. Container Registry Settings are set as:
Registry or Namespace: <registry>.azurecr.io
Image: rrez/vnext/dev/booking
Tag: latest
Startup command: "dotnet", "Booking.API.dll"
The task completes successfully, but when reviewing in Container Log on the App Service I see:
2019_02_25_RD00155D9B2488_docker.log:
2019-02-25 22:27:07.101 INFO - Issuing docker pull: imagename =<registry>.azurecr.io/rrez/vnext/dev/booking:latest
2019-02-25 22:27:07.260 INFO - Issuing docker pull: imagename =<registry>.azurecr.io/rrez/vnext/dev/booking:latest
2019-02-25 22:27:07.410 INFO - Issuing docker pull <registry>.azurecr.io/rrez/vnext/dev/booking:latest
2019-02-25 22:27:07.487 ERROR - docker pull returned STDERR>> Error response from daemon: Get https://<registry>.azurecr.io/v2/rrez/vnext/dev/booking/manifests/latest: unauthorized: authentication required
This seems to be an ACR access issue, but I would expect the Subscription Level Service Connection to be authority enough.
Since this is Azure Release there is no YAML configuration available to add additional authentication details.
I pasted the YAML from the Release Task into the successfully completing Build and received the same error.
The YAML is:
- task: AzureRmWebAppDeployment#4
displayName: 'Azure App Service Deploy: P-RREZ-BOOKING-PREPROD'
inputs:
ConnectionType: AzureRM
azureSubscription: 'RightRez.Services SubscriptionSC'
appType: webAppContainer
WebAppName: 'P-RREZ-BOOKING-PREPROD'
deployToSlotOrASE: true
ResourceGroupName: '<ResourceGroup>-RG'
DockerNamespace: <registry>.azurecr.io
DockerRepository: rrez/vnext/dev/booking
DockerImageTag: latest
StartupCommand: '"dotnet", "Booking.API.dll"'
Not sure where the problem lies.
Have you set the Access level in the ACR? If not please try setting up one from here. I had similar issue and I tried setting up the role assignment and it worked.