I'm trying to run a task within GitLab CI using the official MS Azure-CLI docker image. It fails at the first step, logging in using the "az login" command. I'm using a service principal login with a secret, all stored as GitLab CI variables. Using this command with the CI job:
az login --service-principal --username="${AZURE_APP_ID}" --password="${AZURE_CLIENT_SECRET}" --tenant=${AZURE_TENANT_ID}
gives me the error:
usage error: --service-principal --username NAME --password SECRET --tenant TENANT
Yet if I run the Azure-CLI docker image locally and run the exact same command it works fine. Why is this not working? What format do I need to use to get the damn thing working?
Debug with Print Driven Development style.
Before the az login line echo all the variables to see if they have the proper values.
I could reproduce the error you provided only in one occasion, when the command line contained this only: az login --service-principal
If any more arguments or garbage are provided, the error is different. You should check if Gitlab CI even executes those commands you think it should execute.
Related
I have a shell script that deploys containers to Azure Container Instances that runs fine locally using the Azure CLI (on Linux) but I'm having trouble performing the login to Azure from a pipeline task.
Locally the following command will open a browser to login:
docker login azure
The docs suggest that to do the same in a pipeline task I can pass in a client id and client secret. I think that it should look like this:
docker login azure --client-id $servicePrincipalId --client-secret $servicePrincipalKey --tenant-id $tenantId
However, when I run this in my pipeline I get this error:
unknown flag: --client-id
docker login azure --help run locally tells me that --client-id is a valid flag, so I'm wondering is there another way to do this in an Azure DevOps pipeline?
At the moment the problem is that there is no docker cli azure module installed on Microsoft Hosted agents, Installation instructions can be found here:
https://docs.docker.com/cloud/aci-integration/
The workaround I have used to solve the problem:
- script: |
# Add the compose-cli module;
curl -L https://raw.githubusercontent.com/docker/compose-cli/main/scripts/install/install_linux.sh | sh
# Login to Azure using docker CLI, you can use variables here;
# Note: Docker#2 task with Login Action will not help here;
docker login azure --client-id xxx --client-secret yyy --tenant-id zzz
# Check Context list;
docker context aci list
# Create ACI Context;
docker context create aci myaci --location <Azure Location> --resource-group <RG NAME> --subscription-id <subscription ID>
# Check It again.
docker context list
The Azure pipeline task for Docker allows you to use a service connection for the 'docker login' style task. To use a username / password combination, you'll start by creating a Service Connection of type 'Docker Registry'. Then specify 'other' for type. Here you can enter your credentials. The password is obfuscated for security as you would expect.
Now you can use this service connection in your azure devops pipeline docker tasks.
Sources cited:
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#docker-registry-service-connection
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#docker-hub-or-others
I have a strange situation where when I use a local powershell script in my visual studio project that logs in using a service principal and then is able to associate a specific subscription.
#login with service principal
az login --service-principal --username $APPLICATION_CLIENT_ID --password $SECRET --tenant $TENANT --allow-no-subscriptions
#set the subscription we want to use
az account set --subscription $SUBSCRIPTION_ID
and i'm able to create resource groups etc, once I've picked the right subscription.
Now I need to do the same thing in a Dockerized environment.
admins:~ admin$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9e507c6639a1 mcr.microsoft.com/dotnet/core/sdk:3.1 "bash" 2 days ago Up 2 days adoring_goodall
I login into the container and I run these commands:
curl -sL https://aka.ms/InstallAzureCLIDeb | bash
apt-get install curl && curl -sL https://deb.nodesource.com/setup_12.x | bash -
apt-get install nodejs
npm install -g azure-functions-core-tools#3 --unsafe-perm true
az login --service-principal -u $APPLICATION_ID -p $SECRET --tenant $TENANT_ID --allow-no-subscriptions
This works just fine. Output I get back from the login is identical to output from my local workstation via powershell.
PS /usr/share/powershell> az login --service-principal --username $AZ_APPLICATION_CLIENT_ID --password $AZ_SECRET --tenant $TENANT --allow-no-subscriptions
{
"cloudName": "AzureCloud",
"id": "<tenantId>",
"isDefault": true,
"name": "N/A(tenant level account)",
"state": "Enabled",
"tenantId": "<tenantID>",
"user": {
"name": "<ApplicationClientID>",
"type": "servicePrincipal"
}
}
But when I try to associate the subscription, I get the following error message:
The subscription of '<subscription ID>' doesn't exist in cloud 'AzureCloud'
I've even gone ahead and install powershell on the docker container just so i can copy paste from my local ps script into the docker env. But I'm getting the same results.
Any tips?
Edit 1
In the docker container, I ran "az login"... and went ahead and authenticated my "device" at https://microsoft.com/devicelogin
Once I did that, all the commands listed above in my question started working the same way in the docker environment as it does on the actual local workstation.
I thought the idea behind creating a service principal was to avoid the "interactive" steps needed to use the az cli. how can i set things up so that when i deploy my azure function app via a script, it can run unattended? I want to be able to use dockerized containers to deploy this app to different azure tenants ..(dev, qa and production)
Going back to the drawing board / reading the docs to see what I missed but any suggestions would be appreciated.
Thanks.
As far as I know, the output of the command az login --service-principal --username $AZ_APPLICATION_CLIENT_ID --password $AZ_SECRET --tenant $TENANT --allow-no-subscriptions also includes the subscription ID like "id": "<subscriptionId>" instead of "id": "<tenantId>" in your output. You can show the default subscription with the command az account show.
I found that there are two variables $APPLICATION_CLIENT_ID and $APPLICATION_ID in your questions. Not sure you have a typo or using the wrong variable there. Please make sure you input the correct subscription id value when you run az account set -s <subscriptionId> and other parameters values via echo the environment variable value.
You can also get a list of subscriptions for the logged-in account with the command az account list and check if the subscription Id does exist in the specific tenant.
At last, you may need to re-auth the CLI with az login. Or, by comparing the Az CLI version with your local workstation, you may need to reinstall or upgrade it.
Edit
You can verify if the service principal indeed belongs to the subscription. Search the display name of App registration in the IAM of subscriptions.
I have cloned my app from GitHub into the Azure shell. When I tried to create and deploy the webapp I am facing few errors. First I tried az webapp up -n newappname and I got the below error
Then I created a web app myself in the portal and just tried deploying it from Azure shell using the command az webapp up -n newappname_createdatportal. I got the below error
Any suggestions here will be much appreciated!
It seems it was a bug for old Azure CLI version, run az upgrade --yes and restart your prompt solve the problem for me.
Here are something to notice:
my Azure CLI version: 2.18.0
the command I use:
az upgrade --yes
#restart session and run this for authorizing
az login
az webapp up -n webappnamecreated
Here is the reproduce screenshot:
Here is the successful screenshot:
I tried updating the az command line as other answer suggested but didn't work for me.
Instead of doing az webapp up -n appname, try first creating an appservice plan with application name appname then only after it has been deployed enter the command az webpp up -n appname. This worked for me.
I am trying to push docker image into azure container registries repository using power-shell command as follows:-
docker push containerregone.azurecr.io/azure-vote-front:V1
it gives me following error
unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
I have tried to find help related to this using following documentation
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-faq
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication
but it gives Azure CLI commands.
I have also tried to do this using following link
https://stackoverflow.com/questions/50817945/what-is-the-powershell-equivalent-to-az-acr-login#:~:text=There%20is%20no%20single%20powershell,docker%20login%20to%20log%20in.
but they are using docker login. i don't have docker login.
My Question :-
How can we accomplish this using power-shell without docker login?
I'm afraid you cannot accomplish that using PowerShell without the command docker login. Let's take a look at the command for the ACR credential.
When you use the CLI command az acr login with the ACR directly without a docker daemon running, then you will get the error similar with this:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is
the docker daemon running?
It means the CLI command az acr login depends on the docker server. When you run the CLI command az acr login --expose-token as the document shows, it just exposes the access token of the ACR without login for docker. You also need to log in yourself for docker. You can see the details here.
For the PowerShell for ACR, the only one is to get the ACR credential: Get-AzContainerRegistryCredential. But it gets the passwords for you only. It's not the access token, nor will log in for you too.
So, if you want to use PowerShell command to get the ACR credential, then you also need to log in yourself with the docker command.
Before push or pull, to azure, you need to login first by az-cli
az login
az acr login -n your-registry
or by docker
docker login your-registry.azurecr.io
Docker login command in my powershell script to authenticate to Azure Container Registry gives authentication required error while running as part of my CI/CD setup in Azure DevOps, while the exact same code authenticates perfectly from my local powershell session. To make sure the values are the same, I have hardcoded the values in the script for all variables: $registeryLoginServer, $SP_APP_ID, $SP_PASSWD. Checked docker versions on both local powershell and during build, the same version. How can the same code with the same arguments can result in a successful authentication locally and not during build?
"$SP_PASSWD" | docker login $registeryLoginServer -u "$SP_APP_ID" --password-stdin
Following authentication with service principle as described in this page.
Try echo "$SP_PASSWD" | docker login $registeryLoginServer -u "$SP_APP_ID" --password-stdin
Just specifying "$SP_PASSWD" won't pipe the value of variable to stdin.
If you are on windows, you might need to disable the newline added by echo command using set /p
echo | set /p="your_password" | docker login --username your_username --password-stdin