Azure DevOps - Custom Task - PowerShell with Azure Authentication


Question

So far I used the Azure PowerShell task to execute PowerShell scripts in an Azure Context (https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-powershell?view=vsts). Due to generalization efforts I now want to create a custom task (see e.g. http://www.donovanbrown.com/post/how-do-i-upload-a-custom-task-for-build) that runs a PowerShell script in an Azure Context, i.e. that authenticates against a connection endpoint in Azure DevOps.

How can I achieve this?

Recommended answer

First of all, you need a service principal (see e.g. https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-1.1.0) and a service connection (see e.g. https://docs.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=vsts).

In the custom task, in task.json, add an input to be able to select the service connection:

"inputs": [
        {
            "name": "ConnectedServiceName",
            "type": "connectedService:AzureRM",
            "label": "Azure RM Subscription",
            "defaultValue": "",
            "required": true,
            "helpMarkDown": "Select the Azure Resource Manager subscription for the deployment."
        }
]

In the task (the PowerShell script) you get this input via

$serviceNameInput = Get-VstsInput -Name ConnectedServiceNameSelector -Default 'ConnectedServiceName'
$serviceName = Get-VstsInput -Name $serviceNameInput -Default (Get-VstsInput -Name DeploymentEnvironmentName)

Then authenticate:

try {
    $endpoint = Get-VstsEndpoint -Name $serviceName -Require
    if (!$endpoint) {
        throw "Endpoint not found..."
    }
    $subscriptionId = $endpoint.Data.SubscriptionId
    $tenantId = $endpoint.Auth.Parameters.TenantId
    $servicePrincipalId = $endpoint.Auth.Parameters.servicePrincipalId
    $servicePrincipalKey = $endpoint.Auth.Parameters.servicePrincipalKey

    $spnKey = ConvertTo-SecureString $servicePrincipalKey -AsPlainText -Force
    $credentials = New-Object System.Management.Automation.PSCredential($servicePrincipalId,$spnKey)

    Add-AzureRmAccount -ServicePrincipal -TenantId $tenantId -Credential $credentials
    Select-AzureRmSubscription -SubscriptionId $subscriptionId -Tenant $tenantId

    $ctx = Get-AzureRmContext
    Write-Host "Connected to subscription '$($ctx.Subscription)' and tenant '$($ctx.Tenant)'..."
} catch {
    Write-Host "Authentication failed: $($_.Exception.Message)..."
    # Rethrow so the task fails instead of continuing without a valid Azure context
    throw
}

It is useful to clear the context at the beginning and at the end of the script, respectively. You can do that via

Clear-AzureRmContext -Scope Process
Disable-AzureRmContextAutosave

at the beginning and

Disconnect-AzureRmAccount -Scope Process
Clear-AzureRmContext -Scope Process

at the end.
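The steps from the answer combined into one wrapper, as an added example that is not part of the original answer: it clears the context, authenticates, runs the caller's script block, and disconnects in a finally block so the service principal's session never outlives the task, even on failure. Invoke-InAzureContext is a hypothetical helper name; the code assumes it runs inside a custom task with the VstsTaskSdk and AzureRM modules loaded and that the connection uses a key-based service principal.

```powershell
# Added example. Invoke-InAzureContext is a hypothetical helper name.
# Assumes the VstsTaskSdk and AzureRM modules are already imported by the task.
function Invoke-InAzureContext {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock
    )

    # Start clean: drop any context a previous job left in this process and
    # stop AzureRM from persisting the new one to the agent's user profile.
    Clear-AzureRmContext -Scope Process -Force | Out-Null
    Disable-AzureRmContextAutosave | Out-Null

    try {
        $endpoint = Get-VstsEndpoint -Name $ServiceName -Require

        # Only key-based service principal connections carry servicePrincipalKey.
        if ($endpoint.Auth.Scheme -ne 'ServicePrincipal') {
            throw "Unsupported authentication scheme '$($endpoint.Auth.Scheme)'."
        }

        $tenantId = $endpoint.Auth.Parameters.TenantId
        $spnKey = ConvertTo-SecureString $endpoint.Auth.Parameters.servicePrincipalKey -AsPlainText -Force
        $credentials = New-Object System.Management.Automation.PSCredential(
            $endpoint.Auth.Parameters.servicePrincipalId, $spnKey)

        # -ErrorAction Stop turns a failed login into a terminating error,
        # so the script block never runs without a valid context.
        Add-AzureRmAccount -ServicePrincipal -TenantId $tenantId -Credential $credentials -ErrorAction Stop | Out-Null
        Select-AzureRmSubscription -SubscriptionId $endpoint.Data.SubscriptionId -Tenant $tenantId -ErrorAction Stop | Out-Null

        & $ScriptBlock
    }
    finally {
        # Runs on success and on failure: remove the session from this process.
        Disconnect-AzureRmAccount -Scope Process -ErrorAction SilentlyContinue | Out-Null
        Clear-AzureRmContext -Scope Process -Force -ErrorAction SilentlyContinue | Out-Null
    }
}

# Usage inside the task script; ConnectedServiceName is the input from task.json.
$serviceName = Get-VstsInput -Name ConnectedServiceName -Require
Invoke-InAzureContext -ServiceName $serviceName -ScriptBlock {
    Get-AzureRmResourceGroup | Select-Object ResourceGroupName, Location
}
```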
