VSTS Build和PowerShell和AzureAD身份验证 [英] VSTS Build and PowerShell and AzureAD Authentication

问题描述

我有一个VSTS项目，该项目通过服务主体通过Azure资源管理器终结点连接到Azure订阅.这对于通过模板化，参数驱动的部署配置ARM资源的我的构建工作正常.

I have a VSTS project connected via a Service Principal to an Azure subscription through an Azure Resource Manager endpoint. This works fine for my builds that configure ARM resources via templated, parameter driven deployments.

作为构建的一部分，我还有其他要求设置Azure AD组.我有一个可以在本地计算机上正常运行的脚本.当我通过构建将其部署并在托管构建控制器上执行时，脚本最初无法找到AzureAD模块.我通过将脚本包含在git Repo中并通过以下方式访问它来解决了这个问题:

I have an additional requirement to set up Azure AD groups as part of the build. I have a script that works fine from my local machine. When I deployed it via the build and it executed on the hosted build controller, the script could initially not find the AzureAD module. I got around this by including the script in git Repo and accessing it through:

$adModulePath = $PSScriptRoot + "\PsModules\AzureAD\2.0.0.131\AzureAD.psd1"
Import-Module $adModulePath 

但是，现在在运行New-AzureADGroup时遇到另一个问题.发出命令之前，脚本需要运行Connect-AzureAD.通过对凭证进行硬编码可以很好地实现此目的，但是我不想这样做，我希望它在创建的SPN的上下文中运行，该SPN在托管的构建控制器上运行脚本.

However, I now have another problem when it comes to running New-AzureADGroup. The script requires Connect-AzureAD to be run before the command is issued. This works fine by hardcoding a credential but I don't want to do this, I want it to run under the context of the SPN created, which is running the scripts on the hosted build controller.

因此，问题是，我是否可以获取Azure PowerShell执行SPN的当前上下文并将其传递给Connect-AzureAD以避免将凭据存储为纯文本?我想念一个把戏吗?有其他选择吗?

So, the question is, can I get the current context of the Azure PowerShell execution SPN and pass that to Connect-AzureAD to avoid storing credential in plain text? Am I missing a trick? Are there any alternatives?

我当前的代码如下，注释的连接在命令中可以像硬编码值一样正常工作.没有参数的调用会显示登录UI，该登录UI会终止构建，因为它显然不是交互式的.

My current code is as below, the commented connection works fine from the command like with hard coded values. The call with no parameters presents the login UI which terminates the build since it is obviously not interactive.

## Login to Azure
#$SecurePassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
#$AdminCredential = New-Object System.Management.Automation.PSCredential ($AdminUserEmailAddress, $SecurePassword)
#Connect-AzureAD -Credential $AdminCredential

Connect-AzureAD

Write-Output "------------------ Start: Group Creation ------------------"

$TestForAdminGroup = Get-AzureADGroup -SearchString $AdminGroup
$TestForContributorGroup = Get-AzureADGroup -SearchString $ContributorGroup
$TestForReaderGroup = Get-AzureADGroup -SearchString $ReaderGroup

谢谢

推荐答案

这是可能的.我今天为我自己的 VSTS扩展工作了不久前发布.我的扩展程序使用Azure Resource Manager endpoint作为输入.

This is possible. Got it working today for my own VSTS extension that I released a while ago. My extension is using a Azure Resource Manager endpoint as input.

现在使用下面的代码在Microsoft Hosted Visual Studio 2017代理程序池上运行它.有关更多信息，请参见我的关于如何使用的信息VSTS代理上的AzureAD PowerShell cmdlet .

Running it now on a Microsoft Hosted Visual Studio 2017 agent pool using the below code. See for more information my post on how to use AzureAD PowerShell cmdlets on VSTS agent.

Write-Verbose "Import AzureAD module because is not on default VSTS agent"
$azureAdModulePath = $PSScriptRoot + "\AzureAD\2.0.1.16\AzureAD.psd1"
Import-Module $azureAdModulePath 

# Workaround to use AzureAD in this task. Get an access token and call Connect-AzureAD
$serviceNameInput = Get-VstsInput -Name ConnectedServiceNameSelector -Require
$serviceName = Get-VstsInput -Name $serviceNameInput -Require
$endPointRM = Get-VstsEndpoint -Name $serviceName -Require

$clientId = $endPointRM.Auth.Parameters.ServicePrincipalId
$clientSecret = $endPointRM.Auth.Parameters.ServicePrincipalKey
$tenantId = $endPointRM.Auth.Parameters.TenantId

$adTokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$resource = "https://graph.windows.net/"

$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    resource      = $resource
}

$response = Invoke-RestMethod -Method 'Post' -Uri $adTokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
$token = $response.access_token

Write-Verbose "Login to AzureAD with same application as endpoint"
Connect-AzureAD -AadAccessToken $token -AccountId $clientId -TenantId $tenantId

这篇关于VSTS Build和PowerShell和AzureAD身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！