Double hopping credentials from VSTS through Azure PowerShell script to PowerShell script on target VM


Problem description

I need to automate execution of scripts on target VMs as a domain administrator. The problem is, the VMs aren't publicly reachable. I also should not rewrite the script, as it has been written by a team member, and I'd rather provide my team with a solution that works for them and is automatable instead of rewriting their scripts every time. The current process looks like this:

  1. VSTS uses an Azure PowerShell script, command1.ps1
  2. The build process is started
  3. command1.ps1 installs the Azure Custom Script Extension on the target VM
  4. The Custom Script Extension downloads and executes command2.ps1, which runs command3.ps1 as the domain administrator

The problem I'm having is that I'm unable to pass credentials from VSTS to command2.ps1. Please recommend how I should do that properly. The options I found:

  1. Not sure whether this is possible from VSTS: https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/
  2. Add a public IP address to the target VM, configure WinRM, execute command2.ps1, delete the public IP address

I'm sure there is a better way of doing this. command1.ps1:

    param
    (
        [Parameter(Mandatory)]
        [String]$resourceGroupName,

        [Parameter(Mandatory)]
        [String]$targetVMname,

        [Parameter(Mandatory)]
        [String]$vmLocation,

        [Parameter(Mandatory)]
        [String]$FileUri,

        [Parameter(Mandatory)]
        [String]$nameOfTheScriptToRun,

        [Parameter(Mandatory)]
        [String]$customScriptExtensionName,

        [Parameter(Mandatory)]
        [String]$domainAdminName,

        [Parameter(Mandatory)]
        [String]$domainAdminPassword
    )

    # Build a PSCredential from the plain-text password handed in by VSTS.
    $domainAdminPasswordSecureString = ConvertTo-SecureString -String $domainAdminPassword -AsPlainText -Force
    $DomainCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $domainAdminName, $domainAdminPasswordSecureString

    # -Argument is a plain string, so $DomainCredentials is stringified here and the
    # extension receives the type name rather than the credential (the failure asked about).
    Set-AzureRmVMCustomScriptExtension -Argument "-DomainCredentials $DomainCredentials" `
        -ResourceGroupName $resourceGroupName `
        -VMName $targetVMname `
        -Location $vmLocation `
        -FileUri $FileUri `
        -Run $nameOfTheScriptToRun `
        -Name $customScriptExtensionName

    # Remove the extension again once the script has run.
    Remove-AzureRmVMCustomScriptExtension -Force `
        -ResourceGroupName $resourceGroupName `
        -VMName $targetVMname `
        -Name $customScriptExtensionName

command2.ps1:

    param
    (
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$DomainCredentials
    )

    # Download the team member's script and launch it in a new PowerShell
    # process running as the domain administrator.
    $url = "https://raw.githubusercontent.com/x/command2.ps1"
    $output = "C:\command2.ps1"

    Invoke-WebRequest -Uri $url -OutFile $output
    Start-Process -FilePath powershell.exe -ArgumentList $output -Credential $DomainCredentials

Answer

You don't actually have the double hop problem, because you are not executing the command on the node; you are launching the extension, which downloads the script and executes it.

So what you need to do is this:

    Set-AzureRMVMCustomScriptExtension ... -Argument "-domainAdminName admin -domainAdminPassword passw0rD" -VM $Vm
    $vm | Update-AzureVM

and in your script (which is invoked INSIDE the machine, so command2.ps1) do:

    $domainAdminPasswordSecureString = ConvertTo-SecureString -String $domainAdminPassword -AsPlainText -Force
    $DomainCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $domainAdminName, $domainAdminPasswordSecureString

and paste the appropriate params into the second script (so it accepts those).

Also, you don't need the intermediate script; you can just download "https://raw.githubusercontent.com/x/command2.ps1" and execute it with arguments.
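The VSTS-side script below is an added example, not code from the question or the answer. It follows the answer's approach (pass user name and password as script arguments rather than a PSCredential object) but places the command line explicitly in the extension's protectedSettings and wraps the arguments in -EncodedCommand, so the password is neither readable from the VM's extension settings nor mangled by cmd.exe quoting. It assumes the Azure PowerShell Set-AzureRmVMExtension / Remove-AzureRmVMExtension cmdlets, Windows CustomScriptExtension handler version 1.9, a password supplied from a VSTS secret variable, and a command2.ps1 (downloaded from $FileUri) that takes -domainAdminName and -domainAdminPassword as in the answer.

```powershell
# command1.ps1 (runs in the VSTS Azure PowerShell task). Added example; assumes
# Set-AzureRmVMExtension and the CustomScriptExtension 1.9 handler.
param
(
    [Parameter(Mandatory)] [String]$resourceGroupName,
    [Parameter(Mandatory)] [String]$targetVMname,
    [Parameter(Mandatory)] [String]$vmLocation,
    [Parameter(Mandatory)] [String]$FileUri,             # URL of command2.ps1
    [Parameter(Mandatory)] [String]$domainAdminName,
    [Parameter(Mandatory)] [String]$domainAdminPassword  # from a VSTS secret variable
)

$extensionName = 'RunAsDomainAdmin'
$scriptName    = [System.IO.Path]::GetFileName($FileUri)

# Single-quote both values for PowerShell and double any embedded quote, so a
# password containing spaces or quotes still reaches command2.ps1 intact.
$userArg = $domainAdminName     -replace "'", "''"
$pwdArg  = $domainAdminPassword -replace "'", "''"
$inner   = "& .\$scriptName -domainAdminName '$userArg' -domainAdminPassword '$pwdArg'"

# -EncodedCommand takes UTF-16LE Base64. Its alphabet contains none of the
# characters cmd.exe (which the extension uses to run commandToExecute)
# treats as special: & | ^ % < >
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$cmd     = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -EncodedCommand $encoded"

# fileUris can stay public; commandToExecute carries the password, so it goes
# into protectedSettings, which the platform encrypts and does not return
# through Get-AzureRmVMExtension or the portal.
Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $targetVMname `
    -Location $vmLocation -Name $extensionName `
    -Publisher 'Microsoft.Compute' -ExtensionType 'CustomScriptExtension' `
    -TypeHandlerVersion '1.9' `
    -Settings @{ fileUris = @($FileUri) } `
    -ProtectedSettings @{ commandToExecute = $cmd }

# Remove the extension afterwards so its settings do not linger on the VM resource.
Remove-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $targetVMname `
    -Name $extensionName -Force
```

Inside the VM, command2.ps1 rebuilds the PSCredential exactly as the answer's two ConvertTo-SecureString / New-Object lines show and hands it to Start-Process -Credential.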
