Running Azure CLI script from release pipeline using Service Principal - invalid_client


Problem description


I have an Azure CLI script which runs perfectly well in the Cloud Shell but I run into trouble when I try to include it in a DevOps release pipeline. For debugging purposes I've reduced the script to simply signing in as a Service Principal and then retrieving the version...

az login --service-principal -u http://[Service Principal name] -p [Service Principal password] --tenant [Service Principal tenant GUID]
az --version

...but it still incurs the same error.

Here are the properties of my Azure CLI task:

Script Type: Shell
Script Location: Inline script
Inline Script: [as above]
Script Arguments:
Access service principal details in script: false
Use global Azure CLI configuration: false
Working Directory:
Fail on Standard Error: false
Enabled: true
Continue on error: false*
Environment Variables:

And the error is:

2020-06-15T12:46:39.8710944Z ##[error]Error Code: [1]
2020-06-15T12:46:39.8724737Z ##[error]Error: Azure login failed
2020-06-15T12:46:39.8728448Z ##[error]Script failed with error: Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials
Trace ID: d0f42793-739e-4ce9-9118-5049086aa800
Correlation ID: 2ad50471-9c2a-4c02-a4d0-189efad2f0c8
Timestamp: 2020-06-15 12:46:39Z","error_codes":[7000222],"timestamp":"2020-06-15 12:46:39Z","trace_id":"d0f42793-739e-4ce9-9118-5049086aa800","correlation_id":"2ad50471-9c2a-4c02-a4d0-189efad2f0c8","error_uri":"https://login.microsoftonline.com/error?code=7000222"}

I was able to authenticate as this Service Principal using the Azure Cloud Shell so I'm puzzled as to why I apparently can't do the same from within the release pipeline.

* I have tried with Continue on error: true and, although the task completes, the same error appears in the output.

Solution

To use the service principal in Azure CLI, no need to login manually.

For the correct way, please follow the steps below.

1. From the error message, the client secret (i.e. client key) of your service principal is expired. So you need to check it first: navigate to the Azure portal -> Azure Active Directory -> App registrations -> All applications -> find the AD App related to your service principal -> Certificates & secrets -> check if the secret is expired. If it is expired, just click New client secret to create a new one and save the value.

2. In DevOps, navigate to the Project Settings -> Service connections -> New service connection -> Azure Resource Manager -> Service principal (manual).

Then fill in the options with your service principal; you can get the values from your AD App in the App registration page. The Service Principal Id is the Application (client) ID, and the Service principal key is the client secret.

The Subscription Id and Subscription Name are those of the subscription you want to access with Azure CLI; you can find them in the Azure portal.

After entering the values -> Verify -> Verify and save.

3. In your Azure CLI task -> Azure Resource Manager connection -> select the service connection from step 2. In my sample, I test getting a web app in my subscription with az webapp show --name xxxx --resource-group xxxx (Note: no need to use az login manually; it will log in automatically with the service principal configured in the service connection).

Then run it and check the result, it works fine.
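As an added example (not part of the answer above), a small Python script that post-processes the output of `az ad app credential list --id <app-id> -o json` and flags secrets that are expired or about to expire, so the AADSTS7000222 failure in the question is caught before a release runs rather than in the pipeline log. The field names `endDateTime`/`endDate` are assumed from current and older CLI versions, and the sample JSON is constructed.

```python
# Added example: post-process `az ad app credential list --id <app-id> -o json`
# so an expired client secret (AADSTS7000222) is caught before a release fails.
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample mimicking the CLI output. Newer CLI versions return
# `endDateTime`, older ones `endDate` (assumption about the field names).
SAMPLE_CREDENTIALS_JSON = """[
  {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "pipeline-secret",
   "endDateTime": "2020-06-01T00:00:00.0000000Z"},
  {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "rotated-secret",
   "endDate": "2020-07-01T00:00:00Z"},
  {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "long-lived",
   "endDateTime": "2022-01-01T00:00:00Z"}
]"""

# Timestamp of the failing pipeline run quoted in the question.
RUN_TIME = datetime(2020, 6, 15, 12, 46, 39, tzinfo=timezone.utc)

_ISO_PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")

def parse_end(value):
    """Parse the CLI's ISO 8601 UTC timestamp, dropping fractional seconds
    (Graph returns 7 digits, which older Python versions cannot parse)."""
    m = _ISO_PREFIX.match(value or "")
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def classify_credentials(creds_json, now, warn_days=30):
    """Return (keyId, displayName, status) per secret; status is 'expired',
    'expiring' (ends within warn_days) or 'ok'."""
    results = []
    for cred in json.loads(creds_json):
        end = parse_end(cred.get("endDateTime") or cred.get("endDate"))
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((cred["keyId"], cred.get("displayName", ""), status))
    return results

if __name__ == "__main__":
    for key_id, name, status in classify_credentials(SAMPLE_CREDENTIALS_JSON, RUN_TIME):
        print(f"{status:8} {name:16} {key_id}")
```

Run against the real CLI output on a schedule and the "expired" and "expiring" rows tell you which secrets to rotate in the service connection before a release picks them up.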
