VSTS 构建和 PowerShell 和 AzureAD 身份验证 [英] VSTS Build and PowerShell and AzureAD Authentication

问题描述

我有一个 VSTS 项目，该项目通过 Azure 资源管理器端点通过服务主体连接到 Azure 订阅.这适用于我通过模板化、参数驱动部署配置 ARM 资源的构建.

I have a VSTS project connected via a Service Principal to an Azure subscription through an Azure Resource Manager endpoint. This works fine for my builds that configure ARM resources via templated, parameter driven deployments.

我有一个额外的要求，即在构建过程中设置 Azure AD 组.我有一个在本地机器上运行良好的脚本.当我通过构建部署它并在托管构建控制器上执行时，脚本最初找不到 AzureAD 模块.我通过在 git Repo 中包含脚本并通过以下方式访问它来解决这个问题:

I have an additional requirement to set up Azure AD groups as part of the build. I have a script that works fine from my local machine. When I deployed it via the build and it executed on the hosted build controller, the script could initially not find the AzureAD module. I got around this by including the script in git Repo and accessing it through:

$adModulePath = $PSScriptRoot + "PsModulesAzureAD2.0.0.131AzureAD.psd1"
Import-Module $adModulePath 

但是，我现在在运行 New-AzureADGroup 时遇到了另一个问题.该脚本要求在发出命令之前运行 Connect-AzureAD.这通过对凭证进行硬编码可以很好地工作，但我不想这样做，我希望它在创建的 SPN 的上下文中运行，它在托管的构建控制器上运行脚本.

However, I now have another problem when it comes to running New-AzureADGroup. The script requires Connect-AzureAD to be run before the command is issued. This works fine by hardcoding a credential but I don't want to do this, I want it to run under the context of the SPN created, which is running the scripts on the hosted build controller.

那么，问题是，我能否获取 Azure PowerShell 执行 SPN 的当前上下文并将其传递给 Connect-AzureAD 以避免以纯文本形式存储凭据?我错过了一个技巧吗?有其他选择吗?

So, the question is, can I get the current context of the Azure PowerShell execution SPN and pass that to Connect-AzureAD to avoid storing credential in plain text? Am I missing a trick? Are there any alternatives?

我当前的代码如下，注释连接在命令中工作正常，就像硬编码值一样.不带参数的调用显示了终止构建的登录 UI，因为它显然不是交互式的.

My current code is as below, the commented connection works fine from the command like with hard coded values. The call with no parameters presents the login UI which terminates the build since it is obviously not interactive.

## Login to Azure
#$SecurePassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
#$AdminCredential = New-Object System.Management.Automation.PSCredential ($AdminUserEmailAddress, $SecurePassword)
#Connect-AzureAD -Credential $AdminCredential

Connect-AzureAD

Write-Output "------------------ Start: Group Creation ------------------"

$TestForAdminGroup = Get-AzureADGroup -SearchString $AdminGroup
$TestForContributorGroup = Get-AzureADGroup -SearchString $ContributorGroup
$TestForReaderGroup = Get-AzureADGroup -SearchString $ReaderGroup

谢谢

推荐答案

这是可能的.今天让它为我自己的 VSTS 扩展工作不久前发布.我的扩展使用 Azure Resource Manager 端点 作为输入.

This is possible. Got it working today for my own VSTS extension that I released a while ago. My extension is using a Azure Resource Manager endpoint as input.

现在使用以下代码在 Microsoft Hosted Visual Studio 2017 代理池上运行它.有关详细信息，请参阅我的 关于如何使用的帖子VSTS 代理上的 AzureAD PowerShell cmdlet.

Running it now on a Microsoft Hosted Visual Studio 2017 agent pool using the below code. See for more information my post on how to use AzureAD PowerShell cmdlets on VSTS agent.

Write-Verbose "Import AzureAD module because is not on default VSTS agent"
$azureAdModulePath = $PSScriptRoot + "AzureAD2.0.1.16AzureAD.psd1"
Import-Module $azureAdModulePath 

# Workaround to use AzureAD in this task. Get an access token and call Connect-AzureAD
$serviceNameInput = Get-VstsInput -Name ConnectedServiceNameSelector -Require
$serviceName = Get-VstsInput -Name $serviceNameInput -Require
$endPointRM = Get-VstsEndpoint -Name $serviceName -Require

$clientId = $endPointRM.Auth.Parameters.ServicePrincipalId
$clientSecret = $endPointRM.Auth.Parameters.ServicePrincipalKey
$tenantId = $endPointRM.Auth.Parameters.TenantId

$adTokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$resource = "https://graph.windows.net/"

$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    resource      = $resource
}

$response = Invoke-RestMethod -Method 'Post' -Uri $adTokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
$token = $response.access_token

Write-Verbose "Login to AzureAD with same application as endpoint"
Connect-AzureAD -AadAccessToken $token -AccountId $clientId -TenantId $tenantId

这篇关于VSTS 构建和 PowerShell 和 AzureAD 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！