1

I have a set of small scripts written i PowerShell using the Az module that perform some maintenance tasks as part of a release pipeline in Azure DevOps. One of these scripts use the Azure CLI for one of its operations so I need to authenticate with both Azure PowerShell and Azure CLI in the same devops task in my pipeline.

I know I can split up the script and run one section from an Azure CLI task and another from an Azure PowerShell task, but I was hoping to keep it all clean and together. I prefer the clarity and tooling when using Az-PowerShell, but since there is not yet parity between az-cli and az-powershell I sometimes need to use the former.

I may also be able to read env vars from an Azure CLI task and transfer them to PowerShell to do az login from there, but I was hoping there was a cleaner way to do this. Ideally an AzureCLIAndPowerShell task or something like that.

Is there some way to perform a headless az login on a Microsoft hosted agent from within a script launched by an Azure PowerShell task?

Or to be more precise: Is there a way to use both Az-Powershell and Azure-CLI in an authenticated state within the same task in an Azure DevOps Pipeline?

Thomas
  • 1,512
  • 3
  • 12
  • 37

2 Answers2

1

So here is what I have done. This I have tested so switch to an Azure@CLI2 and this should get you access to both To authenticate via azure powershell from CLI Connect-AzAccount -KeyVaultAccessToken $(az account get-access-token --resource https://vault.azure.net --query accessToken --output tsv) -AccessToken $(az account get-access-token --query accessToken --output tsv) -AccountId $userId["value"]

If you want to read KV data -KeyVaultAccessToken is required.

You can reverse this some and get an access token from azure PowerShell, but I have not found a way to use it to login. In Azure PowerShell you can run (Get-AzAccessToken).Token That will give you the access Token. You might be able to do some tickery with it, but right now The easist method I would say is use the Azure@CLI2 pass in the servicePrincipal like normal and then use the above azure cli to Azure PowerShell.

Ron
  • 421
  • 3
  • 9
  • Thanks for the tip @Ron. This is a pretty cool approach. I did not know I could extract tokens like that. As a test I grabbed the generic token using `az account get-access-token --query accessToken --output tsv` and used it with `Connect-AzAccount -AccessToken` and that appears to have worked. I needed the user id from `az account show --query user.name --output tsv` as well, but that seems to work! – Thomas May 05 '23 at 06:14
-3

You can use the Azure CLI task to run the whole scripts instead of using the Azure PowerShell task. Because the Azure CLI task can be used to execute both Azure CLI commands and Azure PowerShell commands.

You can set the Azure CLI task like as below in your pipeline.

  • In YAML pipeline.
  - task: AzureCLI@2
    displayName: 'Execute scripts'
    inputs:
      azureSubscription: <the ARM service connection>
      scriptType: pscore   # You can select 'pscore' or 'ps'. However,'pscore' is recommended.
      scriptLocation: inlineScript
      inlineScript: |
        <the scripts>
  • In classic pipeline.

enter image description here

Bright Ran-MSFT
  • 5,190
  • 1
  • 5
  • 12
  • Hi Bright! Thanks for the reply. I tried running it through the AzureCLI task, but it does not include the Az module which means I would have to rewrite every command to using the azure-cli instead. I was hoping there was a way to authenticate both the cli and Az-powershell so that I could use them interchangeably throughout my scripts since there is not yet feature parity between them. – Thomas Oct 04 '22 at 06:19
  • Hi @Thomas, I took some further attempts on my side. If I executed the script has only Azure CLI commands or only Azure PowerShell commands on the Azure CLI task, it could work. However, if the script mixed Azure CLI commands and Azure PowerShell commands, it did not work. Looks like the Azure CLI task also cannot support the mixed scripts. – Bright Ran-MSFT Oct 04 '22 at 07:19
  • @Thomas, Currently, you may have to split the Azure CLI commands and Azure PowerShell commands from you script into two separate scripts. – Bright Ran-MSFT Oct 04 '22 at 07:22
  • Another way maybe you can consider is trying to find and switch the Azure CLI commands to the Azure PowerShell commands which have the same functions, or switch the Azure PowerShell commands to Azure CLI commands. – Bright Ran-MSFT Oct 04 '22 at 07:26
  • I think I'll stick to running them as separate tasks for now. It's only commands that modify App Configuration keys that need the CLI for now so isolating that is not a huge overhead. Would love to have feature parity for powershell at some point though. Personally, I find it much easier to work with than the CLI. – Thomas Oct 04 '22 at 10:05