Anders Swanson

Reputation: 3961

Azure Pipeline -- Authenticate once to Azure for all subsequent steps

Problem

In an Azure DevOps (ADO) pipeline, I need to run 5+ bash steps that each require authentication to Azure.

I want to authenticate once in the first step, and have the cached token be available for all downstream steps.

I already have a service-principal-backed Azure Resource Manager service connection (screenshot).

Redundant Workarounds

Both of the workarounds below seem redundant because the ARM service connection already has the service principal connection. Moreover, our org will auto-rotate SP secrets every 6 months, so the fewer places to have to update the new SP secret, the better.

Secret Pipeline Variables

This pipeline works if I duplicate the SP creds as manually-created secret Pipeline variables.

Get SP creds from Key Vault

This pipeline is also redundant as I'm using the ARM Service connection (which has the SP creds) to connect to a Key Vault, to fetch the SP creds. But it works so, ¯\_(ツ)_/¯

Additional Context

I'm using dbt and dbt-sqlserver package, which makes use of the azure-identity Python package to authenticate to an Azure SQL database (db).

This seems somewhat related to this question

Upvotes: 4

Views: 2922

Answers (2)

wziska

Reputation: 558

Check this blog out: https://www.integration-playbook.io/docs/combining-az-cli-and-azure-powershell-az-modules-in-a-pipeline

Basically you have to add 2 tasks:

- task: AzureCLI@2
  displayName: Expose SP credentials as env variables
  inputs:
    azureSubscription: <YOUR SUBSCRIPTION>
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # addSpnToEnvironment exposes $servicePrincipalId, $servicePrincipalKey and
      # $tenantId inside this task only; setvariable carries them to later steps.
      echo "##vso[task.setvariable variable=SERVICE_PRINCIPAL_ID]$servicePrincipalId"
      # issecret=true masks the key in the job log instead of storing it in clear text.
      echo "##vso[task.setvariable variable=SERVICE_PRINCIPAL_KEY;issecret=true]$servicePrincipalKey"
      echo "##vso[task.setvariable variable=TENANT_ID]$tenantId"
    addSpnToEnvironment: true

- script: |
    az login --service-principal --username "$SERVICE_PRINCIPAL_ID" --password "$SERVICE_PRINCIPAL_KEY" --tenant "$TENANT_ID"
  displayName: Login to Azure
  env:
    # secret variables are not exposed to scripts unless mapped explicitly
    SERVICE_PRINCIPAL_KEY: $(SERVICE_PRINCIPAL_KEY)

In the first one you store credentials as env variables thanks to the addSpnToEnvironment parameter. And in the second one you use them to log in to Azure.

In all following tasks you don't have to log in again and can use already logged in account like this:

- script: az account show

Upvotes: 2
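The pattern above, carried through to a complete pipeline, as an added example that is not part of the original answer: the service principal key is stored as a secret variable and mapped into exactly one step, every later bash step reuses the Azure CLI session on the agent without touching any credential, and a final step clears the cached session. The service connection name my-arm-connection and the downstream commands are placeholders assumed for illustration.

```yaml
# Added example (not from the original answer): azure-pipelines.yml that logs in
# once and reuses the az CLI session in all later bash steps.
# Assumption: an ARM service connection named 'my-arm-connection' exists (placeholder).
trigger: none

pool:
  vmImage: ubuntu-latest

steps:
  # Step 1: the Azure CLI task injects servicePrincipalId, servicePrincipalKey and
  # tenantId into this task's environment; hand them to later steps as variables.
  # issecret=true masks the key in logs and stops it being auto-mapped into
  # every later step's environment.
  - task: AzureCLI@2
    displayName: Capture SP credentials from the service connection
    inputs:
      azureSubscription: my-arm-connection   # placeholder name
      scriptType: bash
      scriptLocation: inlineScript
      addSpnToEnvironment: true
      inlineScript: |
        echo "##vso[task.setvariable variable=SERVICE_PRINCIPAL_ID]$servicePrincipalId"
        echo "##vso[task.setvariable variable=TENANT_ID]$tenantId"
        echo "##vso[task.setvariable variable=SERVICE_PRINCIPAL_KEY;issecret=true]$servicePrincipalKey"

  # Step 2: log in once. Secret variables reach a script only through an explicit
  # env: mapping, so the key is mapped here and nowhere else.
  - bash: |
      set -euo pipefail
      az login --service-principal \
        --username "$SERVICE_PRINCIPAL_ID" \
        --password "$SERVICE_PRINCIPAL_KEY" \
        --tenant "$TENANT_ID" --output none
    displayName: Login to Azure once
    env:
      SERVICE_PRINCIPAL_KEY: $(SERVICE_PRINCIPAL_KEY)

  # Steps 3..N: plain bash steps reuse the CLI session stored under ~/.azure on
  # the same agent; no credential is referenced in these steps at all.
  - bash: |
      set -euo pipefail
      az account show --query '{sub:name, user:user.name}' --output table
    displayName: Verify the cached login

  - bash: |
      set -euo pipefail
      # azure-identity's AzureCliCredential (what dbt-sqlserver uses when the
      # profile's authentication method is CLI) picks up this same session.
      az account get-access-token --resource https://database.windows.net/ \
        --query expiresOn --output tsv
    displayName: Example downstream step that needs an Azure SQL token

  # Last step: always clear the cached session so the token does not outlive
  # the job on a self-hosted agent.
  - bash: az account clear
    displayName: Clear cached credentials
    condition: always()
```

The key only ever exists as a masked secret variable and inside the login step's environment, so rotating the service principal secret in the service connection is the only update needed; if any later step echoes its environment, the key is not in it. Note that the login step must run as a plain bash or script task, not as another AzureCLI@2 task, because that task logs the CLI out again when it finishes.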

Felix

Reputation: 1152

In the Azure CLI task, we do not need to use the az login cli. And since you have the existing service principal, we recommend you create an Azure Resource Manager service connection manually and use this new service connection in the Azure CLI task. You can refer to this document.

Upvotes: 1
