Use Azure CLI within Azure Powershell Task

5
votes

I want to create a Powershell script which executes some AzureRm... commands and follows those up with some Az commands. Reason being that some commands are only available via Az.

When trying to execute these scripts in a release pipeline, the script always fails with the following error:

ERROR: Please run 'az login' to setup account.

Executing the Az commands in a Azure CLI task work as expected, because Az Login is executed by the task.

I don't want to pass the secret required to login to the script if at all possible. I would rather fall back to separating the scripts into two steps in the pipeline.

Is it possible to use the Azcommands within a Azure Powershell task without passing the secrets manually?

Minimal example:

  • Create a new release pipeline
  • Add a task Azure PowerShell
  • Use inline script
  • As script, execute az account show
3
azure-devopsazure-pipelinesazure-powershellazure-pipelines-release-pipelineazure-cli
which commands?4c74356b41
az cosmosdb list-keys and the other cosmos commands are required in my case, but az account show does not work eitherAlex AIT
powershellgallery.com/packages/CosmosDB/2.1.9.95 try this?4c74356b41
I will take a look at that, thanks!Alex AIT

3 Answers

1
votes

When I have mixed commands I put this into my Azure Powershell task

az login --service-principal --username "$(ServicePrincipal)" --password "$(AzureDevOps-ServicePrincipal-Secret)" --tenant "$(Azure_Tenant)"

I have my SP and Tenant IDs as a variables and the Secret for the SP stored in Azure KeyVault linked to a Library Variable group. You can alternatively just stored the secret in a normal Variable/Variable Group and hit the padlock icon to secure it.

You may need to run az account set -s $(SubscriptionName) if the SP has access to multiple subscriptions in the same tenant.

1
votes

The short term solution I already had in place was passing the ServicePrincipal information into the powershell script and executing az login manually (same as Bevan's answer below).

My long term solution was to replace all Azure CLI calls with "Az Powershell" commands. Luckily, most commands are available by now.

A couple of commands don't have an equivalent commandlet. But if they are available via ARM, you can figure out an alternative command with Powershell.

Many of them involve using New-AzResource/New-AzureRmResource or Invoke-AzResourceAction/Invoke-AzureRmResourceAction

# AzureCLI
az cosmosdb list-keys
# Powershell:
$keys = Invoke-AzResourceAction -Action listKeys `
    -ResourceType "Microsoft.DocumentDb/databaseAccounts" -ApiVersion "2015-04-08" `
    -ResourceGroupName $resourceGroupName -Name $accountName
0
votes

Anyway, it wont work like that, because you have to authenticate to az utility separately. az cli and powershell do not share connection information. you can try and use az step with some command before powershell step. that would force az to auth and after that you can use it inside powershell ste.