1
votes

I am trying to create a pipeline in which I'll run terraform configs against an Azure subscription from Azure DevOps pipelines. All works fine, but when I am trying to log in as a user with the az CLI it fails with:

    ERROR: Authentication failed due to error of 'Unsupported wstrust endpoint version. Current support version is wstrust2005 or wstrust13.' This typically happens when attempting a Microsoft account, which requires interactive login. Please invoke 'az login' to cross check. More details are available at https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
    ERROR: Please run 'az login' to setup account.

Although from the CLI on my local machine it works to do az login -u user -p pass

The command was executed from a script, because after login I'll move to terraform commands which require those creds:

      - script: |
          az login -u $(u) -p $(p)
          terraform init
          terraform plan

I know it's not a best practice to use a user instead of a service principal, but for now I have to stick with this method. So is there a way to automate az login from Azure DevOps pipelines?

2 Answers

2
votes
az login -u $(secretUser) -p $(secretPassword)

Put the user ID and password into Azure Key Vault, named secretUser and secretPassword, and then use the AzureKeyVault@1 task to populate them:

    - task: AzureKeyVault@1
      inputs:
        ConnectedServiceName: Your Service Connection Name
        KeyVaultName: Your Key Vault Name
        SecretsFilter: 'secretUser,secretPassword'
        RunAsPreJob: true
    - script: |
        az login -u $(secretUser) -p $(secretPassword)
        terraform init
        terraform plan

2
votes

The Azure CLI task can be used instead of the Script task.

It works like the normal script tasks and you select what scripting language you want to run with the scriptType property:

Type of script: PowerShell/PowerShell Core/Bat/Shell script. Select bash/pscore script when running on Linux agent or batch/ps/pscore script when running on Windows agent. PowerShell Core script can run on cross-platform agents (Linux, macOS, or Windows)

It also takes a service connection reference in the azureSubscription input. The service connection should be of type Azure Resource Manager and can be created either automatically or by using an existing service principal.

The Azure connection details are safely stored in the service connection, and when your script starts executing, Azure CLI has already been logged in using the service connection.

Below is an example of how your pipeline task would look:

    - task: AzureCLI@2
      displayName: Azure CLI
      inputs:
        azureSubscription: <Name of the Azure Resource Manager service connection>
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          terraform init
          terraform plan
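
An added example, not part of the answer above: it extends the AzureCLI@2 step so that Terraform itself receives the service connection's credentials. The azurerm provider documents Azure CLI authentication as supported only for user accounts, so with a service principal connection it is given ARM_* environment variables instead. Assumptions: the Terraform configuration uses the azurerm provider and the service connection authenticates with a service principal secret.

```yaml
# Added example. Assumes the azurerm provider and a service connection
# backed by a service principal secret.
steps:
  - task: AzureCLI@2
    displayName: Terraform plan
    inputs:
      azureSubscription: <Name of the Azure Resource Manager service connection>
      scriptType: bash
      scriptLocation: inlineScript
      # Exposes servicePrincipalId, servicePrincipalKey and tenantId
      # to this script only, not to later steps.
      addSpnToEnvironment: true
      inlineScript: |
        set -euo pipefail

        # Stop before Terraform runs if the connection did not supply
        # a client secret (for example, a different authentication scheme).
        : "${servicePrincipalId:?not set by the service connection}"
        : "${servicePrincipalKey:?not set by the service connection}"
        : "${tenantId:?not set by the service connection}"

        # Environment variables read by the azurerm provider.
        export ARM_CLIENT_ID="$servicePrincipalId"
        export ARM_CLIENT_SECRET="$servicePrincipalKey"
        export ARM_TENANT_ID="$tenantId"

        # The task has already run az login, so the subscription can be
        # read from the CLI. Assigned separately from export so that a
        # failing az command stops the script under set -e.
        ARM_SUBSCRIPTION_ID="$(az account show --query id -o tsv)"
        export ARM_SUBSCRIPTION_ID

        # -input=false makes Terraform fail instead of waiting for a prompt.
        terraform init -input=false
        terraform plan -input=false
```

The credentials stay in the step's environment and never appear as command-line arguments, unlike az login -u ... -p ..., where the password is substituted into the script text.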