How to authenticate to Azure from DevOps Pipeline PowerShell task
We have a repository where Azure Automation Runbooks are stored, and we wanted to publish every new version automatically into the Azure Automation Resource account.
Azure Pipeline was an obvious solution. Still, it took me some time to figure out how to authenticate to an Azure Resource from a Pipeline PowerShell task (not the same thing as an Azure PowerShell task!). The solution to this problem was mentioned at bzzzt.io/post/2021-02/2021-02-28-powershell.. so kudos to that author!
Btw I couldn't use the Azure Automation built-in Source Code feature because all our accounts use MFA, so PAT cannot be used for authentication. Also, I couldn't use the Azure PowerShell pipeline task (which is authenticated to Azure by default), because I needed access to committed repository files so I could upload them to our Runbook.
Solution
The solution to the problem "how to authenticate to Azure from Pipeline PowerShell task" is to leverage the possibility to export credentials used in the Azure PowerShell task, so they can be used later in the following tasks.
A working solution can then look like a DevOps Pipeline with 3 tasks:
1. Azure CLI task for connecting to Azure and exporting credentials for later use
2. PowerShell task for connecting to Azure using exported credentials and getting an authentication token for Graph
3. Azure CLI task for disconnecting from Azure
Prerequisites
Before we begin, we have to create a Service Connection (the account that will be used to make a connection to Azure Resources).
For my use case, I use Azure Resource Manager.
Connecting to Azure and exporting credentials for later use
In the picture below you can see that we are creating an Azure CLI task that will run shell code for exporting the credentials and tenantID variables that we will use later in the following PowerShell task for connecting to Azure.
For this to work, you have to enable Access service principal details in script.
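One way to write the shell code for this first task, as an added example that is not the author's original script. It assumes the `servicePrincipalId`, `servicePrincipalKey` and `tenantId` environment variables that the Azure CLI task provides when the option above is enabled, reuses the SPID, SPKEY and TID names from the PowerShell code further down, and (a choice made here) marks the key as a secret so the agent masks it in logs; the function names are hypothetical.

```bash
# Added example: inline script for the first Azure CLI task.
# Function names are hypothetical; SPID/SPKEY/TID match the PowerShell task.

# Print a setvariable logging command.
# $1 = pipeline variable name, $2 = value, $3 = "secret" to mask it in logs.
emit_var() {
  if [ "${3:-}" = "secret" ]; then
    printf '##vso[task.setvariable variable=%s;issecret=true]%s\n' "$1" "$2"
  else
    printf '##vso[task.setvariable variable=%s]%s\n' "$1" "$2"
  fi
}

# Export the service principal details as pipeline variables.
# Fails early when the task did not expose them, which is what happens
# if "Access service principal details in script" is not enabled.
export_spn_vars() {
  missing=""
  for name in servicePrincipalId servicePrincipalKey tenantId; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "##vso[task.logissue type=error]Missing:$missing. Enable 'Access service principal details in script'."
    return 1
  fi
  emit_var SPID "$servicePrincipalId"
  emit_var SPKEY "$servicePrincipalKey" secret
  emit_var TID "$tenantId"
}

# TF_BUILD is set by the Azure Pipelines agent; outside a pipeline the
# script only defines the functions.
if [ -n "${TF_BUILD:-}" ]; then
  export_spn_vars || exit 1
fi
```

Because SPKEY is set as a secret here, it is not passed to later scripts automatically: map it explicitly into the PowerShell task's environment variables as `$(SPKEY)` so that `${env:SPKEY}` is populated.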
Connecting to Azure using exported credentials and getting an authentication token for Graph
Now that we have credentials for making a connection to Azure, we will use them.
This is where the magic happens. We use the variables defined in the first task for making a connection to Azure.
"Installing Az.Accounts module"
Install-Module Az.Accounts -Force
"Connecting to Azure"
# SPID, SPKEY and TID are the variables exported by the first (Azure CLI) task
$credential = New-Object System.Management.Automation.PSCredential ("${env:SPID}", (ConvertTo-SecureString ${env:SPKEY} -AsPlainText -Force))
# Sign in as the service principal in the given tenant
Connect-AzAccount -Credential $credential -Tenant ${env:TID} -ServicePrincipal
Disconnecting from Azure
In the last task we just disconnect our Azure connection.