VSTS Build和PowerShell以及AzureAD身份验证(VSTS Build and PowerShell and AzureAD Authentication)
我有一个VSTS项目通过服务主体通过Azure Resource Manager端点连接到Azure订阅。 这适用于通过模板化,参数驱动的部署配置ARM资源的构建。
我还需要将Azure AD组设置为构建的一部分。 我有一个脚本,可以在我的本地机器上正常工作。 当我通过构建部署它并在托管构建控制器上执行时,该脚本最初可能找不到AzureAD模块。 我通过在git Repo中包含脚本并通过以下方式访问它来解决这个问题:
$adModulePath = $PSScriptRoot + "\PsModules\AzureAD\2.0.0.131\AzureAD.psd1" Import-Module $adModulePath
但是,在运行
New-AzureADGroup
时,我现在遇到了另一个问题。 该脚本要求在发出命令之前运行Connect-AzureAD
。 通过硬编码凭证可以正常工作,但我不想这样做,我希望它在创建的SPN的上下文中运行,这是在托管构建控制器上运行脚本。因此,问题是,我是否可以获取Azure PowerShell执行SPN的当前上下文并将其传递给
Connect-AzureAD
以避免以纯文本格式存储凭据? 我错过了一招吗? 还有其他选择吗?我当前的代码如下所示,注释连接在命令中运行良好,就像硬编码值一样。 没有参数的调用提供了登录UI,它终止了构建,因为它显然不是交互式的。
## Login to Azure #$SecurePassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force #$AdminCredential = New-Object System.Management.Automation.PSCredential ($AdminUserEmailAddress, $SecurePassword) #Connect-AzureAD -Credential $AdminCredential Connect-AzureAD Write-Output "------------------ Start: Group Creation ------------------" $TestForAdminGroup = Get-AzureADGroup -SearchString $AdminGroup $TestForContributorGroup = Get-AzureADGroup -SearchString $ContributorGroup $TestForReaderGroup = Get-AzureADGroup -SearchString $ReaderGroup
谢谢
I have a VSTS project connected via a Service Principal to an Azure subscription through an Azure Resource Manager endpoint. This works fine for my builds that configure ARM resources via templated, parameter driven deployments.
I have an additional requirement to set up Azure AD groups as part of the build. I have a script that works fine from my local machine. When I deployed it via the build and it executed on the hosted build controller, the script could initially not find the AzureAD module. I got around this by including the script in git Repo and accessing it through:
$adModulePath = $PSScriptRoot + "\PsModules\AzureAD\2.0.0.131\AzureAD.psd1" Import-Module $adModulePath
However, I now have another problem when it comes to running
New-AzureADGroup
. The script requiresConnect-AzureAD
to be run before the command is issued. This works fine by hardcoding a credential but I don't want to do this, I want it to run under the context of the SPN created, which is running the scripts on the hosted build controller.So, the question is, can I get the current context of the Azure PowerShell execution SPN and pass that to
Connect-AzureAD
to avoid storing credential in plain text? Am I missing a trick? Are there any alternatives?My current code is as below, the commented connection works fine from the command like with hard coded values. The call with no parameters presents the login UI which terminates the build since it is obviously not interactive.
## Login to Azure #$SecurePassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force #$AdminCredential = New-Object System.Management.Automation.PSCredential ($AdminUserEmailAddress, $SecurePassword) #Connect-AzureAD -Credential $AdminCredential Connect-AzureAD Write-Output "------------------ Start: Group Creation ------------------" $TestForAdminGroup = Get-AzureADGroup -SearchString $AdminGroup $TestForContributorGroup = Get-AzureADGroup -SearchString $ContributorGroup $TestForReaderGroup = Get-AzureADGroup -SearchString $ReaderGroup
Thanks
原文:https://stackoverflow.com/questions/46554136
最满意答案
表单ID丢失。获取值
The form id was missing .Got the value
相关问答
更多-
我建议你没有几个具有相同ID的控件。 使用img控件渲染图像,img控件将使用预览类。 这就是我通常这样做的方式: 标记: