Question

由于最近推动从Azure删除Entra App秘密,并在服务连接中采用工作负荷身份联合会的做法,我已将客户从服务负责人处除名,并在其中增加了联邦证书。

我该如何通过这个服务负责人登录Azure?

先前此登录是通过以下代码进行的:

Write-Host Object Id = $objectId
    $key = ConvertTo-SecureString -String  $env:servicePrincipalKey -AsPlainText -Force
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:servicePrincipalId, $key
    Connect-AzAccount -ServicePrincipal -TenantId $env:tenantId -Credential $Credential

我尝试了很多文件,但找不到任何可接受的文件。寻求帮助。

Is there any other way I can achieve this via pipeline. I have a release pipeline which uses service connection based on Workload Identity Federation (automatic). The Service Principal made out of this step has federated credentials. In the next step in my pipeline, I am using a powershell script which has this login step.

This is my service principal with Federated Creds:

Answer 1

在管道中,您可以尝试如下:

添加 < a href=> "https://learn.microsoft.com/en-us/azure/devops/piplines/taks/reference/azure-cli-v2?view=azure-piplines" rel="nofolre noreferrer" > Azure CLI任务 , 并允许在任务上选择 addSpnToenviron ( Access chain service chain prich ) (脚本 < /strong_Access chain > 中 < test > 主要服务细节) 。此选项将提供变量, 以便您获得登录证书。

您可以在任务上执行以下命令,将登录证书作为管道变量通过,以便同一工作中随后的步骤能够使用证书。
```
echo "##vso[task.setvariable variable=SP_CLIENT_ID]$servicePrincipalId" 
echo "##vso[task.setvariable variable=SP_ID_TOEKN]$idToken"
echo "##vso[task.setvariable variable=TENANT_ID]$tenantId"
```

在随后的步骤中,您可以使用 Azure CLI 命令“ < strongcode> az login- service-principal ” 或 Azure PowerShell cmdlet “Connect-AzAccount-Servicepress proper ” 登录 Azure, 以获取上述证书。

az login --service-principal --tenant $(TENANT_ID) -u $(SP_CLIENT_ID) --federated-token $(SP_ID_TOEKN) --allow-no-subscriptions

Connect-AzAccount -ServicePrincipal -Tenant $(TENANT_ID) -ApplicationId $(SP_CLIENT_ID) -FederatedToken $(SP_ID_TOEKN) -Environment AzureCloud -Scope Process

以下是作为参考的管道样本。

To run the Azure CLI commands in pipelines, ensure the Azure CLI tool has been installed on the agent machine.
To the Azure PowerShell cmdlet in pipelines, ensure the Azure PowerShell has been installed on the agent machine.

    steps:
    - task: AzureCLI@2
      displayName:  Get login Credentials 
      inputs:
        addSpnToEnvironment: true
        azureSubscription: MyArmConnection
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          echo "##vso[task.setvariable variable=SP_CLIENT_ID]$servicePrincipalId" 
          echo "##vso[task.setvariable variable=SP_ID_TOEKN]$idToken"
          echo "##vso[task.setvariable variable=TENANT_ID]$tenantId"
    
    - bash: az login --service-principal --tenant $(TENANT_ID) -u $(SP_CLIENT_ID) --federated-token $(SP_ID_TOEKN) --allow-no-subscriptions
      displayName:  Login Azure using az login 
    
    - pwsh: Connect-AzAccount -ServicePrincipal -Tenant $(TENANT_ID) -ApplicationId $(SP_CLIENT_ID) -FederatedToken $(SP_ID_TOEKN) -Environment AzureCloud -Scope Process
      displayName:  Login Azure using Connect-AzAccount

友情链接