Azure Pipeline -- Authenticate once to Azure for all subsequent steps

Problem

In an Azure DevOps (ADO) pipeline, I need to run 5+ bash steps that each require authentication to Azure.

I want to authenticate once in the first step, and have the cached token be available for all downstream steps.

I already have a service-principal-backed Azure Resource Manager service connection (screenshot).

Redundant Workarounds

Both of the workarounds below seem redundant because the ARM service connection already has the service principal connection. Moreover, our org will auto-rotate SP secrets every 6 months, so the fewer places to have to update the new SP secret, the better.

Secret Pipeline Variables

This pipeline works if I duplicate the SP creds as manually-created secret Pipeline variables.

Get SP creds from Key Vault

This pipeline is also redundant as I'm using the ARM Service connection (which has the SP creds) to connect to a Key Vault, to fetch the SP creds. But it works so, ¯\_(ツ)_/¯

Additional Context

I'm using dbt and dbt-sqlserver package, which makes use of the azure-identity Python package to authenticate to an Azure SQL database (db).

This seems somewhat related to this question

Asked by Anders Swanson, Sep 18 '25 06:09


1 Answer

Check this blog out: https://www.integration-playbook.io/docs/combining-az-cli-and-azure-powershell-az-modules-in-a-pipeline

Basically you have to add 2 tasks:

- task: AzureCLI@2
  displayName: Expose SP credentials as env variables
  inputs:
    azureSubscription: <YOUR SUBSCRIPTION>
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # addSpnToEnvironment exposes the service connection's SP as these shell variables
      echo "##vso[task.setvariable variable=SERVICE_PRINCIPAL_ID;]$servicePrincipalId"
      # issecret=true registers the key as a secret so the agent masks it in later logs
      echo "##vso[task.setvariable variable=SERVICE_PRINCIPAL_KEY;issecret=true]$servicePrincipalKey"
      echo "##vso[task.setvariable variable=TENANT_ID;]$tenantId"
    addSpnToEnvironment: true

- script: |
    az login --service-principal --username "$SERVICE_PRINCIPAL_ID" --password "$SERVICE_PRINCIPAL_KEY" --tenant "$TENANT_ID"
  displayName: Login to Azure
  env:
    # secret pipeline variables are not exported to the environment automatically; map it in explicitly
    SERVICE_PRINCIPAL_KEY: $(SERVICE_PRINCIPAL_KEY)

In the first one you store the credentials as env variables thanks to the addSpnToEnvironment parameter, and in the second one you use them to log in to Azure.

In all following tasks you don't have to log in again and can use the already logged-in account like this:

- script: az account show
Answered by wziska, Sep 21 '25 13:09
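The answer's two-step pattern publishes the service principal with Azure DevOps logging commands, and a plain `script` step then has to run `az login` itself because the AzureCLI@2 task clears its own login (`az account clear`) when it finishes. For the asker's dbt-sqlserver / azure-identity case the `az login` can be skipped entirely: azure-identity's `EnvironmentCredential` reads `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` and `AZURE_TENANT_ID` directly, so the AzureCLI@2 step only needs to publish the `addSpnToEnvironment` values under those names, with the secret masked. The bash helper below is an added example, not code from the question, the answer or the linked blog; the function names `vso_setvariable` and `publish_spn_for_azure_identity` are my own, while `servicePrincipalId`, `servicePrincipalKey`, `tenantId` (set by `addSpnToEnvironment: true`) and the `AZURE_*` names are the real ones.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answer): publish the service principal that
# AzureCLI@2's addSpnToEnvironment exposes as $servicePrincipalId, $servicePrincipalKey
# and $tenantId under the names azure-identity's EnvironmentCredential reads, with the
# secret registered as a masked pipeline variable. Paste into the task's inlineScript
# and call publish_spn_for_azure_identity at the end.

# Emit one Azure DevOps logging command. With secret=1 the value is registered as a
# secret, so the agent masks it in the logs of every later step. The name is validated
# so a stray value cannot smuggle ';' or ']' into the command.
vso_setvariable() {
  local name="$1" value="$2" secret="${3:-0}"
  case "$name" in
    *[!A-Za-z0-9_]*|"") echo "invalid variable name: '$name'" >&2; return 1 ;;
  esac
  if [ "$secret" = 1 ]; then
    printf '##vso[task.setvariable variable=%s;issecret=true]%s\n' "$name" "$value"
  else
    printf '##vso[task.setvariable variable=%s]%s\n' "$name" "$value"
  fi
}

# Map the three addSpnToEnvironment variables onto azure-identity's names. Fails fast
# if any is empty (for example when the service connection uses workload identity
# federation, which exposes an idToken instead of servicePrincipalKey) rather than
# publishing empty credentials that only break in a later dbt step.
publish_spn_for_azure_identity() {
  local id="${servicePrincipalId:-}" key="${servicePrincipalKey:-}" tenant="${tenantId:-}"
  [ -n "$id" ] && [ -n "$key" ] && [ -n "$tenant" ] || {
    echo "servicePrincipalId/servicePrincipalKey/tenantId not set; is addSpnToEnvironment: true?" >&2
    return 1
  }
  vso_setvariable AZURE_CLIENT_ID "$id" 0
  vso_setvariable AZURE_TENANT_ID "$tenant" 0
  vso_setvariable AZURE_CLIENT_SECRET "$key" 1
}
```

Because `AZURE_CLIENT_SECRET` is published as a secret, later steps do not receive it in their environment automatically; each dbt step needs `env: { AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET) }`, after which `EnvironmentCredential` authenticates with no `az login` and no second copy of the SP secret in pipeline variables or Key Vault. When the org rotates the SP secret, only the service connection changes.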