[BUG]: AzurePowerShell@5 does not set environment variables on Windows

danieljurek commented 2 months ago

New issue checklist

[X] I searched for existing GitHub issues
[X] I read pipeline troubleshooting guide
[X] I checked how to collect logs

Task name

AzurePowerShell@5

Task version

5.241.0

Issue Description

In Linux and MacOS, the following environment variables are available to scripts executed in an AzurePowerShell task:

AZURESUBSCRIPTION_SERVICE_CONNECTION_ID
AZURESUBSCRIPTION_CLIENT_ID
AZURESUBSCRIPTION_TENANT_ID

However, on a Windows agent executing the exact same script, only one variable is available:

AZURESUBSCRIPTION_SERVICE_CONNECTION_ID

I would expect to have the client and tenant id also available given that they are available in the Linux/MacOS agents.

This appears to be caused by the fact that the tasks execute differently depending on the platform and the Windows-specific code does not set those environment variables the way that the Linux/MacOS code does.

The Windows-specific code does clear the environment variables (which aren't set) at the end of execution.

Environment type (Please select at least one enviroment where you face this issue)

[X] Self-Hosted
[X] Microsoft Hosted
[ ] VMSS Pool
[ ] Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

Windows 2022, Windows 2019

Relevant log output

Linux (expected output):

AZURESUBSCRIPTION_SERVICE_CONNECTION_ID: <redacted, valid value>
AZURESUBSCRIPTION_CLIENT_ID: <redacted, valid value>
AZURESUBSCRIPTION_TENANT_ID: <redacted, valid value>

Windows 2019 (note empty strings where valid values are expected):

AZURESUBSCRIPTION_SERVICE_CONNECTION_ID: <redacted, valid value>
AZURESUBSCRIPTION_CLIENT_ID: 
AZURESUBSCRIPTION_TENANT_ID:

Windows 2022 (note empty strings where valid values are expected):

AZURESUBSCRIPTION_SERVICE_CONNECTION_ID: <redacted, valid value> 
AZURESUBSCRIPTION_CLIENT_ID: 
AZURESUBSCRIPTION_TENANT_ID:


### Full task logs with system.debug enabled

<details>
  <pre> [REPLACE THIS WITH YOUR INFORMATION] </pre>
</details>

### Repro steps

```yml
steps:
        - task: AzurePowerShell@5
          inputs:
            azureSubscription: !!!REPLACE WITH SERVICE CONNECTION NAME!!!
            azurePowerShellVersion: LatestVersion
            pwsh: true
            ScriptType: InlineScript
            Inline: |
              Write-Host "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID: $($env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID)"
              Write-Host "AZURESUBSCRIPTION_CLIENT_ID: $($env:AZURESUBSCRIPTION_CLIENT_ID)"
              Write-Host "AZURESUBSCRIPTION_TENANT_ID: $($env:AZURESUBSCRIPTION_TENANT_ID)"
          displayName: Service connection info

danieljurek commented 2 months ago

This issue prevents federated auth scenarios.

v-schhabra commented 1 month ago

Hi @danieljurek Thanks for reporting this issue. Our team has started investigation on this issue. Will share the latest updates here.

microsoft / azure-pipelines-tasks