search

microsoft / azure-pipelines-tasks

Tasks for Azure Pipelines
https://aka.ms/tfbuild
MIT License
3.5k stars 2.61k forks source link

Azure CLI task does not propagate az cli session to bash inline script #8669

Closed andreacassioli closed 6 years ago

andreacassioli commented 6 years ago

I am using AzureDevOps in a cloud subscription. In a build pipeline I want to use a bash task that must use some az cli command.

In my understanding the Azure CLI task is supposed to authenticate using az login so that I can run commands for the az cli. Note that we have a service principal setup and all permissions are fine. A colleague of mine has set up similar tasks using power shell, and it works fine.

Now, I want to use an inline script (basically I want to use make files). But to my surprise the the cli fails to authenticate, proposing me to login using az login.

OK, If I include an az login, then the task gets stuck waiting for a browser to open! Here is the output:

2018-10-22T19:27:30.2433096Z ##[section]Starting: Azure CLI 
2018-10-22T19:27:30.2436460Z ==============================================================================
2018-10-22T19:27:30.2437034Z Task         : Azure CLI
2018-10-22T19:27:30.2437173Z Description  : Run a Shell or Batch script with Azure CLI commands against an azure subscription
2018-10-22T19:27:30.2437343Z Version      : 1.140.1
2018-10-22T19:27:30.2437478Z Author       : Microsoft Corporation
2018-10-22T19:27:30.2437608Z Help         : [More Information](http://go.microsoft.com/fwlink/?LinkID=827160)
2018-10-22T19:27:30.2437792Z ==============================================================================
2018-10-22T19:27:30.4053938Z [command]/usr/bin/az --version
018-10-22T19:27:30.4053938Z [command]/usr/bin/az --version
2018-10-22T19:27:38.4197123Z azure-cli (2.0.47)
2018-10-22T19:27:38.4198150Z 
2018-10-22T19:27:38.4198730Z acr (2.1.6)
2018-10-22T19:27:38.4199132Z acs (2.3.6)
2018-10-22T19:27:38.4199499Z advisor (0.6.0)
2018-10-22T19:27:38.4199791Z ams (0.2.3)
2018-10-22T19:27:38.4200151Z appservice (0.2.5)
2018-10-22T19:27:38.4200994Z backup (1.2.1)
2018-10-22T19:27:38.4201331Z batch (3.4.0)
2018-10-22T19:27:38.4201691Z batchai (0.4.3)
2018-10-22T19:27:38.4201986Z billing (0.2.0)
2018-10-22T19:27:38.4202279Z botservice (0.1.1)
2018-10-22T19:27:38.4202577Z cdn (0.1.1)
2018-10-22T19:27:38.4202831Z cloud (2.1.0)
2018-10-22T19:27:38.4203083Z cognitiveservices (0.2.3)
2018-10-22T19:27:38.4203724Z command-modules-nspkg (2.0.2)
2018-10-22T19:27:38.4204073Z configure (2.0.18)
2018-10-22T19:27:38.4204827Z consumption (0.4.0)
2018-10-22T19:27:38.4205274Z container (0.3.5)
2018-10-22T19:27:38.4205674Z core (2.0.47)
2018-10-22T19:27:38.4206013Z cosmosdb (0.2.1)
2018-10-22T19:27:38.4206398Z dla (0.2.3)
2018-10-22T19:27:38.4206719Z dls (0.1.3)
2018-10-22T19:27:38.4207042Z dms (0.1.1)
2018-10-22T19:27:38.4207409Z eventgrid (0.2.0)
2018-10-22T19:27:38.4207745Z eventhubs (0.3.0)
2018-10-22T19:27:38.4208274Z extension (0.2.2)
2018-10-22T19:27:38.4209095Z feedback (2.1.4)
2018-10-22T19:27:38.4209403Z find (0.2.12)
2018-10-22T19:27:38.4209659Z hdinsight (0.1.0)
2018-10-22T19:27:38.4211170Z interactive (0.3.30)
2018-10-22T19:27:38.4223850Z iot (0.3.3)
2018-10-22T19:27:38.4224464Z iotcentral (0.1.2)
2018-10-22T19:27:38.4225173Z keyvault (2.2.4)
2018-10-22T19:27:38.4225584Z lab (0.1.1)
2018-10-22T19:27:38.4225923Z maps (0.3.2)
2018-10-22T19:27:38.4226305Z monitor (0.2.4)
2018-10-22T19:27:38.4226636Z network (2.2.6)
2018-10-22T19:27:38.4226967Z nspkg (3.0.3)
2018-10-22T19:27:38.4227340Z policyinsights (0.1.0)
2018-10-22T19:27:38.4227682Z profile (2.1.1)
2018-10-22T19:27:38.4228213Z rdbms (0.3.2)
2018-10-22T19:27:38.4228731Z redis (0.3.2)
2018-10-22T19:27:38.4229061Z relay (0.1.2)
2018-10-22T19:27:38.4229521Z reservations (0.4.0)
2018-10-22T19:27:38.4229900Z resource (2.1.4)
2018-10-22T19:27:38.4230345Z role (2.1.7)
2018-10-22T19:27:38.4230669Z search (0.1.1)
2018-10-22T19:27:38.4230994Z servicebus (0.3.0)
2018-10-22T19:27:38.4231319Z servicefabric (0.1.4)
2018-10-22T19:27:38.4231598Z signalr (1.0.0)
2018-10-22T19:27:38.4231917Z sql (2.1.4)
2018-10-22T19:27:38.4232204Z storage (2.2.2)
2018-10-22T19:27:38.4232649Z telemetry (1.0.0)
2018-10-22T19:27:38.4233130Z vm (2.2.4)
2018-10-22T19:27:38.4233593Z 
2018-10-22T19:27:38.4234289Z Python location '/opt/az/bin/python3'
2018-10-22T19:27:38.4235559Z Extensions directory '/home/vsts/.azure/cliextensions'
2018-10-22T19:27:38.4235992Z 
2018-10-22T19:27:38.4236427Z Python (Linux) 3.6.5 (default, Oct  4 2018, 05:49:01) 
2018-10-22T19:27:38.4236838Z [GCC 5.4.0 20160609]
2018-10-22T19:27:38.4237183Z 
2018-10-22T19:27:38.4237530Z Legal docs and information: aka.ms/AzureCliLegal
2018-10-22T19:27:38.4237887Z 
2018-10-22T19:27:38.4238326Z 
2018-10-22T19:27:38.4487224Z [command]/usr/bin/az login --service-principal -u *** -p *** --tenant ***
2018-10-22T19:27:48.6830164Z [
2018-10-22T19:27:48.6831124Z   {
2018-10-22T19:27:48.6831646Z     "cloudName": "AzureCloud",
2018-10-22T19:27:48.6835021Z     "id": "e44f8ea3-f70b-4734-877a-504f2ee64f14",
2018-10-22T19:27:48.6835685Z     "isDefault": true,
2018-10-22T19:27:48.6836410Z     "name": "Maersk Line Self-Managed DynamicNet 01 ARM",
2018-10-22T19:27:48.6838316Z     "state": "Enabled",
2018-10-22T19:27:48.6839132Z     "tenantId": "***",
2018-10-22T19:27:48.6839783Z     "user": {
2018-10-22T19:27:48.6840373Z       "name": "***",
2018-10-22T19:27:48.6840981Z       "type": "servicePrincipal"
2018-10-22T19:27:48.6841381Z     }
2018-10-22T19:27:48.6841732Z   }
2018-10-22T19:27:48.6842001Z ]
2018-10-22T19:27:48.6864966Z [command]/usr/bin/az account set --subscription e44f8ea3-f70b-4734-877a-504f2ee64f14
2018-10-22T19:27:49.3932706Z [command]/bin/bash /tmp/azureclitaskscript1540236450401.sh
2018-10-22T19:27:49.6737921Z 
2018-10-22T19:27:50.4977573Z WARNING: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CYJ8LQJ8B to authenticate.
2018-10-22T19:33:35.2482041Z ##[error]The operation was canceled.
2018-10-22T19:33:35.2511463Z ##[section]Finishing: Azure CLI

The script 

2018-10-22T19:27:49.3932706Z [command]/bin/bash /tmp/azureclitaskscript1540236450401.sh

only contains az login. My suspicion is that running bash does not propagate the whole environment and therefore the login is lost.

Any help is appreciated.

andreacassioli commented 6 years ago

bump....

amaljg commented 6 years ago

@andreacassioli - Sorry about the delayed response. The Azure CLI task logs-in automatically using the service principal specified in selected the Service Connection. So you don't need to login again. The above error is expected since you have specified 'az login' without specifying the credentials (say service principal id & key).

Can you try running some other az cli command such as 'az account show'?

If it still fails, can you provide the following details?

  1. Run the build/release pipeline with verbose logs enabled by setting the variable 'system.debug' to 'true' and share the logs.
  2. Which agent pool are you using? If you are using hosted pool, you need to use 'Hosted Linux Preview' or 'Hosted Ubuntu 1604' for running bash scripts.
andreacassioli commented 6 years ago

I think I have not been clear: the log you see is the Azure CLI log (you see that it actually log in and show details.

Then the task calls my inline bash script

2018-10-22T19:27:49.3932706Z [command]/bin/bash /tmp/azureclitaskscript1540236450401.sh

That script does not call az login but other commands: at that point I am asked to login again!

bishal-pdMSFT commented 6 years ago

@andreacassioli Looking at the logs, the task did actually authenticate successfully

2018-10-22T19:27:38.4487224Z [command]/usr/bin/az login --service-principal -u -p --tenant 2018-10-22T19:27:48.6830164Z [ 2018-10-22T19:27:48.6831124Z { 2018-10-22T19:27:48.6831646Z "cloudName": "AzureCloud", 2018-10-22T19:27:48.6835021Z "id": "e44f8ea3-f70b-4734-877a-504f2ee64f14", 2018-10-22T19:27:48.6835685Z "isDefault": true, 2018-10-22T19:27:48.6836410Z "name": "Maersk Line Self-Managed DynamicNet 01 ARM", 2018-10-22T19:27:48.6838316Z "state": "Enabled", 2018-10-22T19:27:48.6839132Z "tenantId": "", 2018-10-22T19:27:48.6839783Z "user": { 2018-10-22T19:27:48.6840373Z "name": "***", 2018-10-22T19:27:48.6840981Z "type": "servicePrincipal" 2018-10-22T19:27:48.6841381Z } 2018-10-22T19:27:48.6841732Z } 2018-10-22T19:27:48.6842001Z ]

can you paste the logs for the case when your script did not contains az login and task failed to authenticate.

andreacassioli commented 6 years ago

Hi, thank you for the reply. Digging more into the issue, it turned out to be an issue related with the command I am trying to run in the Azure CLI. It seems it does not support service principals!

So the tasks works fine, I have tried to run commands like az account show and had no issue.

Thanks again!