9

I am unable to trigger azure pipeline build from azureCLI task

Task :

- task: AzureCLI@2
  inputs:
    azureSubscription: 'Free Trial(My subscription)'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az --version
      echo "Running : az account show"
      az account show
      #export AZURE_DEVOPS_EXT_PAT='mypat'
      $env:AZURE_DEVOPS_EXT_PAT='mypat'
      az pipelines create --name newPipeline --org https://dev.azure.com/AbiNilOrg/ --project azure-devops-kubernetes-terraform --branch master

The output with error :

Running : az account show
{
  "environmentName": "AzureCloud",
  "homeTenantId": "***",
  "id": "73c1af29-384c-4574-bd88-92d7bb392cfc",
  "isDefault": true,
  "managedByTenants": [],
  "name": "Free Trial",
  "state": "Enabled",
  "tenantId": "***",
  "user": {
    "name": "***",
    "type": "servicePrincipal"
  }
}
WARNING: This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
ERROR: The requested resource requires user authentication: https://dev.azure.com/AbiNilOrg/azure-devops-kubernetes-terraform/_apis/serviceendpoint/endpoints
##[error]Script failed with exit code: 1

I understand that azure is unable to form the correct URI to hit the rest point

ERROR: The requested resource requires user authentication: https://dev.azure.com/AbiNilOrg/azure-devops-kubernetes-terraform/_apis/serviceendpoint/endpoints

The suffix serviceendpoint/endpoints of the URI isn't correct.

ADO guys, if you have any idea on this, please help!

Thanks in advance! Nilotpal

Krzysztof Madej
Nilotpal
  • "requires user authentication" - do you know if your service principal has rights to perform actions on that endpoint? – Nick.Mc Jul 11 '21 at 08:35
  • Does this answer your question? [How to securely login in Az CLI from a DevOps Pipeline](https://stackoverflow.com/questions/64502148/how-to-securely-login-in-az-cli-from-a-devops-pipeline) – 030 Jan 06 '22 at 07:12

2 Answers

7

When you set env:AZURE_DEVOPS_EXT_PAT you still need to log in by calling:

az devops login --organization https://dev.azure.com/contoso

because:

If you have already signed in with az login interactively or using user name and password, then you don't have to provide a token as az devops commands now support sign in through az login. However, service principal log in via az login isn't supported, in which case a PAT token is required.

And here this task logs in behind the scenes via a service principal, which you can also see in the account show output:

  "user": {
    "name": "***",
    "type": "servicePrincipal"
  }

For more details please check documentation here

Krzysztof Madej
  • Thanks Krzysztof Madej. az devops login --organization https://dev.azure.com/contoso seems to be waiting for the user to enter the token. How can I type the token in a running task? I had already set the env variable for the PAT. The job is waiting indefinitely. – Nilotpal Jul 11 '21 at 12:12
  • 1
    Can you try to do this on regular powershell task? – Krzysztof Madej Jul 11 '21 at 12:13
  • Yes, it worked with simple bash scripts. The AzureCLI task seems to have a bug and doesn't work. – Nilotpal Jul 13 '21 at 12:30
  • It was probably not a bug. Basically, you were already authenticated, and thus there was a glitch. – Krzysztof Madej Jul 13 '21 at 12:50
1

Setting the AZURE_DEVOPS_EXT_PAT environment variable to a Personal Access Token with Build (Read & Execute) permissions, and running the command below without explicitly logging in, worked out for me on a GitHub workflow.

az pipelines build queue --definition-name $azure_devops_cd_pipeline_name --organization $azure_devops_organisation_url --project $project_name --branch $git_branch

I would expect this to work in Azure DevOps as well.

ccoutinho
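Both answers rely on AZURE_DEVOPS_EXT_PAT being present in the step's environment. The following is an added example, not code from either answer: it shows the question's task with the PAT supplied from a secret pipeline variable instead of a literal in the script. The variable name AdoPat is an assumption; everything else is taken from the question.

```yaml
# Added example. AdoPat is a hypothetical secret pipeline variable (or
# variable-group entry) that holds the Personal Access Token.
steps:
# Weak (as in the question): the PAT is a literal in the pipeline YAML, so it
# is committed to the repository and readable by anyone who can read the file.
#   inlineScript: |
#     $env:AZURE_DEVOPS_EXT_PAT='mypat'

# Corrected: secret variables are not exposed to scripts automatically, so the
# secret is mapped into this one step's environment through `env:`.
- task: AzureCLI@2
  inputs:
    azureSubscription: 'Free Trial(My subscription)'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # An undefined pipeline variable is passed through as the literal text
      # "$(AdoPat)", so check for that as well as for an empty value.
      $pat = $env:AZURE_DEVOPS_EXT_PAT
      if (-not $pat -or $pat.StartsWith('$(')) {
        throw "AZURE_DEVOPS_EXT_PAT is not set; define the AdoPat secret variable"
      }
      az pipelines create --name newPipeline --org https://dev.azure.com/AbiNilOrg/ --project azure-devops-kubernetes-terraform --branch master
  env:
    AZURE_DEVOPS_EXT_PAT: $(AdoPat)
```

Scope the PAT to the minimum the command needs and give it a short expiry, since any script in this step can read the environment variable.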