Inconsistent Azure Pipeline. Error: AKV10032: Invalid issuer - azure-devops

We are facing some issues with all the pipelines in a specific Azure DevOps project. When we run them, we get the error below.
All these projects call KeyVault from the code to get the secret during build (we are using the Build Cake extension), and this is now failing in the pipeline. All these pipelines were working previously; even pipelines that have not been modified no longer work under the same project.
{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/xxxxxxxxxxxxx/, https://sts.windows.net/xxxxxxxxxxxxx/, https://sts.windows.net/xxxxxxxxxxxxx/, found https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/."}}
```yaml
- task: AzureCLI@2
  displayName: 'Cake Build with Azure CLI and Dotnet'
  inputs:
    scriptType: bash
    scriptLocation: inlineScript
    azureSubscription: 'Found-TEST'
    addSpnToEnvironment: true
    inlineScript: |
      az account set -s "XXXX-XXXXX-XXXXXX-"
      az account list
      dotnet run --project ${{parameters.project}}
```
Steps/fixes we have followed:
Updated PAT
Checked Service connection – it is correct
Tried to access KeyVault from pipeline. Working.
Tested the code locally to get the secret – Working
We have set the subscription properly before calling dotnet project

There are a few related open issues on GitHub:
[BUG] Since 2 days our pipeline can not get secrets from the keyvault because not the defined TenantId is used #5908
[BUG] Since 2 days our pipeline can not get secrets from the keyvault because not the defined TenantId is used #29902
As a workaround for the moment, you could set the AAD Tenant Id as environment variable (powershell sample):
```yaml
- task: AzureCLI@2
  displayName: 'Cake Build with Azure CLI and Dotnet'
  inputs:
    scriptType: pscore
    scriptLocation: inlineScript
    azureSubscription: 'Found-TEST'
    addSpnToEnvironment: true
    inlineScript: |
      az account set -s "XXXX-XXXXX-XXXXXX-"
      az account list
      $env:AZURE_TENANT_ID = "$($env:tenantId)";
      dotnet run --project ${{parameters.project}}
```
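
To confirm which tenant issued a token before Key Vault rejects it with AKV10032, the `iss` claim can be read from the JWT payload and compared with the vault's tenant. This is an added example, not part of the original question or answer; the function names, the unsigned sample token and the all-zero vault tenant id are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare a token's issuer with the tenant the Key Vault expects.
# On an agent the token would come from, for example:
#   az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv

# Decode one base64url JWT segment (URL-safe alphabet, padding stripped).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the "iss" claim of a JWT (the second dot-separated segment is the payload).
jwt_issuer() {
    payload=$(printf '%s' "$1" | cut -d. -f2)
    b64url_decode "$payload" |
        sed -n 's/.*"iss"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 only if the token was issued by the expected tenant.
check_issuer() {   # $1 = token, $2 = expected tenant id
    iss=$(jwt_issuer "$1")
    if [ "$iss" = "https://sts.windows.net/$2/" ]; then
        echo "ok: issuer $iss"
        return 0
    fi
    echo "mismatch: token issued by '$iss', vault expects tenant $2" >&2
    return 1
}

# Constructed, unsigned sample token for a given tenant id (demo input only).
make_sample_token() {
    enc() { base64 | tr -d '=\n' | tr '/+' '_-'; }
    h=$(printf '%s' '{"alg":"none","typ":"JWT"}' | enc)
    p=$(printf '{"aud":"https://vault.azure.net","iss":"https://sts.windows.net/%s/"}' "$1" | enc)
    printf '%s.%s.' "$h" "$p"
}

# Issuer reported in the error message above vs. a placeholder vault tenant.
FOUND_TENANT="72f988bf-86f1-41af-91ab-2d7cd011db47"
VAULT_TENANT="00000000-0000-0000-0000-000000000000"   # placeholder, not a real tenant
token=$(make_sample_token "$FOUND_TENANT")
check_issuer "$token" "$VAULT_TENANT" ||
    echo "tenant mismatch: the AZURE_TENANT_ID workaround above applies"
```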

Related

Run bicep from devops build pipeline. ERROR: unrecognized arguments: ENDPOINT_DATA

From a devops build pipeline, I'd like to run a bicep file for a deployment into a resource group.
My devops service connection is named '365response-tfssc-dev', as seen below:
My yaml job is as follows:
```yaml
- job: deployAzure
  displayName: deploy bicep to Azure
  pool:
    vmImage: "ubuntu-latest"
  dependsOn: [waitForValidation]
  steps:
    - task: AzureCLI@2
      displayName: Deploy Bicep To Azure
      inputs:
        azureSubscription: "365response-tfssc-dev"
        scriptType: "bash"
        scriptLocation: "inlineScript"
        inlineScript: |
          az deployment group create --resource-group rg-365Response-$(env)-001 \
          --template-file '$(System.DefaultWorkingDirectory)\bicep\365Response.main.bicep' \
          --parameters '$(System.DefaultWorkingDirectory)\bicep\365Response.parameters.$(env).json' \
```
If I run this from the terminal window of vs code then it works ok.
When this job runs it gives the following message:
```
/usr/bin/az account set --subscription 'correct subscription id is listed here'
/usr/bin/bash /home/vsts/work/_temp/azureclitaskscript1654444101122.sh
ERROR: unrecognized arguments: ENDPOINT_DATA_7940768d-1de7-44d9-92bf-05d293639bc8_SERVICEMANAGEMENTURL=https://m...
```
this line is very very long
The very long line is as follows:
Anyone see where I've gone wrong?
Please check if your service connection's Azure AD service principal has access to the Azure subscription you are trying to deploy to. Your error message doesn't really look like that, but the error message is not fully shown in your question. (That "very long" error message can be very important. ;) )
Most likely you should debug the az deployment group create ... script locally with the variable values replaced for yourself manually, and see if you can reproduce the error. That would mean that Azure Pipelines has nothing to do with this, you should just make your deployment instruction work and all will be good.
If #1 is not applicable for you (e.g. your deployment instruction is working totally fine locally but it is still failing in the pipeline), my recommendation is to look into Azure CLI version on the pipelines agent vs. the one you need and maybe add az Azure CLI upgrade/downgrade task to suit your needs.
For example, we have used these 2 steps to update AzureCLI when the MS hosted agent version contained a bug.
```yaml
- script: sudo apt-get update
- task: AzureCLI@2
  inputs:
    azureSubscription: ${{ parameters.armServiceConnection }}
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |-
      az --version
      curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
      az --version
```
Problem was using ubuntu image - should have been windows-2022
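
The quoted error, `unrecognized arguments:` followed by `NAME=value` pairs from the agent environment, has the shape a bash inline script produces when a `$(name)` macro has no matching pipeline variable: Azure Pipelines leaves the token untouched and bash evaluates it as command substitution, so `$(env)` runs `env` and the service-endpoint data ends up on the command line and in the log. The check below is an added example, not part of the original posts; the function names and the `DEMO_A`/`DEMO_B` variables are constructed, and the list of defined variables is an assumption the caller supplies.

```sh
#!/bin/sh
# Added example: find $(name) macros that the agent will leave for bash to execute.

# Inline script from the question above (copied as sample input).
sample_script() {
cat <<'EOF'
az deployment group create --resource-group rg-365Response-$(env)-001 \
  --template-file '$(System.DefaultWorkingDirectory)\bicep\365Response.main.bicep' \
  --parameters '$(System.DefaultWorkingDirectory)\bicep\365Response.parameters.$(env).json'
EOF
}

# List macro-style tokens whose name is not a defined pipeline variable.
#   $1 = inline script text
#   $2 = space-separated names of defined variables (compared by exact match)
# A name printed here is not substituted by the agent. Outside single quotes,
# bash then runs it as a command; inside single quotes it stays literal text.
unresolved_macros() {
    printf '%s\n' "$1" |
        grep -oE '\$\([A-Za-z_][A-Za-z0-9_.]*\)' |
        sed 's/^\$(//; s/)$//' | sort -u |
        while IFS= read -r name; do
            case " $2 " in
                *" $name "*) ;;                  # defined: replaced before bash runs
                *) printf '%s\n' "$name" ;;      # undefined: left for bash
            esac
        done
}

# What bash makes of the leftover token: env runs and its output is word-split,
# so the single --resource-group value turns into many NAME=value arguments.
# Runs in a scrubbed environment holding only PATH and two constructed variables.
count_args_after_bash() {
    env -i PATH="$PATH" DEMO_A=1 DEMO_B=2 \
        sh -c 'set -- rg-365Response-$(env)-001; echo $#'
}

echo "unresolved macros: $(unresolved_macros "$(sample_script)" "System.DefaultWorkingDirectory")"
echo "arguments after bash expansion: $(count_args_after_bash)"
```

Defining `env` as a pipeline variable (or passing it as a template parameter) makes the agent substitute the token before bash sees it.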

DevOps Pipeline AzureCLI@2 with dynamic azureSubscription

I have a DevOps pipeline that gives me this error:
There was a resource authorization issue: "The pipeline is not valid. Job ExecutionTerraform: Step AzureCLI input connectedServiceNameARM references service connection Azure: $(subscriptionName) which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz."
The configuration I am using is looking up the Subscription name dynamically.
The step I use for that is:
```yaml
- bash: |
    # pull the subscription data
    # ... read data into local variables
    # set the shared variables
    echo "##vso[task.setvariable variable=subscriptionId]${SUBSCRIPTION_ID}"
    echo "##vso[task.setvariable variable=subscriptionName]${SUBSCRIPTION_NAME}"
```
From there I attempt to call the Azure CLI via a template:
```yaml
- template: execution-cli.yml
  parameters:
    azureSubscriptionId: $(subscriptionId)
    azureSubscriptionName: $(subscriptionName)
```
Inside the template my CLI step uses:
```yaml
steps:
  - task: AzureCLI@2
    displayName: Test CLI
    inputs:
      azureSubscription: "ARMTest ${{ parameters.azureSubscriptionName }}"
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        az --version
      addSpnToEnvironment: true
      useGlobalConfig: true
```
It looks like Pipelines is trying to preemptively check authorization without noticing that there's a variable in there. What am I doing wrong here that is causing Azure to attempt to resolve that at the wrong time?
I do this in other pipelines without issues and I am not sure what is different in this particular instance.
Update 1: Working Template I have Elsewhere
Full template:
```yaml
parameters:
  - name: environment
    type: string
jobs:
  - job: AKSCredentials
    displayName: "AKS Credentials Pull"
    steps:
      - task: AzureCLI@2
        displayName: AKS Credentials
        inputs:
          azureSubscription: "Azure: testbed-${{ parameters.environment }}"
          scriptType: bash
          scriptLocation: inlineScript
          inlineScript: az aks get-credentials -g testbed-${{ parameters.environment }} -n testbed-${{ parameters.environment }}-aks
          addSpnToEnvironment: true
          useGlobalConfig: true
```
This is not possible because the Azure subscription needs to be known at compilation time. You set your variable at run time.
Here is an issue with a similar case where it is explained:
run time variables aren't supported for service connection OR azure subscription. In your code sample, you are referring to AzureSubscription variable which will get initialized at the run time (but not at save time). Your syntax is correct but you need to set AzureSubscription variable as part of variables.
If you define your variables like:
```yaml
variables:
  subscriptionId: someValue
  subscriptionName: someValue
```
and then you will use it
```yaml
- template: execution-cli.yml
  parameters:
    azureSubscriptionId: $(subscriptionId)
    azureSubscriptionName: $(subscriptionName)
```
it should work. But since you set up your variables on runtime it causes your issue.

Error: Unable to locate executable file: 'powershell' when running Azure CLI task in ADO pipeline

I am trying to run an Azure CLI task in pipeline and getting the following error :
```
Starting: AzureCLI
==============================================================================
Task         : Azure CLI
Description  : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
Version      : 2.1.0
Author       : Microsoft Corporation
Help         : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-cli
==============================================================================
##[error]Script failed with error: Error: Unable to locate executable file: 'powershell'. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.
Finishing: AzureCLI
```
The pre-requisites mentioned in https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-cli?view=azure-devops are fulfilled.
**Pre-requisites mentioned in the ms site :**
Microsoft hosted agents have Azure CLI pre-installed. However if you are using private agents, install Azure CLI on the computer(s) that run the build and release agent. If an agent is already running on the machine on which the Azure CLI is installed, restart the agent to ensure all the relevant stage variables are updated.
I am not using any private agents. I am using a free subscription.
The task in pipeline yaml is as :
```yaml
- task: AzureCLI@2
  inputs:
    azureSubscription: 'Free Trial(<My Subscription id>)'
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az --version
      az account show
```
Why is the agent not able to find powershell in its system!!
Is this a bug?
Thanks!
I think you might be using a Linux agent such as 'ubuntu-latest'. Try changing it back to AzureCLI@2 and set scriptType: pscore. scriptType: ps doesn't work on Linux.
```yaml
- task: AzureCLI@2
  displayName: Azure CLI
  inputs:
    azureSubscription: 'sc-name'
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
      az account show
```
Hi, try without "scriptType" and change the CLI version to 1. Please see the script below:
```yaml
- task: AzureCLI@1
  inputs:
    azureSubscription: 'Free Trial(<My Subscription id>)'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az --version
      az account show
```

Unable to run az pipeline commands within Azure DevOps Task

Trying to dynamically retrieve all the variables from a variable group via Azure DevOps task in a YAML Pipeline. Originally tried leveraging the AzureCLI@2 task with the following code to retrieve the variableGroupID which would be used to get the variables inside of it:
```powershell
$variableGroupId = $(az pipelines variable-group list --org $(System.CollectionUri) --project $(System.TeamProject) --query "[?name=='{{ parameters.variableGroupName }}'].id" -o tsv)
```
This command works locally but not when executing on a MS hosted agent like this:
```yaml
parameters:
  variableGroupName: ''
steps:
  - task: AzureCLI@2
    displayName: Azure CLI
    inputs:
      azureSubscription: ${{ parameters.azureSubscriptionName }}
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        az upgrade
        $variableGroupId = $(az pipelines variable-group list --org $(System.CollectionUri) --project $(System.TeamProject) --query "[?name=='{{ parameters.variableGroupName }}'].id" -o tsv)
        write-Host $variableGroupId
        $variables = $(az pipelines variable-group variable list --group-id $variableGroupId --org $(System.CollectionUri) --project $(System.TeamProject) -o yaml)
        write-Host $variables
```
This fails with the error:
Before you can run Azure DevOps commands, you need to run the login command (az login if using AAD/MSA identity else az devops login if using PAT token) to setup credentials. Please see https://aka.ms/azure-devops-cli-auth for more information
I have opened up an issue
In the meantime, I tried to run the commands to install the necessary pieces via scripts
```yaml
strategy:
  runOnce:
    deploy:
      steps:
        - task: AzureRmWebAppDeployment@3
          inputs:
            azureSubscription: Example - Dev
            WebAppName: wapp-Example-dev-eus
            Package: $(Pipeline.Workspace)/drop/Web.Example.zip
            TakeAppOfflineFlag: True
        - task: UsePythonVersion@0
          inputs:
            versionSpec: '3.x'
            architecture: 'x64'
        - task: CmdLine@2
          displayName: 'Upgrade pip'
          inputs:
            script: python -m pip install --upgrade pip
        - task: CmdLine@2
          displayName: 'upgrade azure cli'
          inputs:
            script: pip install --pre azure-cli --extra-index-url https://azurecliprod.blob.core.windows.net/edge
        - task: CmdLine@2
          displayName: 'Show Azure CLI version'
          inputs:
            script: az --version
        - task: CmdLine@2
          displayName: 'Install Azure DevOps Extension'
          inputs:
            script: az extension add -n azure-devops
        - task: CmdLine@2
          env:
            AZURE_DEVOPS_CLI_PAT: $(patCredential)
          displayName: 'Login Azure DevOps Extension'
          inputs:
            script: echo ${AZURE_DEVOPS_CLI_PAT} | az devops login
        - task: CmdLine@2
          displayName: 'Show List of Variables'
          inputs:
            script: |
              $variableGroupId = $(az pipelines variable-group list --org $(System.CollectionUri) --project $(System.TeamProject) --query "[?name=='{{ parameters.variableGroupName }}'].id" -o tsv)
              write-Host $variableGroupId
              $variables = $(az pipelines variable-group variable list --group-id $variableGroupId --org $(System.CollectionUri) --project $(System.TeamProject) -o yaml)
              write-Host $variables
```
However, when using both the latest Ubuntu agents and those designated in the doc, I get an error:
WARNING: Failed to store PAT using keyring; falling back to file storage.
WARNING: You can clear the stored credential by running az devops logout.
WARNING: Refer https://aka.ms/azure-devops-cli-auth to know more on sign in with PAT.
I have opened up an issue with the documentation team as at the very least the provided steps do not work. Any assistance would be appreciated!
I was getting the same error, and was able to get mine working by adding:
echo $(System.AccessToken) | az devops login
to the top of my inline script. Here's what it looks like:
```yaml
variables:
  variableGroupName: 'my-variable-group'
...
- task: AzureCLI@2
  displayName: 'Set environment variables'
  inputs:
    azureSubscription: '$(azureSubscription)'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      echo $(System.AccessToken) | az devops login
      $groupId = (az pipelines variable-group list `
        --organization $(System.CollectionUri) `
        --project $(System.TeamProject) `
        --group-name $(variableGroupName) | ConvertFrom-Json).id
      ...
```
You can use the REST API instead of Azure CLI to get the information. It can be used with the standard tools already present on the Microsoft Hosted agents. It requires only vanilla PowerShell or PowerShell Core, meaning it works on both Windows and Linux agents. The example below was successfully tested on windows-latest/windows-2019 and ubuntu-latest/ubuntu-20.04.
The approach is the same as with Azure CLI.
List all available groups filtered by name to retrieve the variable group in question
Get all variables in the variable group using the variable group id from step
In fact, the pipeline also has an out of the box PAT token available with read access to variable groups. It is stored in the variable System.AccessToken. Using that instead of a manually managed one will further simplify things.
The script below is executed in a pwsh step, which is the built in Powershell task in Powershell core mode
```yaml
- pwsh: |
    # Construct PAT authentication header
    $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f "user",$env:SYSTEM_ACCESSTOKEN)))
    $headers = @{Authorization=("Basic {0}" -f $base64AuthInfo)}
    # Retrieve variable group id. Filter the result by setting the groupName query parameter
    $variableGroupId = $(Invoke-RestMethod -Headers $headers "$(System.CollectionUri)$(System.TeamProject)/_apis/distributedtask/variablegroups?groupName=${{ parameters.variableGroupName }}&api-version=6.0-preview.2").value[0].id
    # Retrieve variables in variable group with id $variableGroupId
    $variables = $(Invoke-RestMethod -Headers $headers "$(System.CollectionUri)$(System.TeamProject)/_apis/distributedtask/variablegroups/${variableGroupId}?api-version=6.0-preview.2").variables
    # Print variables as json (for demo purpose)
    $variables | ConvertTo-Json
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
  displayName: 'Retrieve variables'
```
Testing the above pipeline in a project on a variable group with two variables yields the following output:
```json
{
  "Variable 1": {
    "value": "Value 1"
  },
  "Variable 2": {
    "value": "Value 2"
  }
}
```

Azure Pipeline Error Using AzureCLI Task: Wrong Number of Segments

I'm getting the following error while trying to use the Azure CLI task in my DevOps YAML pipeline:
"An error occurred while loading the YAML build pipeline. wrong number of segments"
I'm following this documentation, running on a self-hosted Windows agent with Azure CLI and PowerShell Core installed.
```yaml
- task: AzureCLI@2
  displayName: Azure CLI
  inputs:
    azureSubscription: MyServiceName
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: az --version
```
UPDATED: There are no other tasks in the file and it is valid. As an experiment I changed the task to AzureCLI@1 and it worked (v1 does not include Script Type):
```yaml
- task: AzureCLI@1
  displayName: Azure CLI
  inputs:
    azureSubscription: MyServiceName
    scriptLocation: inlineScript
    inlineScript: az --version
```
If a task is referenced by a wrong version number, we could get the error message: An error occurred while loading the YAML build pipeline. wrong number of segments
As a workaround, downgraded the task AzureCLI to version 1, then the task will run successfully.
Note: michaelrp has raised this issue in the GitHub, please follow this ticket to get the latest news.
As michaelrp found, the issue was version 2 of the AzureCLI task. When he downgraded to version 1, the error went away. It appears only on a self-hosted agent.
This is caused by some issue with your YAML file. Please validate your YAML file and make sure it passes
It can be caused also by wrong number of task which is fine here AzureCLI@2.
It could be also an issue with service connection, please make sure you use valid.
To give you a better answer I need to see your full YAML file.
I tested this and all went fine:
```yaml
trigger:
  - master
pool:
  vmImage: 'ubuntu-latest'
steps:
  - task: AzureCLI@2
    inputs:
      azureSubscription: 'rg-the-code-manual'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: 'az --version'
```