diff --git a/Tasks/AzureCLIV1/Strings/resources.resjson/en-US/resources.resjson b/Tasks/AzureCLIV1/Strings/resources.resjson/en-US/resources.resjson
index 20b3170150d0..a080b1ac4f3b 100644
--- a/Tasks/AzureCLIV1/Strings/resources.resjson/en-US/resources.resjson
+++ b/Tasks/AzureCLIV1/Strings/resources.resjson/en-US/resources.resjson
@@ -16,7 +16,7 @@
 "loc.input.label.args": "Arguments",
 "loc.input.help.args": "Arguments passed to the script",
 "loc.input.label.addSpnToEnvironment": "Access service principal details in script",
- "loc.input.help.addSpnToEnvironment": "Adds service principal id and key of the Azure endpoint you chose to the script's execution environment. You can use these variables: `$servicePrincipalId` and `$servicePrincipalKey` in your script",
+ "loc.input.help.addSpnToEnvironment": "Adds service principal id and key of the Azure endpoint you chose to the script's execution environment. You can use these variables: `$servicePrincipalId` and `$servicePrincipalKey` in your script.\n\nThis is honored only when the Azure endpoint has Service Principal authentication scheme.",
 "loc.input.label.useGlobalConfig": "Use global Azure CLI configuration",
 "loc.input.help.useGlobalConfig": "If this is false, this task will use its own separate [Azure CLI configuration directory](https://docs.microsoft.com/en-us/cli/azure/azure-cli-configuration?view=azure-cli-latest#cli-configuration-file). This can be used to run Azure CLI tasks in *parallel* releases",
 "loc.input.label.cwd": "Working Directory",
@@ -29,6 +29,8 @@
 "loc.messages.AzureSDKNotFound": "Azure CLI 2.x is not installed on this machine.",
 "loc.messages.FailedToLogout": "The following error occurred while logging out: %s",
 "loc.messages.LoginFailed": "Azure login failed",
+ "loc.messages.MSILoginFailed": "Azure login failed using Managed Service Identity",
+ "loc.messages.AuthSchemeNotSupported": "Auth Scheme %s is not supported",
 "loc.messages.ErrorInSettingUpSubscription": "Error in setting up subscription",
 "loc.messages.SettingAzureConfigDir": "Setting AZURE_CONFIG_DIR env variable to: %s",
 "loc.messages.SettingAzureCloud": "Setting active cloud to: %s",
diff --git a/Tasks/AzureCLIV1/azureclitask.ts b/Tasks/AzureCLIV1/azureclitask.ts
index afce6b9ee269..fe4385986115 100644
--- a/Tasks/AzureCLIV1/azureclitask.ts
+++ b/Tasks/AzureCLIV1/azureclitask.ts
@@ -61,12 +61,13 @@ export class azureclitask {
 // set az cli config dir
 this.setConfigDirectory();
 this.setAzureCloudBasedOnServiceEndpoint();
- this.loginAzure();
+ var connectedService: string = tl.getInput("connectedServiceNameARM", true);
+ this.loginAzureRM(connectedService);
 tool.line(args); // additional args should always call line. line() parses quoted arg strings
 var addSpnToEnvironment = tl.getBoolInput("addSpnToEnvironment", false);
- if (!!addSpnToEnvironment) {
+ if (!!addSpnToEnvironment && tl.getEndpointAuthorizationScheme(connectedService, true) == "ServicePrincipal") {
 await tool.exec({
 failOnStdErr: failOnStdErr,
 env: { ...process.env, ...{ servicePrincipalId: this.servicePrincipalId, servicePrincipalKey: this.servicePrincipalKey } }
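Review bot: The new gate on the `if` line compares the scheme case-sensitively (`== "ServicePrincipal"`) while `loginAzureRM` in the next hunk normalizes it with `authScheme.toLowerCase() == "serviceprincipal"`, so an endpoint whose scheme is reported in a different case would log in via service principal yet never get `servicePrincipalId`/`servicePrincipalKey` injected into the script environment. Normalize the same way here, e.g. `var authScheme: string = tl.getEndpointAuthorizationScheme(connectedService, true).toLowerCase();` followed by `if (!!addSpnToEnvironment && authScheme == "serviceprincipal") {`. A short comment above the `if` would also help, since the certificate branch of `loginAzureRM` sets only `cliPasswordPath` and leaves both static fields at their `null` initializer: `// only key-based SPN endpoints populate servicePrincipalId/Key; certificate endpoints leave them null`. The enclosing method starts and ends outside this hunk.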
@@ -116,37 +117,43 @@ export class azureclitask {
 private static servicePrincipalId: string = null;
 private static servicePrincipalKey: string = null;
- private static loginAzure() {
- var connectedService: string = tl.getInput("connectedServiceNameARM", true);
- this.loginAzureRM(connectedService);
- }
-
 private static loginAzureRM(connectedService: string): void {
- var servicePrincipalId: string = tl.getEndpointAuthorizationParameter(connectedService, "serviceprincipalid", false);
- let authType: string = tl.getEndpointAuthorizationParameter(connectedService, 'authenticationType', true);
- let cliPassword: string = null;
- if (authType == "spnCertificate") {
- tl.debug('certificate based endpoint');
- let certificateContent: string = tl.getEndpointAuthorizationParameter(connectedService, "servicePrincipalCertificate", false);
- cliPassword = path.join(tl.getVariable('Agent.TempDirectory') || tl.getVariable('system.DefaultWorkingDirectory'), 'spnCert.pem');
- fs.writeFileSync(cliPassword, certificateContent);
- this.cliPasswordPath = cliPassword;
+ var authScheme: string = tl.getEndpointAuthorizationScheme(connectedService, true);
+ var subscriptionID: string = tl.getEndpointDataParameter(connectedService, "SubscriptionID", true);
+
+ if(authScheme.toLowerCase() == "serviceprincipal") {
+ let authType: string = tl.getEndpointAuthorizationParameter(connectedService, 'authenticationType', true);
+ let cliPassword: string = null;
+ var servicePrincipalId: string = tl.getEndpointAuthorizationParameter(connectedService, "serviceprincipalid", false);
+ if (authType == "spnCertificate") {
+ tl.debug('certificate based endpoint');
+ let certificateContent: string = tl.getEndpointAuthorizationParameter(connectedService, "servicePrincipalCertificate", false);
+ cliPassword = path.join(tl.getVariable('Agent.TempDirectory') || tl.getVariable('system.DefaultWorkingDirectory'), 'spnCert.pem');
+ fs.writeFileSync(cliPassword, certificateContent);
+ this.cliPasswordPath = 
cliPassword;
+
+ }
+ else {
+ tl.debug('key based endpoint');
+ cliPassword = tl.getEndpointAuthorizationParameter(connectedService, "serviceprincipalkey", false);
+ this.servicePrincipalId = servicePrincipalId;
+ this.servicePrincipalKey = cliPassword;
+ }
+ var tenantId: string = tl.getEndpointAuthorizationParameter(connectedService, "tenantid", false);
+
+ //login using svn
+ this.throwIfError(tl.execSync("az", "login --service-principal -u \"" + servicePrincipalId + "\" -p \"" + cliPassword + "\" --tenant \"" + tenantId + "\""), tl.loc("LoginFailed"));
 }
- else {
- tl.debug('key based endpoint');
- cliPassword = tl.getEndpointAuthorizationParameter(connectedService, "serviceprincipalkey", false);
- this.servicePrincipalId = servicePrincipalId;
- this.servicePrincipalKey = cliPassword;
+ else if(authScheme.toLowerCase() == "managedserviceidentity") {
+ //login using msi
+ this.throwIfError(tl.execSync("az", "login --identity"), tl.loc("MSILoginFailed"));
+ }
+ else{
+ throw tl.loc('AuthSchemeNotSupported', authScheme);
 }
- var tenantId: string = tl.getEndpointAuthorizationParameter(connectedService, "tenantid", false);
- var subscriptionID: string = tl.getEndpointDataParameter(connectedService, "SubscriptionID", true);
-
- //login using svn
- this.throwIfError(tl.execSync("az", "login --service-principal -u \"" + servicePrincipalId + "\" -p \"" + cliPassword + "\" --tenant \"" + tenantId + "\""), tl.loc("LoginFailed"));
 this.isLoggedIn = true;
-
 //set the subscription imported to the current subscription
 this.throwIfError(tl.execSync("az", "account set --subscription \"" + subscriptionID + "\""), tl.loc("ErrorInSettingUpSubscription"));
 }
diff --git a/Tasks/AzureCLIV1/task.json b/Tasks/AzureCLIV1/task.json
index 0b283f54893b..3c6cb7dc0074 100644
--- a/Tasks/AzureCLIV1/task.json
+++ b/Tasks/AzureCLIV1/task.json
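Review bot: The new fallback branch `throw tl.loc('AuthSchemeNotSupported', authScheme);` throws a bare string, so a caller that narrows with `instanceof Error` or reads `.message`/`.stack` gets nothing useful and the failure has no stack trace; prefer `throw new Error(tl.loc('AuthSchemeNotSupported', authScheme));`. In the certificate branch, `fs.writeFileSync(cliPassword, certificateContent)` writes the service principal's private-key material to `spnCert.pem` in the agent temp or working directory with the default file mode, which on a shared agent is typically readable by other local accounts; passing `{ mode: 0o600 }` as the third argument restricts it to the agent user (whether `cliPasswordPath` is later deleted is not visible in this hunk). The key-based branch still embeds the secret inline in the `az login ... -p "..."` argument string, where it is visible in the host's process list for the duration of the call — this predates the change but is moved here rather than addressed. `loginAzureRM` is wholly within this hunk; its signature is a context line and its closing `}` is the hunk's last line.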
@@ -19,8 +19,8 @@
 "demands": [],
 "version": {
 "Major": 1,
- "Minor": 144,
- "Patch": 4
+ "Minor": 147,
+ "Patch": 0
 },
 "minimumAgentVersion": "2.0.0",
 "instanceNameFormat": "Azure CLI $(scriptPath)",
@@ -97,7 +97,7 @@
 "label": "Access service principal details in script",
 "defaultValue": "false",
 "required": false,
- "helpMarkDown": "Adds service principal id and key of the Azure endpoint you chose to the script's execution environment. You can use these variables: `$servicePrincipalId` and `$servicePrincipalKey` in your script",
+ "helpMarkDown": "Adds service principal id and key of the Azure endpoint you chose to the script's execution environment. You can use these variables: `$servicePrincipalId` and `$servicePrincipalKey` in your script.\n\nThis is honored only when the Azure endpoint has Service Principal authentication scheme.",
 "groupName": "advanced"
 },
 {
@@ -144,6 +144,8 @@
 "AzureSDKNotFound": "Azure CLI 2.x is not installed on this machine.",
 "FailedToLogout": "The following error occurred while logging out: %s",
 "LoginFailed": "Azure login failed",
+ "MSILoginFailed": "Azure login failed using Managed Service Identity",
+ "AuthSchemeNotSupported": "Auth Scheme %s is not supported",
 "ErrorInSettingUpSubscription": "Error in setting up subscription",
 "SettingAzureConfigDir": "Setting AZURE_CONFIG_DIR env variable to: %s",
 "SettingAzureCloud": "Setting active cloud to: %s",
diff --git a/Tasks/AzureCLIV1/task.loc.json b/Tasks/AzureCLIV1/task.loc.json
index 01c371ab0bf2..d41347d7d127 100644
--- a/Tasks/AzureCLIV1/task.loc.json
+++ b/Tasks/AzureCLIV1/task.loc.json
@@ -4,6 +4,7 @@
 "friendlyName": "ms-resource:loc.friendlyName",
 "description": "ms-resource:loc.description",
 "author": "Microsoft Corporation",
+ "helpUrl": "http://go.microsoft.com/fwlink/?LinkID=827160",
 "helpMarkDown": "ms-resource:loc.helpMarkDown",
 "releaseNotes": "ms-resource:loc.releaseNotes",
 "category": "Deploy",
@@ -18,8 +19,8 @@
 "demands": [],
 "version": {
 "Major": 1,
- "Minor": 144,
- "Patch": 4
+ "Minor": 147,
+ "Patch": 0
 },
 "minimumAgentVersion": "2.0.0",
 "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
@@ -143,6 +144,8 @@
 "AzureSDKNotFound": "ms-resource:loc.messages.AzureSDKNotFound",
 "FailedToLogout": "ms-resource:loc.messages.FailedToLogout",
 "LoginFailed": "ms-resource:loc.messages.LoginFailed",
+ "MSILoginFailed": "ms-resource:loc.messages.MSILoginFailed",
+ "AuthSchemeNotSupported": "ms-resource:loc.messages.AuthSchemeNotSupported",
 "ErrorInSettingUpSubscription": "ms-resource:loc.messages.ErrorInSettingUpSubscription",
 "SettingAzureConfigDir": "ms-resource:loc.messages.SettingAzureConfigDir",
 "SettingAzureCloud": "ms-resource:loc.messages.SettingAzureCloud",