ServicePrincipalNotFound in Active Directory tenant *** - Passing secure variables in PowerShell from Azure DevOps

I am executing an ARM template that creates an Azure Kubernetes Service and other resources from an Azure resource group deployment task.

My ARM template has the parameters servicePrincipalClientId and servicePrincipalClientSecret as sensitive data, used to create the Azure Kubernetes cluster, right here. (This link is my complete ARM template.)

So, what I am doing is:

$env:secretServicePrincipalClientId = ConvertTo-SecureString '$($env:servicePrincipalClientId)' -AsPlainText -Force

$env:secretServicePrincipalClientSecret = ConvertTo-SecureString '$($env:servicePrincipalClientSecret)' -AsPlainText -Force

Here I reference the secretServicePrincipalClientId and secretServicePrincipalClientSecret variables; in my first Azure DevOps task I convert the values of the servicePrincipalClientId and servicePrincipalClientSecret variables into the secure strings shown above.

-servicePrincipalClientId $($secretServicePrincipalClientId) 
-servicePrincipalClientSecret $($secretServicePrincipalClientSecret) 
   .
   .
-serviceCidr "100.0.0.0/16" 
-dnsServiceIP "100.0.0.10" 
-dockerBridgeCidr "172.17.0.1/16" 
   .
   .

So, when I execute the release pipeline, I get this error in the Azure resource group deployment task:

2019-10-26T20:05:13.3246017Z The detected encoding for file 'd:\a\r1\a\Project\Deployments\ARMTemplates\Infrastructure\AzResourceGroupDeploymentApproach\testing.json' is 'utf-8'
2019-10-26T20:05:13.3410693Z Starting Deployment.
2019-10-26T20:05:13.3412081Z Deployment name is AzureDevOpsDeployment


2019-10-26T20:05:18.1729784Z There were errors in your deployment. Error code: InvalidTemplateDeployment.
2019-10-26T20:05:18.1730624Z ##[error]The template deployment 'AzureDevOpsDeployment' is not valid according to the validation procedure. The tracking id is 'xxxxxxx'. See inner errors for details.
2019-10-26T20:05:18.1731223Z ##[error]Details:


2019-10-26T20:05:18.1732062Z ##[error]ServicePrincipalNotFound: Provisioning of resource(s) for container service KubernetesCluster-aks in resource group testing failed. Message: {
  "code": "ServicePrincipalNotFound",
  "message": "Service principal clientID: $($secretServicePrincipalClientId) not found in Active Directory tenant ***, Please see https://aka.ms/aks-sp-help for more details."
 }. Details: 

2019-10-26T20:05:18.1733305Z ##[error]Task failed while creating or updating the template deployment.
2019-10-26T20:05:18.1765718Z ##[section]Finishing: Azure Deployment:Create Or Update Resource Group action on testing

It seems that the service principal I use to connect to the Azure cloud does not exist, but that is not the case. The service principal does exist.

If I include servicePrincipalClientId and servicePrincipalClientSecret directly as plain text in the task:

-servicePrincipalClientId <servicePrincipalClientId-value> 
-servicePrincipalClientSecret <servicePrincipalClientSecret-value> 

the Azure resource group task works, and the resources in the ARM template are deployed from Azure DevOps into the Azure cloud.

According to this link, AKS requires a service principal to be created.

So I am creating an Azure Kubernetes Service from Azure DevOps by executing the ARM template through the resource group deployment task, using the existing service principal credentials from the task and the service connection.

I tried this option to troubleshoot and solve the problem, but I am afraid the problem is not the service principal itself; rather, I think I need to reference -servicePrincipalClientId $($secretServicePrincipalClientId)
-servicePrincipalClientSecret $($secretServicePrincipalClientSecret) in some special way.

How can I do this?

I would appreciate it if someone could point me in the right direction.

I decided to simplify the execution of the ARM template by removing the secure task in which I converted the values to secure strings.

So, in the end, I defined the pipeline variables in the normal way, with administratorLogin as a non-encrypted variable:

And in the Azure resource group deployment task that I am executing:

  • Template: I select my ARM template

  • Deployment mode: Complete

    Complete mode deletes resources that are not in your template. [Warning] This action will delete all the existing resources in the resource group that are not specified in the template.

I chose this mode so that all resources created in the platform come from the ARM template, in order to obtain resource logs or changes made to the infrastructure from the ARM template, trying to apply an infrastructure-as-code approach.

  • Override template parameters: I decided to include all the parameter values I get from the ARM template, including the servicePrincipalClientId and servicePrincipalClientSecret variables, in this way:
-administratorLogin "my-username" 
-administratorLoginPassword $(administratorLoginPassword)  
-environmentName "dev" 
-location "West Europe" 
-servicePrincipalClientId $(servicePrincipalClientId) 
-servicePrincipalClientSecret $(servicePrincipalClientSecret) 
         .
         .    
-serviceCidr "100.0.0.0/16" 
-dnsServiceIP "100.0.0.10" 
-dockerBridgeCidr "172.17.0.1/16" 
         .
         .

The final execution result is:

2019-10-27T15:58:18.3523334Z ##[section]Starting: Azure Deployment:Create Or Update Resource Group action on sentia-assessment-testing
2019-10-27T15:58:18.3886841Z ==============================================================================
2019-10-27T15:58:18.3887055Z Task         : Azure resource group deployment
2019-10-27T15:58:18.3887210Z Description  : Deploy an Azure Resource Manager (ARM) template to a resource group and manage virtual machines
2019-10-27T15:58:18.3887334Z Version      : 2.157.4
2019-10-27T15:58:18.3887438Z Author       : Microsoft Corporation
2019-10-27T15:58:18.3887559Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment
2019-10-27T15:58:18.3887710Z ==============================================================================


### WE CAN SEE HERE THAT AZ RESOURCE GROUP TASK CREATE THE RESOURCE GROUP
### IF IT DOES NOT EXIST. 

2019-10-27T15:58:19.3677672Z Checking if the following resource group exists: resource-group.
2019-10-27T15:58:19.6898000Z Resource group exists: false.
2019-10-27T15:58:19.6900439Z Creating resource Group: resource-group
2019-10-27T15:58:20.1586233Z Resource Group created successfully.
2019-10-27T15:58:20.1589727Z Creating deployment parameters.

############### THIS IS THE ARM TEMPLATE EXECUTED ##################

2019-10-27T15:58:20.1681560Z The detected encoding for file 'd:\a\r1\a\Github\Deployments\ARMTemplates\Infrastructure\AzResourceGroupDeploymentApproach\testing.json' is 'utf-8'

############### THIS IS THE ARM TEMPLATE EXECUTED END ##################

2019-10-27T15:58:20.1864884Z Starting Deployment.
2019-10-27T15:58:20.1866605Z Deployment name is AzureDevOpsDeployment_91
2019-10-27T16:13:20.7707558Z Successfully deployed the template.
2019-10-27T16:13:20.7834983Z ##[section]Finishing: Azure Deployment:Create Or Update Resource Group action on resource-group

Is this a better and simpler approach? Perhaps the ideal scenario would be to handle the above variables as secure strings and share their values between the different tasks in the release pipeline.
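As an added example (not code from the question or the answer above), this script shows why the first attempt passed the literal text $($secretServicePrincipalClientId) to the template, and how a secret value can be handed from a PowerShell task to the later deployment task without storing it in plain text. It assumes the release pipeline defines servicePrincipalClientId and servicePrincipalClientSecret as pipeline variables (the secret one marked as secret) and that they are mapped into the PowerShell task's environment as SP_CLIENT_ID and SP_CLIENT_SECRET, because secret variables are not copied into the environment automatically.

```powershell
# Added example, not the question's or the answer's own code.
# Assumes the task's Environment Variables section maps:
#   SP_CLIENT_ID     = $(servicePrincipalClientId)
#   SP_CLIENT_SECRET = $(servicePrincipalClientSecret)

# Why the original attempt failed with the literal "$($secretServicePrincipalClientId)":
# 1. Single quotes do not expand variables in PowerShell, so
#    '$($env:servicePrincipalClientId)' is the text of the expression, not its value.
# 2. A SecureString exists only inside this process; assigning one to $env:
#    stores the string "System.Security.SecureString", not the secret.
# 3. The deployment task runs in its own process and only substitutes $(name)
#    macros for pipeline variables; a PowerShell $env: variable set here is unknown
#    to it, so the override parameter text was passed through unchanged.
$literal  = '$($env:SP_CLIENT_ID)'   # stays exactly this text
$expanded = "$($env:SP_CLIENT_ID)"   # expands to the client id value

function Publish-SecretPipelineVariable {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Value
    )
    if ([string]::IsNullOrWhiteSpace($Value)) {
        throw "Variable '$Name' is empty; check the task's environment mapping."
    }
    # task.setvariable with issecret=true hands the value to the agent, which
    # masks it in the log output and exposes it to later tasks as the $(Name) macro.
    Write-Host "##vso[task.setvariable variable=$Name;issecret=true]$Value"
}

Publish-SecretPipelineVariable -Name 'secretServicePrincipalClientId'     -Value $env:SP_CLIENT_ID
Publish-SecretPipelineVariable -Name 'secretServicePrincipalClientSecret' -Value $env:SP_CLIENT_SECRET

# In the deployment task's override parameters, reference the macros; the agent
# substitutes the secret before the task starts, so no literal reaches the template:
#   -servicePrincipalClientId $(secretServicePrincipalClientId)
#   -servicePrincipalClientSecret $(secretServicePrincipalClientSecret)
```

Keeping the ARM template parameters typed as securestring means the values are also not echoed in the deployment's parameter listing.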