How can I run a Python script in Azure DevOps with Azure Resource Manager credentials?
I have a Python script I want to run in Azure Resource Manager context within an Azure DevOps pipeline task to be able to access Azure resources (like the Azure CLI or Azure PowerShell tasks).
How can I get Azure RM Service Endpoint credentials stored in Azure DevOps passed - as ServicePrincipal/Secret or OAuth Token - into the script?
python azure-devops azure-resource-manager
asked Nov 11 at 18:06
Kai Walter
2 Answers
accepted
Depends on what you call a Python script, but either way Azure DevOps hasn't got native support to authenticate the Python SDK (or your custom Python script), but you can pass in credentials from build\release variables to your script, or try and pull that from the Azure CLI (I think it stores data somewhere under /home/.azure/).
answered Nov 11 at 18:20
4c74356b41
A good hint. Thanks. I'm trying with an Azure CLI task, a Windows batch inline script python "$(Build.SourcesDirectory)\anyscript.py" "%USERPROFILE%\.azure\accessTokens.json" and parse the file in the PY script. Still struggling because the authorization for the management endpoint does not work - but that could be an unrelated problem.
– Kai Walter
Nov 11 at 19:14
that is an unrelated problem :)
– 4c74356b41
Nov 11 at 19:25
Strange - I get a requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://management.azure.com/subscriptions/... with the token stored by CLI. Have to check the scope.
– Kai Walter
Nov 11 at 19:39
you should raise a new question for that and consider accepting this one as an answer ;)
– 4c74356b41
Nov 11 at 19:43
not yet ;-) accessTokens.json contains a 56 digit accessToken and not an OAuth / Bearer token I need
– Kai Walter
Nov 11 at 19:59
Based on the hint given by 4c74356b41 above and with some dissecting of Azure CLI I created this function that allows pulling an OAuth token over ADAL from the Service Principal logged in inside an Azure DevOps - Azure CLI task:

```python
import json
import os

import adal

# Keys used in the Azure CLI token cache (accessTokens.json)
_SERVICE_PRINCIPAL_ID = 'servicePrincipalId'
_SERVICE_PRINCIPAL_TENANT = 'servicePrincipalTenant'
_TOKEN_ENTRY_TOKEN_TYPE = 'tokenType'
_ACCESS_TOKEN = 'accessToken'


def get_config_dir():
    return os.getenv('AZURE_CONFIG_DIR', None) or os.path.expanduser(os.path.join('~', '.azure'))


def getOAuthTokenFromCLI():
    token_file = (os.environ.get('AZURE_ACCESS_TOKEN_FILE', None)
                  or os.path.join(get_config_dir(), 'accessTokens.json'))

    with open(token_file) as f:
        tokenEntry = json.load(f)[0]  # just assume first entry

    # The cached 'accessToken' field is used here as the service principal's client secret
    tenantID = tokenEntry[_SERVICE_PRINCIPAL_TENANT]
    appId = tokenEntry[_SERVICE_PRINCIPAL_ID]
    appPassword = tokenEntry[_ACCESS_TOKEN]

    authURL = "https://login.windows.net/" + tenantID
    resource = "https://management.azure.com/"

    # validate_authority takes a bool; the original passed the non-empty tenant ID (truthy)
    context = adal.AuthenticationContext(authURL, validate_authority=True, api_version=None)
    token = context.acquire_token_with_client_credentials(resource, appId, appPassword)

    # Value for the HTTP Authorization header, e.g. "Bearer <token>"
    return token[_TOKEN_ENTRY_TOKEN_TYPE] + " " + token[_ACCESS_TOKEN]
```
answered Nov 13 at 19:48
Kai Walter
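An added example, not part of either answer: the function above takes the first entry of accessTokens.json and treats its accessToken as a client secret, which only holds when that entry is the service principal login. The sketch below selects the service principal entry explicitly and redacts secret fields before anything reaches the build log. The sample cache is constructed, and the field names of the user-login entry are an assumption.

```python
import json

# Constructed sample of an Azure CLI accessTokens.json; every value is a placeholder.
SAMPLE_CACHE = json.dumps([
    {"tokenType": "Bearer", "userId": "user@example.com",
     "resource": "https://management.azure.com/",
     "accessToken": "constructed.user.bearer-token"},
    {"servicePrincipalId": "00000000-0000-0000-0000-000000000001",
     "servicePrincipalTenant": "00000000-0000-0000-0000-0000000000aa",
     "accessToken": "constructed-client-secret"},
])

SECRET_KEYS = {"accessToken", "refreshToken"}


def find_service_principal(entries, app_id=None):
    """Return the single service principal entry, optionally matched by app ID."""
    sps = [e for e in entries
           if "servicePrincipalId" in e and "servicePrincipalTenant" in e]
    if app_id is not None:
        sps = [e for e in sps if e["servicePrincipalId"] == app_id]
    if len(sps) != 1:
        raise LookupError("expected exactly one service principal entry, found %d" % len(sps))
    entry = sps[0]
    if not entry.get("accessToken"):
        # Without a secret the client-credentials flow cannot be used
        raise LookupError("service principal entry carries no client secret")
    return entry


def redacted(entry):
    """Copy of a cache entry that is safe to print in a build log."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in entry.items()}


def load_service_principal(cache_text, app_id=None):
    """Parse the cache text and return its service principal entry."""
    entries = json.loads(cache_text)
    if not isinstance(entries, list):
        raise ValueError("token cache is not a JSON list")
    return find_service_principal(entries, app_id)


if __name__ == "__main__":
    sp = load_service_principal(SAMPLE_CACHE)
    print(redacted(sp))  # secret fields are masked
```
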