How can I run a Python script in Azure DevOps with Azure Resource Manager credentials?











I have a Python script I want to run in Azure Resource Manager context within an Azure DevOps pipeline task to be able to access Azure resources (like the Azure CLI or Azure PowerShell tasks).



How can I get Azure RM Service Endpoint credentials stored in Azure DevOps passed - as ServicePrincipal/Secret or OAuth Token - into the script?










      python azure-devops azure-resource-manager
















      asked Nov 11 at 18:06









      Kai Walter

























          2 Answers



            accepted


















            Depends on what you call a Python script, but either way Azure DevOps hasn't got native support to authenticate Python SDK (or your custom Python script), but you can pass in credentials from build\release variables to your script, or try and pull that from the Azure CLI (I think it stores data somewhere under /home/.azure/).

















            answered Nov 11 at 18:20









            4c74356b41













            • A good hint. Thanks. I'm trying with an Azure CLI task, a Windows batch inline script python "$(Build.SourcesDirectory)\anyscript.py" "%USERPROFILE%\.azure\accessTokens.json" and parse the file in the PY script. Still struggling because the authorization for the management endpoint does not work - but that could be an unrelated problem.
              – Kai Walter
              Nov 11 at 19:14












            • that is an unrelated problem :)
              – 4c74356b41
              Nov 11 at 19:25










            • Strange - I get a requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://management.azure.com/subscriptions/... with the token stored by CLI. Have to check the scope.
              – Kai Walter
              Nov 11 at 19:39










            • you should raise a new question for that and consider accepting this one as an answer ;)
              – 4c74356b41
              Nov 11 at 19:43










            • not yet ;-) accessTokens.json contains a 56 digit accessToken and not an OAuth / Bearer token I need
              – Kai Walter
              Nov 11 at 19:59










































                Based on the hint given by 4c74356b41 above and with some dissecting of Azure CLI, I created this function that allows pulling an OAuth token over ADAL from the Service Principal logged in inside an Azure DevOps - Azure CLI task:

                    import os
                    import json
                    import adal

                    # Field names used in the Azure CLI token cache (accessTokens.json)
                    _SERVICE_PRINCIPAL_ID = 'servicePrincipalId'
                    _SERVICE_PRINCIPAL_TENANT = 'servicePrincipalTenant'
                    _TOKEN_ENTRY_TOKEN_TYPE = 'tokenType'
                    _ACCESS_TOKEN = 'accessToken'

                    def get_config_dir():
                        # AZURE_CONFIG_DIR overrides the default ~/.azure location
                        return os.getenv('AZURE_CONFIG_DIR', None) or os.path.expanduser(os.path.join('~', '.azure'))

                    def getOAuthTokenFromCLI():
                        token_file = (os.environ.get('AZURE_ACCESS_TOKEN_FILE', None)
                                      or os.path.join(get_config_dir(), 'accessTokens.json'))

                        with open(token_file) as f:
                            tokenEntry = json.load(f)[0]  # just assume first entry

                        tenantID = tokenEntry[_SERVICE_PRINCIPAL_TENANT]
                        appId = tokenEntry[_SERVICE_PRINCIPAL_ID]
                        # For the service principal entry this field is used as the client secret
                        appPassword = tokenEntry[_ACCESS_TOKEN]
                        authURL = "https://login.windows.net/" + tenantID
                        resource = "https://management.azure.com/"
                        context = adal.AuthenticationContext(authURL, validate_authority=tenantID, api_version=None)
                        # Exchange the client credentials for an OAuth token for the management endpoint
                        token = context.acquire_token_with_client_credentials(resource, appId, appPassword)
                        # Value for the HTTP Authorization header, e.g. "Bearer <token>"
                        return token[_TOKEN_ENTRY_TOKEN_TYPE] + " " + token[_ACCESS_TOKEN]
















                answered Nov 13 at 19:48









                Kai Walter
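
As an added example (not part of either answer): the function above reads `json.load(f)[0]` and uses that entry's `accessToken` as the service principal secret. The sketch below selects the service principal entry explicitly and masks secrets before anything is logged; the cache contents are constructed, and the layout of the user-login entry and the `refreshToken` field name are assumptions.

```python
import json

# Field names taken from the answer's code above.
SP_ID = "servicePrincipalId"
SP_TENANT = "servicePrincipalTenant"
ACCESS_TOKEN = "accessToken"
# Assumption: fields whose values must never reach a build log.
SENSITIVE_FIELDS = (ACCESS_TOKEN, "refreshToken")

# Constructed sample cache: one user login followed by two service principals.
SAMPLE_CACHE = json.loads("""
[
  {"tokenType": "Bearer", "userId": "user@example.invalid",
   "resource": "https://management.azure.com/",
   "accessToken": "constructed-user-token",
   "refreshToken": "constructed-refresh-token"},
  {"servicePrincipalId": "00000000-0000-0000-0000-00000000000a",
   "servicePrincipalTenant": "00000000-0000-0000-0000-0000000000f1",
   "accessToken": "constructed-secret-A"},
  {"servicePrincipalId": "00000000-0000-0000-0000-00000000000b",
   "servicePrincipalTenant": "00000000-0000-0000-0000-0000000000f1",
   "accessToken": "constructed-secret-B"}
]
""")


def is_service_principal_entry(entry):
    """True when the entry carries the fields the answer's function reads."""
    return all(isinstance(entry.get(k), str) and entry[k]
               for k in (SP_ID, SP_TENANT, ACCESS_TOKEN))


def select_service_principal(entries, tenant=None, app_id=None):
    """Pick exactly one service principal entry instead of entries[0].

    tenant / app_id narrow the choice when the cache holds several logins.
    Raises LookupError when nothing matches or the choice is ambiguous.
    """
    if not isinstance(entries, list):
        raise ValueError("token cache must be a JSON list of entries")
    matches = [
        e for e in entries
        if isinstance(e, dict) and is_service_principal_entry(e)
        and (tenant is None or e[SP_TENANT] == tenant)
        and (app_id is None or e[SP_ID] == app_id)
    ]
    if not matches:
        raise LookupError("no service principal entry in token cache")
    if len(matches) > 1:
        raise LookupError("several service principal entries match; "
                          "pass tenant and app_id to disambiguate")
    return matches[0]


def redact(entry):
    """Copy of an entry that is safe to print: secret values are masked."""
    return {k: ("***" if k in SENSITIVE_FIELDS else v)
            for k, v in entry.items()}


if __name__ == "__main__":
    # entries[0] here is a user login, so indexing [0] would hit a KeyError.
    chosen = select_service_principal(
        SAMPLE_CACHE, app_id="00000000-0000-0000-0000-00000000000a")
    print(json.dumps(redact(chosen), indent=2))
```
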
