
az cli - how to login using credentials and suppress prompt for password?


I have created an Azure AD security principal. And I've gone ahead and created a secure string out of the secret, so I don't have to save that in plain text somewhere.

Now in my deployment script that uses az cli, I want to log in to Azure using these credentials, but I keep getting prompted for a password. I'd like to avoid the prompt and just supply either the client secret or the encrypted secret as a parm.

Here's the code:

# Load environment variables from the JSON file
$localenv = (Get-Content './environmentVars.json' | Out-String | ConvertFrom-Json)
# Get-Credential builds a PSCredential for the app ID; with only -UserName given it always prompts for the password
$AzCred = Get-Credential -UserName $localenv.APP_ID
az login --service-principal -u $AzCred.UserName -p $localenv.APP_ID_CLIENT_SECRET --tenant $localenv.AZ_TENANT_ID

When I run the script, it does this:

PS C:\Users\me> .\deploy-resources.ps1

PowerShell credential request
Enter your credentials.
Password for user [GUID for Security Principal]: 

Is there a way I can just pass this to the PowerShell script?

As far as the encrypted version of the secret, this is how I created it:

# Prompt for the secret without echoing it, then encrypt it with DPAPI (no -Key, so bound to this user and machine)
$Secure = Read-Host -Prompt 'Supply the secret' -AsSecureString
$Encrypted = ConvertFrom-SecureString -SecureString $Secure

And then I create a secure string out of the client secret:

$Secure2 = ConvertTo-SecureString -String $Encrypted

If there's a way to do so, I'd like to save the contents of $Secure2 in my json file and use that instead of the actual secret value.

Any tips would be appreciated.


Solution

  • We tried the same PowerShell script that you are using and faced the same issue: it prompted for a password.

    [screenshot of the password prompt not included]

    We made the changes to your script shown below and were able to log in without being prompted for a password.

    $localenv = (Get-Content -Path "C:\Users\v-aghose\Desktop\environmentVars.json.txt" | Out-String | ConvertFrom-Json)
    #$AzCred = Get-Credential -UserName $localenv.APP_ID
    
    az login --service-principal -u $localenv.APP_ID -p $localenv.APP_ID_CLIENT_SECRET --tenant $localenv.AZ_TENANT_ID --allow-no-subscriptions
    

    Output:

    [screenshot of the successful login not included]

    If we pass the client secret as an encrypted secure string, that won't work for login. To make the login work we have to decode the encrypted string, so encrypting the client secret would be a waste.

    For more information about decrypting encrypted secure strings, please refer to this SO THREAD.
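The answer above is right that `az login` needs the plaintext secret, but that does not make the DPAPI-protected string useless: the secret can stay encrypted in the JSON file and be unwrapped in-process only for the duration of the `az login` call. The script below is an added example, not code from the question or the answer. It assumes the same `environmentVars.json` keys the question uses (`APP_ID`, `AZ_TENANT_ID`) plus a new key, `APP_ID_CLIENT_SECRET_ENC` (an assumed name), that holds the output of `ConvertFrom-SecureString`; the function names are hypothetical.

```powershell
# Added example (not from the question or the answer): keep the service principal
# secret DPAPI-encrypted at rest and decrypt it only when az login needs it.
# Assumes environmentVars.json has APP_ID and AZ_TENANT_ID (from the question) and
# APP_ID_CLIENT_SECRET_ENC (assumed key name) produced by Protect-ClientSecret.

param(
    [string]$EnvFile = './environmentVars.json'
)

function Protect-ClientSecret {
    # One-time setup: prompt for the secret and store its encrypted form in the JSON file.
    # ConvertFrom-SecureString without -Key uses Windows DPAPI, so the ciphertext can only
    # be decrypted by the same Windows user on the same machine; the file is not portable.
    param([string]$EnvFile)

    $secure = Read-Host -Prompt 'Client secret' -AsSecureString
    $cfg = Get-Content -Path $EnvFile -Raw | ConvertFrom-Json
    $cfg | Add-Member -NotePropertyName 'APP_ID_CLIENT_SECRET_ENC' `
                      -NotePropertyValue (ConvertFrom-SecureString -SecureString $secure) -Force
    $cfg | ConvertTo-Json | Set-Content -Path $EnvFile
}

function Connect-AzCliWithStoredSecret {
    # Runtime step: rebuild the SecureString from the file and log in non-interactively.
    param([string]$EnvFile)

    $cfg = Get-Content -Path $EnvFile -Raw | ConvertFrom-Json
    if (-not $cfg.APP_ID_CLIENT_SECRET_ENC) {
        throw "APP_ID_CLIENT_SECRET_ENC is missing from $EnvFile; run Protect-ClientSecret first"
    }

    # Same call the question used for $Secure2: decrypts the DPAPI blob back into a SecureString.
    $secure = ConvertTo-SecureString -String $cfg.APP_ID_CLIENT_SECRET_ENC

    # az is a separate process, so the secret must exist as plaintext for the length of the
    # call. NetworkCredential is the simplest supported way to unwrap a SecureString.
    $plain = [System.Net.NetworkCredential]::new('', $secure).Password
    try {
        az login --service-principal -u $cfg.APP_ID -p $plain --tenant $cfg.AZ_TENANT_ID `
                 --allow-no-subscriptions --output none
        if ($LASTEXITCODE -ne 0) {
            throw "az login failed with exit code $LASTEXITCODE"
        }
    }
    finally {
        # Drop our reference as soon as the call returns; nothing is written to disk.
        $plain = $null
    }
}

# Usage (the setup function is run once, interactively, on the machine that will deploy):
#   Protect-ClientSecret -EnvFile $EnvFile
#   Connect-AzCliWithStoredSecret -EnvFile $EnvFile
```

Two caveats on this design. First, because the secret is passed as a command-line argument, it is visible in the process list for as long as the `az` process runs, which is the same exposure the answer's plaintext `-p $localenv.APP_ID_CLIENT_SECRET` has; what the encrypted file buys you is protection of the secret at rest, not during the call. Second, the DPAPI binding means a copy of the JSON file taken to another machine or user account will fail at `ConvertTo-SecureString`, which is usually the desired property for a deployment workstation but rules out sharing the file between build agents.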