How can I use azcopy CLI in Azure Devops Pipelines running on Linux using managed identity to authenticate to azure file share without a SAS token?
Right now we have this azure pipeline AzureCLI task where we use the preinstalled azcopy cli in to copy files from the pipeline workspace/git into our azure file share. We were previously using a SAS token in the URL, however, those tokens eventually expire and its another secret to manage. We know there is a way to upload files to azure file share without a SAS token, and the documentation says it should work with a simple cli task like this
- task: AzureCLI@2
inputs:
azureSubscription: your-azure-service-connection-name
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
export AZCOPY_AUTO_LOGIN_TYPE=AZCLI
azcopy sync directory/MyFilesToCopy https://mystorageaccount.file.core.windows.net --recursive --put-md5
addSpnToEnvironment: true
failOnStandardError: true
The error we got was:
Failed to perform Auto-login: AzureCLICredential: WARNING: Could not retrieve credential from local cache for service principal *** under tenant common. Trying credential under tenant xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, assuming that is an app credential.
ERROR: AADSTS700016: Application with identifier '***' was not found in the directory 'Microsoft'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: b0c23ef4-f557-4151-8a1a-375d236b4700 Correlation ID: 2066f167-dae6-4dd1-9031-7b0a1136ac4b Timestamp: 2024-04-08 14:34:32Z
Interactive authentication is needed. Please run:
az login
This one was telling because directly above this, i can see the successful azure cli login info
/usr/bin/az login --service-principal -u *** --tenant xxxxx-xxxx-xxxx-xxxx-xxxxxxxx --allow-no-subscriptions --federated-token ***
[
{
"cloudName": "AzureCloud",
.....
Our Solution: You need to add the azure tenantId as an environment variable that way azcopy autologin knows which tenant to use, despite our error message saying it was attempted to connect using our tenant, specifying it forced it to not use the Microsoft "common" tenant.
Additionally, you need to make sure that your service connection has Contributor rights over your resource group (figure 1) and that the Service Principal has Storage File Data Privileged Contributor rights over your storage account.
This is stated in the documentation here: https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-authorize-azure-active-directory. There was no mention of the tenantId needing to be included in the auto login section.
- task: AzureCLI@2
inputs:
azureSubscription: your-azure-service-connection-name
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
export AZCOPY_AUTO_LOGIN_TYPE=AZCLI
export AZCOPY_TENANT_ID=$tenantId
azcopy sync directory/MyFilesToCopy https://mystorageaccount.file.core.windows.net --recursive --put-md5
addSpnToEnvironment: true
failOnStandardError: true
- Azure pipeline doesn't wait for function app to complete
- How to set the registry URL in a project-level .npmrc file from an environment variable in an Azure Pipeline
- Release Pipeline throws the following error: Unable to apply transformation for the given package - Changes are already present in the package
- How to run trivy image scan inside Azure DevOps
- How to disable self-hosted agent in AzureDevOps pool via command-line
- How to create Azure function App in Python without using Visual Code Studio
- Splitt git push to Azure DevOps
- Azure pipeline - Failed on Error NU1301 after upgrade Azure Function
- Passing Variable Between Stages in Azure DevOps Pipeline
- How to I checkout with recursive submodules in Azure DevOps in the same project but different repo
- Azure Self Hosted pipeline agent no longer starts when I boot my PC
- ARM deployment job in YAML
- How do I inject variables into a SQL script, in the Azure DevOps pipeline?
- Trigger on pipeline and with path filter
- How to install yarn@2 in azure devops pipeline agent
- Where to install software on azure pipeline agent?
- How do you properly deploy from Azure Artifact Feed
- In Azure Devops Yaml pipeline, how to programatically add a step to a deployment
- Azure Artifacts gives 401 error on publishing a nuget package
- Azure Function app down due to wrong routing template in http trigger binding of a functions
- Use multiple tags when creating Docker image using Spring Boot Maven Plugin
- dynamically using a Service Connection in an Azure DevOps pipeline based on the calling repository
- Creating Team Data Science Process in ADO
- Azure Devops pipeline schedule releases old releases
- Receiving the WhiteSource Task warning in the azure devops build pipeline
- Require explicit resource input in Azure pipeline
- Change Azure DevOps Parent Work Item status when all linked children work items meet certain condition?
- Moving npm packages from Azure Devops to Github
- Pull requests using the Azure DevOps plugin in JetBrains Rider
- Trouble Deploying FastAPI Project on Azure Functions or testing locally