在Azure DevOps Powershell管道任务中获取自己的服务主体名称

Question

在具有system.debug = true的Azure DevOps版本管道中运行Azure Powershell任务时，您将获得类似于以下的输出：

# anonymized
...
2019-09-05T12:19:41.8983585Z ##[debug]INPUT_CONNECTEDSERVICENAMEARM: '7dd40b2a-1c37-4c0a-803e-9b0044a8b54e'
2019-09-05T12:19:41.9156487Z ##[debug]ENDPOINT_URL_7dd40b2a-1c37-4c0a-803e-9b0044a8b54e: 'https://management.azure.com/'
2019-09-05T12:19:41.9188051Z ##[debug]ENDPOINT_AUTH_7dd40b2a-1c37-4c0a-803e-9b0044a8b54e: '********'
2019-09-05T12:19:41.9221892Z ##[debug]ENDPOINT_DATA_7dd40b2a-1c37-4c0a-803e-9b0044a8b54e: '{"subscriptionId":"b855f753-d5b3-48f4-b7cd-5beb58fb5508","subscriptionName":"Entenhausen","environment":"AzureCloud","creationMode":"Automatic","azureSpnRoleAssignmentId":"5ddcc3fe-f93c-4771-8041-50b49f76b828","azureSpnPermissions":"[{\"roleAssignmentId\":\"5ddcc3fe-f93c-4771-8041-50b49f76b828\",\"resourceProvider\":\"Microsoft.RoleAssignment\",\"provisioned\":true}]","spnObjectId":"76055cb6-3b75-4191-9309-306b32dad443","appObjectId":"e4b90b9d-7a73-42a3-ae6e-4daec910def4","environmentUrl":"https://management.azure.com/","galleryUrl":"https://gallery.azure.com/","serviceManagementUrl":"https://management.core.windows.net/","resourceManagerUrl":"https://management.azure.com/","activeDirectoryAuthority":"https://login.microsoftonline.com/","environmentAuthorityUrl":"https://login.windows.net/","graphUrl":"https://graph.windows.net/","managementPortalUrl":"https://manage.windowsazure.com/","armManagementPortalUrl":"https://portal.azure.com/","activeDirectoryServiceEndpointResourceId":"https://management.core.windows.net/","sqlDatabaseDnsSuffix":".database.windows.net","AzureKeyVaultDnsSuffix":"vault.azure.net","AzureKeyVaultServiceEndpointResourceId":"https://vault.azure.net","StorageEndpointSuffix":"core.windows.net","EnableAdfsAuthentication":"false"}'
2019-09-05T12:19:41.9284444Z ##[debug]AuthScheme ServicePrincipal
...

我需要将Azure DevOps连接的SPN添加到资源中。更改订阅或管道时，SPN也会更改，我不想对值进行硬编码。 当值打印在system.debug = true输出中时，我想知道如何在管道任务中访问自己的SPN。是否可以使用Powershell以某种方式读出spnObjectId":"76055cb6-3b75-4191-9309-306b32dad443"？

Answer 1

可以使用Get-AzureRmContext访问有关服务主体的信息，但是该信息是有限的，并且某些信息在日志中被混淆，因此您需要再次调用Get-AzureRmServicePrincipal来访问ObjectId

$Context = Get-AzureRmContext
$AzureDevOpsServicePrincipal = Get-AzureRmADServicePrincipal -ApplicationId $Context.Account.Id
$ObjectId = $AzureDevOpsServicePrincipal.Id

$ Context.Account.Id中公开的ID是服务主体ApplicationId

Answer 2

管道任务中的

SPN只是传递给该任务的Azure订阅。您可以单击“管理连接”，然后在连接下复制SPN的详细信息，并根据需要使用它们。但是，我不确定为什么要直接使用SPN，因为您始终可以使用Azure Powershell任务并仅选择订阅。一旦存储了Connection，就可以随时在不同的管道中重用它。