Search code examples

How to securely login in Az CLI from a DevOps Pipeline

I want to execute AZ cli commands from my Azure DevOps Pipeline. In my YAML file I have this:

- master

  vmImage: 'ubuntu-latest'

  buildConfiguration: 'Release'

- task: UsePythonVersion@0
    versionSpec: '3.x'
    architecture: 'x64'

# Updating pip to latest
- script: python -m pip install --upgrade pip
  displayName: 'Upgrade pip'

# Updating to latest Azure CLI version.
- script: pip install --pre azure-cli --extra-index-url
  displayName: 'upgrade azure cli'

- script: az --version
  displayName: 'Show Azure CLI version'

- script: az extension add -n azure-devops
  displayName: 'Install Azure DevOps Extension'

- script: echo ${AZURE_DEVOPS_CLI_PAT} | az devops login
    AZURE_DEVOPS_CLI_PAT: $(System.AccessToken)
  displayName: 'Login Azure DevOps Extension'

- script: az aks show --name census-k8s  --resource-group Census
  displayName: 'Show AKS'

The echo ${AZURE_DEVOPS_CLI_PAT} | az devops login step is completed (with success apparently) with a warning message

Failed to store PAT using keyring; falling back to file storage.
You can clear the stored credential by running az devops logout.
Refer to know more on sign in with PAT.

The az aks show step fails:

Please run 'az login' to setup account.

I am a little bit lost. The az devops login command should enable me to use the az cli, right? If not, Am I supposed to use az login instead of az devops login? And if I am supposed to use az login, how can I pass my credentials in a secure way?


  • No, you don't need az devops login. What you need is Azure CLI Task:

    - task: AzureCLI@2
      displayName: Azure CLI
        azureSubscription: <Name of the Azure Resource Manager service connection>
        scriptType: ps
        scriptLocation: inlineScript
        inlineScript: |
          az --version
          az account show

    but then you don't have to do any login. Please call there your az aks show --name census-k8s --resource-group Census