0

I have created an Azure AD security principle. And I've gone ahead and created a secure string out of the secret, so I don't have to save that in plain text somewhere.

Now in my deployment script that uses az cli, I want to log in to Azure using these credentials, but I keep getting prompted for a password. I'd like to avoid the prompt and just supply either the client secret or the encrypted secret as a parm.

Here's the code:

#Load Environment variables
$localenv = (Get-Content './environmentVars.json' | Out-String | ConvertFrom-Json)
$AzCred = Get-Credential -UserName $localenv .APP_ID
az login --service-principal -u $AzCred.UserName -p $localenv.APP_ID_CLIENT_SECRET --tenant $localenv.AZ_TENANT_ID

When I run the script, it does this:

PS C:\Users\me> .\deploy-resources.ps1

PowerShell credential request
Enter your credentials.
Password for user [GUID for Security Principle]:

Is there a way I can just pass this to the powershell script ?

As far as the encrypted version of the secret, this is how I created it:

$Secure = Read-Host -AsSecureString (supply the secret)
$Encrypted = ConvertFrom-SecureString -SecureString $Secure

And then I create a secure string out of the client secret:

 $Secure2 = ConvertTo-SecureString -String $Encrypted

If there's a way to do so, I'd like to save the contents of $Secure2 in my json file and use that instead of the actual secret value.

Any tips would be appreciated.

dot
  • 14,928
  • 41
  • 110
  • 218

1 Answers1

0

We have tried with same PowerShell script that you are using and faced the same issue as password prompted.

enter image description here

we did changes in your script as below and can able to login without prompted to password.

$localenv = (Get-Content -Path "C:\Users\v-aghose\Desktop\environmentVars.json.txt" | Out-String | ConvertFrom-Json)
#$AzCred = Get-Credential -UserName $localenv.APP_ID

az login --service-principal -u $localenv.APP_ID -p $localenv.APP_ID_CLIENT_SECRET --tenant $localenv.AZ_TENANT_ID --allow-no-subscriptions

OUTPUT:-

enter image description here

If we are passing client secret as encrypted secure string that won't work for login . To make it login we have to decode the encrypted string. So there will be waste of encrypting the client secret.

For more information about decrypted the encrypted secure strings please refer this SO THREAD .

AjayKumarGhose
  • 4,257
  • 2
  • 4
  • 15
  • 1
    yes i was able to get it working the same way as you decribe but forgot to post back. Thanks for the post and for the nice screenshots – dot Mar 15 '22 at 13:41