我有一个 Azure Pipeline,需要调用一个控制台应用程序 (.exe),该应用程序连接到多个数据库以执行 EF 核心迁移。数据库只能通过 Azure AD/Entra 访问(即连接字符串中包含
Authentication=Active Directory Default;Azure AD 中存在 DevOps 项目的服务主体,并针对订阅配置了“贡献者”角色。我确信权限是正确的,因为我之前已经对数据库使用过
SqlAzureDacpacDeployment@1任务看起来像:
- script: |
cd $(Pipeline.Workspace)/ef-migrator-exe
echo "Connection string: ${{ parameters.masterConnectionString }}"
EfMigrator.exe -c "${{ parameters.masterConnectionString }}"
displayName: 'Execute EF Migrations'
但是,当从管道运行 .exe 时,我得到:
Microsoft.Data.SqlClient.SqlException (0x80131904): DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
- EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
- WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
- ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)
根据我的阅读,.exe 应该继承与管道本身相同的权限,但似乎没有发生这种情况?
我只需要使用 AzureCLI@2 任务运行脚本,指定服务连接:
- task: AzureCLI@2
inputs:
azureSubscription: '${{ parameters.serviceConnection }}'
scriptType: 'batch'
useGlobalConfig: true
scriptLocation: 'inlineScript'
inlineScript: |
cd $(Pipeline.Workspace)/ef-migrator-exe
EfMigrator.exe -c "${{ parameters.masterConnectionString }}"
我假设这为服务连接创建了一个令牌,然后在连接到数据库时拾取该令牌。