Al_
Enthusiast

Simple .ps1 script runs successfully within powershell, fails when called from AzureDevOps Pipeline.

#vcconnect.ps1

Get-VICredentialStoreItem -File C:\Users\*******\AppData\Roaming\VMware\credstore\vicredentials.xml | %{
Connect-VIServer -Server $_.host -User $_.User -Password $_.Password
}

#Successful run within PS...
PS D:\ECE\vCenter\tested> .\vcconnect.ps1
Name                           Port  User
----                           ----  ----
xxx.xxx.xxx.xxx                443   *****\******
xxx.xxx.xxx.xxx                443   *****\******

#Fail from AzureDevOps...
2020-08-13T02:39:37.2754305Z     + CategoryInfo          : WriteError: (:) [Get-VICredentialStoreItem], ParentContainsErrorRecordException
2020-08-13T02:39:37.2754933Z     + FullyQualifiedErrorId : ParameterBindingFailed,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetVICredentialStore 
2020-08-13T02:39:37.2755213Z    Item
2020-08-13T02:39:37.2755320Z  
2020-08-13T02:39:37.3521447Z ##[error]PowerShell exited with code '1'.

0 Kudos
10 Replies
LucD
Leadership

Is that in PSv6 or higher?
The Get-VICredentialStoreItem cmdlet does not work with PSv6 or PSv7.

The PS Core environment doesn't have DPAPI.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Al_
Enthusiast

It's 5.1, should I upgrade to 6 or higher?

PS D:\ECE\vCenter\tested> Get-Host | Select-Object Version

Version
-------
5.1.14393.2879

0 Kudos
Al_
Enthusiast

Ohh, I see what you are saying; yes, running 5.1. The Get-VICredentialStoreItem cmdlet runs fine within PS.
0 Kudos
LucD
Leadership

Could it be that DPAPI, which is the security API the CredentialStoreItem cmdlets use, is not available in Azure?
Or perhaps the Azure DPAPI is not compatible?



0 Kudos
Al_
Enthusiast

I'll attempt to confirm/troubleshoot with our DevOps team. If I understand correctly, the AZD release pipeline task should be calling the .PS1 script to run on the same VM that we can successfully run from within a PS session. Here are shots of the AZD config where we call the .PS1 on the VM via an installed AZD agent using a fully qualified file path to the .PS1 script in the local repo on the VM:

 

Is it possible that the AZD pipeline is not executing the task as a user with AuthZ to the VICredentialStore which is configured using my creds?

0 Kudos
Al_
Enthusiast

Looks like the screenshots didn't make it. I'll upload them...
0 Kudos
Al_
Enthusiast

second screenshot
0 Kudos
LucD
Leadership

I don't have an Azure environment, so I'm afraid I can't really test.

Are you running the script with the same account as the one used to create the VICredentialItem?



0 Kudos
LucD
Leadership

Also, since it seems to be a terminating exception, you could run that line in a try-catch construct.

And then in the catch code block run

$error[0]

$error[0].Exception

$error[0].exception.innerexception

That might give some more clues about what is happening.



0 Kudos
Al_
Enthusiast

You nailed it as usual (we discovered it at the same time). The AzureDevOps agent needed to AuthN as the same user that created the VICredentialStore entries. The vCenter Connect/VICredentialStore.PS1 now runs as expected when called from AZD. Thanks!
0 Kudos
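
The troubleshooting steps from this thread, combined into one pre-flight script, as an added example that is not code from any poster: it logs the account the pipeline task really runs as, checks that account's own credential store, and prints the full exception chain if Get-VICredentialStoreItem fails. It assumes PowerCLI is installed and that the store sits at the per-user default location shown in the first post; the variable names are illustrative.

```powershell
# Added diagnostic sketch, not from the thread. Assumes VMware PowerCLI is installed.
$ErrorActionPreference = 'Stop'

# Identity the process is running as (in a pipeline, the agent's service account).
$runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as: $runAs"

# %APPDATA% can be empty when the account's profile is not loaded.
if (-not $env:APPDATA) {
    throw "APPDATA is not set for $runAs; no per-user credential store can be located."
}

# Assumption: the store is at the per-user default path. Under a different
# account this resolves to a different (possibly missing) file.
$storePath = Join-Path $env:APPDATA 'VMware\credstore\vicredentials.xml'
Write-Host "Credential store path: $storePath"

if (-not (Test-Path -LiteralPath $storePath)) {
    throw "No credential store for $runAs. Create the entries while logged on as this account."
}

# The owner is only a hint: it can be a group such as BUILTIN\Administrators.
$owner = (Get-Acl -LiteralPath $storePath).Owner
Write-Host "Store file owner: $owner"
if ($owner -ne $runAs) {
    Write-Warning "Store owner differs from the running account; compare with the account that created the entries."
}

try {
    $items = Get-VICredentialStoreItem -File $storePath
}
catch {
    # Walk the exception chain so the pipeline log shows the root cause,
    # not only the outer ParameterBindingFailed record.
    $ex = $_.Exception
    while ($ex) {
        Write-Host ("{0}: {1}" -f $ex.GetType().FullName, $ex.Message)
        $ex = $ex.InnerException
    }
    exit 1
}

foreach ($item in $items) {
    Connect-VIServer -Server $item.Host -User $item.User -Password $item.Password
}
```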