A memo on extracting service connection credentials from the AzureCLI task in Azure DevOps Pipelines and reusing them

Posted at 2026-05-19

This may be useful for things like DotNetCoreCLI@2, Terraform, and Ansible.
parameters.os is a placeholder variable, so adjust it to match your actual environment.

For a Service Principal:

- ${{ if eq(parameters.os, 'linux') }}:
  - task: AzureCLI@2
    displayName: 'Azure CLI クレデンシャルを抽出'
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      scriptLocation: inlineScript
      addSpnToEnvironment: true
      scriptType: bash
      inlineScript: |
        echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
        echo "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$servicePrincipalKey"
        echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"

- ${{ elseif eq(parameters.os, 'win') }}:
  - task: AzureCLI@2
    displayName: 'Azure CLI クレデンシャルを抽出'
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      scriptLocation: inlineScript
      addSpnToEnvironment: true
      scriptType: ps
      inlineScript: |
        Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId"
        Write-Host "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$env:servicePrincipalKey"
        Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId"

- script: |
    az login --service-principal -u $(ARM_CLIENT_ID) -p $(ARM_CLIENT_SECRET) --tenant $(ARM_TENANT_ID)
    az account show
  displayName: 'Azure CLI でログイン'
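
A hardened Linux variant of the Service Principal steps above, as an added example that is not part of the original article: the client secret is set with `issecret=true` so it is masked in logs and not auto-exported to later steps, then mapped explicitly through `env:` into the login step. The English display names are this example's own, and `parameters.azureSubscription` is the same placeholder the article uses; the same `issecret=true` handling applies to `ARM_CLIENT_FEDERATED_TOKEN` in the Workload Identity Federation variant.

```yaml
# Added example (not from the original article): Service Principal flow on a
# Linux agent with the client secret stored as a secret pipeline variable.
steps:
  - task: AzureCLI@2
    displayName: 'Extract Azure CLI credentials (secret-marked)'
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      scriptLocation: inlineScript
      addSpnToEnvironment: true
      scriptType: bash
      inlineScript: |
        # Client ID and tenant ID are identifiers, not secrets; plain variables are fine.
        echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
        echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
        # issecret=true registers the value for log masking and keeps it from
        # being automatically mapped into the environment of later steps.
        echo "##vso[task.setvariable variable=ARM_CLIENT_SECRET;issecret=true]$servicePrincipalKey"

  - bash: |
      # Non-secret variables arrive as environment variables automatically;
      # the secret arrives only through the explicit env: mapping below.
      az login --service-principal -u "$ARM_CLIENT_ID" -p "$ARM_CLIENT_SECRET" --tenant "$ARM_TENANT_ID"
      az account show
    displayName: 'Log in with Azure CLI'
    env:
      # Secret variables must be mapped into each step that needs them.
      ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
```

Any later step that needs the secret, such as a Terraform step reading `ARM_CLIENT_SECRET`, needs the same `env:` mapping.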

For Workload Identity Federation:

steps:
  - ${{ if eq(parameters.os, 'linux') }}:
    - task: AzureCLI@2
      displayName: 'Azure CLI クレデンシャルを抽出'
      inputs:
        azureSubscription: ${{ parameters.azureSubscription }}
        scriptLocation: inlineScript
        addSpnToEnvironment: true
        scriptType: bash
        inlineScript: |
          echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
          echo "##vso[task.setvariable variable=ARM_CLIENT_FEDERATED_TOKEN]$idToken"
          echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
  
  - ${{ elseif eq(parameters.os, 'win') }}:
    - task: AzureCLI@2
      displayName: 'Azure CLI クレデンシャルを抽出'
      inputs:
        azureSubscription: ${{ parameters.azureSubscription }}
        scriptLocation: inlineScript
        addSpnToEnvironment: true
        scriptType: ps
        inlineScript: |
          Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId"
          Write-Host "##vso[task.setvariable variable=ARM_CLIENT_FEDERATED_TOKEN]$env:idToken"
          Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId"

  - script: |
      az login --service-principal --username $(ARM_CLIENT_ID) --federated-token $(ARM_CLIENT_FEDERATED_TOKEN) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions
      az account show
    displayName: 'Azure CLI でログイン'
