Published on

Why Your Azure Pipeline Might Be Failing After Az.Accounts 5.0.0

Authors
  • avatar
    Name
    Alexander Arana Escobedo
    Twitter

Introduction

Recently, we encountered an unexpected issue with an AzurePowerShell@5 task in one of our Azure DevOps pipelines. This task uses the Invoke-SqlCmd command, and although we hadn’t made any changes to the pipeline, it suddenly started failing with the following error message:

ado-output-secure-string

Troubleshooting

We started investigating the issue, and on the second day, we discovered that an update had occurred in the Get-AzAccessToken command. This command is used to fetch an Azure access token, which is then passed to the Invoke-SqlCmd command to authenticate and run a SQL script.

ado-output-secure-string

The root cause turned out to be a breaking change introduced in version 5.0.0 of the Az.Accounts module: the output of Get-AzAccessToken was changed from plain text to a SecureString. This unexpected change caused the pipeline to fail, as the token could no longer be consumed in the expected format.

Solution

The solution was to convert the SecureString to plain text. Of course, this isn’t ideal from a security perspective. Hopefully, Microsoft will update the Invoke-SqlCmd command to accept a SecureString for the -AccessToken parameter instead of requiring plain text. That would make the flow more secure and consistent with modern practices.

See the example below for how you can solve this:

$token = (Get-AzAccessToken -ResourceUrl https://database.windows.net).Token
$unsecureToken = ConvertFrom-SecureString -SecureString $token -AsPlainText
Invoke-SqlCmd -ServerInstance "sql-test-we-01.database.windows.net" `
        -Database "spiderman" `
        -AccessToken "$unsecureToken" `
        -InputFile "script.sql" `
        -Verbose

I hope this post helps you troubleshoot your pipeline issues faster! If you have any questions, don’t hesitate to reach out! 🙏

Alexander Arana.E

Discuss on X