Problem:

You are running an Azure PowerShell inline script task in a release pipeline on a self-hosted (private) Ubuntu (Linux) build agent and observe the error below:

2019-06-24T20:28:30.6103842Z ##[command]Import-Module -Name /home/***/.local/share/powershell/Modules/Az.Accounts/1.5.3/Az.Accounts.psd1 -Global
2019-06-24T20:28:31.6712150Z ##[command]Clear-AzContext -Scope Process
2019-06-24T20:28:33.0938376Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2019-06-24T20:28:33.8110150Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant *** -Credential System.Management.Automation.PSCredential -Environment AzureCloud
2019-06-24T20:28:35.1066077Z There was an error with the service principal used for the deployment.
2019-06-24T20:28:35.1067491Z At /home/***/_work/_tasks/AzurePowerShell_72a1931b-effb-4d2e-8fd8-f8472a07cb62/4.0.12/InitializeAz.ps1:94 char:9
2019-06-24T20:28:35.1068127Z + throw (New-Object System.Exception("There was an error with t ...
2019-06-24T20:28:35.1068485Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2019-06-24T20:28:35.1068753Z + CategoryInfo : OperationStopped: (:) [], Exception
2019-06-24T20:28:35.1068997Z + FullyQualifiedErrorId : There was an error with the service principal used for the deployment.

 

The same release works fine when it is scheduled on a Microsoft-hosted build agent, so the problem lies with the private build agent and the Az module.

 

Steps to debug:

>> Log in to the build agent and run the script below in PowerShell to validate the subscription and confirm that Connect-AzAccount works:

# Replace the placeholders with the values used by the release pipeline.
$servicePrincipalId = "<ServicePrincipalID>"
$servicePrincipalKey = "<servicePrincipalKey>"
$tenantId = "<tenantId>"
$azureSubscriptionId = "<azureSubscriptionId>"

# Build a PSCredential from the service principal ID and key.
$securePassword = ConvertTo-SecureString $servicePrincipalKey -AsPlainText -Force
$psCredential = New-Object System.Management.Automation.PSCredential ($servicePrincipalId, $securePassword)

# Sign in as the service principal and print the resulting context.
Write-Verbose "Connect-AzAccount Started" -Verbose
$azureAccount = Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $psCredential -Environment AzureCloud
$azureAccount
Write-Verbose "Connect-AzAccount Completed" -Verbose

If this shows output with Account, SubscriptionName, TenantId and Environment, it validates the subscription and confirms that the issue is with the Azure PowerShell task.

>> Now, in the release pipeline, disable the Azure PowerShell task, add a PowerShell task, and provide the same script inline:

>> When you run the release, the logs show the actual error that explains why it is failing:

2019-06-24T21:16:07.0066561Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command . '/home/***/_work/_temp/48220b15-6781-43b6-b139-3b4ecdf9cd37.ps1'
2019-06-24T21:16:07.3662638Z WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( /home/***/.Azure ). Please ensure that this directory has appropriate protections.
2019-06-24T21:16:08.5758547Z Connect-AzAccount : Access to the path '/home/***/.Azure/AzureRmContext.json' is denied.
2019-06-24T21:16:08.5760826Z At /home/***/_work/_temp/48220b15-6781-43b6-b139-3b4ecdf9cd37.ps1:10 char:1
2019-06-24T21:16:08.5761749Z + Connect-AzAccount -ServicePrincipal -Tenant $azureTenantId -Credentia ...
2019-06-24T21:16:08.5762470Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2019-06-24T21:16:08.5765842Z + CategoryInfo          : CloseError: (:) [Connect-AzAccount], UnauthorizedAccessException
2019-06-24T21:16:08.5767615Z + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
2019-06-24T21:16:08.5768017Z  

>> If you observe the above error, check on the build agent whether a .Azure folder exists in /home/<build agent home path>. If it exists, check whether it is owned by the root user.

If it is, delete the folder and run the release pipeline again.

 

Cause:

When the Az module is installed with sudo (Install-Module Az -Force -AllowClobber), the .Azure folder is created under the root user. So the service principal used by the release pipeline is denied access to the files in this folder.

Fix:

Delete the .Azure folder and run the release pipeline again. The folder is recreated under the correct user and its files are accessible.
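
The ownership check from the debugging steps, as an added shell example that is not part of the original post. It reports whether the .Azure folder or anything in it belongs to a user other than the agent account, and also whether group/other permission bits are set, since the warning in the log above says the context file holds the service principal secret. The function name, the return codes and the default of "current user = agent account" are assumptions of this example; it relies on GNU find and stat as shipped on Ubuntu.

```shell
# check_az_context_dir DIR [EXPECTED_UID]
#   DIR          directory holding AzureRmContext.json, e.g. "$HOME/.Azure"
#   EXPECTED_UID uid of the account the agent runs as (default: current user)
# Return codes (defined by this example, not by Az or the agent):
#   0 usable
#   1 directory missing (Connect-AzAccount recreates it on the next run)
#   2 directory or something in it belongs to another user, e.g. root
#   3 owner is right, but group/other permission bits expose the context file
check_az_context_dir() {
    local dir="$1"
    local expected_uid="${2:-$(id -u)}"
    local foreign open

    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi

    # List DIR and everything below it that the agent account does not own.
    foreign=$(find "$dir" ! -uid "$expected_uid" \
        -exec stat -c '  %U:%G %a %n' {} + 2>/dev/null)
    if [ -n "$foreign" ]; then
        echo "wrong owner (expected uid $expected_uid):"
        echo "$foreign"
        return 2
    fi

    # AzureRmContext.json can hold the service principal secret, so no
    # group/other bits should be set on the directory or its files.
    open=$(find "$dir" ! -type l -perm /077 -print 2>/dev/null)
    if [ -n "$open" ]; then
        echo "too permissive (group/other bits set):"
        echo "$open"
        return 3
    fi

    echo "ok: $dir"
    return 0
}

# Stand-alone use on the agent, run as the agent account:
#   sh check_az_context_dir.sh "$HOME/.Azure"
[ "$#" -eq 0 ] || check_az_context_dir "$@"
```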