Use azure keyvault secret as environment variable in Azure DevOps pipeline - azure-devops

As part of the build I am using the 'envsubst' command to replace all secrets from environment variables in my application configuration file. We are using an Azure DevOps pipeline for our build process and have now started using Azure KeyVault to store all these secrets. The current issue is that I am not able to make these secrets available as environment variables on the MS-based agent runner. I tried to refer to multiple documents but nothing helps.
Was anyone able to set the Azure KeyVault secrets as environment variables on the build agent runner? Any clue/guidance will be of help.
I tried using the setvariable task, but it helps to read the secret and use it within the job; it does not help in setting that variable as an environment variable.
- task: Bash@3
  inputs:
    targetType: 'inline'
    script: |
      # Write your commands here
      echo "##vso[task.setvariable variable=MySecret;issecret=true]$(MY-SECRET)"
Export and set command inside shell task is not allowing to setup environment variable
Also tried env setting, but that too didn't help
  env:
    MYSECRET: $(MY-SECRET)
Anyone who has implemented the same, do let me know.

Related

How do I determine a User Environment Variable in YAML file for Microsoft Hosted Agent?

As per title above.
I am trying to mimic my automation setup on my local machine to match the automation I have running using a Microsoft Hosted Agent machine.
This is how it is set up on my local machine. Therefore, when the automation inserts "%repoic%" in a file explorer and the select folder button is pressed, it will open the desired folder.
Now, I need to do the same using the Microsoft Hosted Agent to run my automation. Would anyone give me a clue on how this can be done? Is it simply a matter of doing the following within my DevOps Pipeline's YAML file?
cheers!
From your requirement, you need to set the environment variable and use it to navigate to the path on the agent machine.
In Azure DevOps Pipeline, you can set the Pipeline variable as the screenshot shows in the question.
Then you can use the format $(variablename) to use the Pipeline variable.
Or you can use the format %NAME% for batch and $env:NAME in PowerShell to use the Pipeline environment variable. Refer to this doc: Environment Variable
Here is an example:
pool:
  vmImage: windows-latest
variables:
  testpath: ./src/app/head
steps:
- powershell: Get-Location
  workingDirectory: $(testpath)
Result:
OR you can use the environment variable in Pipeline.
Example:
pool:
  vmImage: windows-latest
variables:
  testpath: ./src/app/head
steps:
- task: CmdLine@2
  inputs:
    script: |
      cd %testpath%

Use Azure pipeline secret variable to set environment variables on build agent

We have certain functional tests that rely on some secrets. Those secrets are obtained from an Azure Key Vault (AKV), and to connect from the build agent, I am using environment variables and AzureIdentity. I set those env variables on the build agent machine using PowerShell. When I use non-secret pipeline variables, everything works, but when I switch to a secret pipeline variable for AZURE_CLIENT_SECRET, the authentication starts to fail. I tried the approach of using a script to set the environment variable from the secret pipeline variable, but it does not work. I also tried the approach mentioned here, but that does not work either. Any suggestion on how to set an environment variable using secret pipeline variables?
Any suggestion on how to set an environment variable using secret pipeline variables?
If you set a secret variable in the pipeline below.
Then use the script's environment, or map the variable within the variables block, to pass secrets to your pipeline as in the script below. See: Set secret variables for details.
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "Using the mapped env var for this task works and is recommended: $env:MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(PAT) # the recommended way to map to an env variable
If you use an Azure Key Vault variable, we create a secret variable (PAT) in the Azure Key Vault below.
So we can link secrets from an Azure Key Vault in a variable group, as below.
Now we can use this variable group in the script below. See: Reference secret variables in variable groups for details.
variables:
- group: 'AKVgroup' # variable group
pool:
  vmImage: 'ubuntu-latest'
steps:
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "Using the mapped env var for this task works and is recommended: $env:MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(PAT) # the recommended way to map to an env variable
The other way is using Azure Key Vault task like below script. See: Use secrets from Azure Key Vault in Azure Pipelines for details.
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'ARM'
    KeyVaultName: 'edwardkey'
    SecretsFilter: '*'
    RunAsPreJob: true
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "Using the mapped env var for this task works and is recommended: $env:MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(PAT) # the recommended way to map to an env variable
If you explicitly pass the secret to the script as a parameter then the script will have access to it.
If you want to then use that to set an environment variable for use in later scripts, you can use a different environment variable name and have the script publish that you want it available in subsequent scripts. That sort of defeats the purpose of it being secret, but if that's what you want.
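
The env mapping recommended in the answers above, applied to the envsubst use case from the first question on this page. This is an added example, not part of any original post; the service connection, vault name and template path are placeholders. It assumes a Linux agent with envsubst available.

```yaml
# Added example; names marked "placeholder" are not from the original posts.
pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: 'my-service-connection'   # placeholder
    KeyVaultName: 'my-keyvault'                  # placeholder
    SecretsFilter: 'MY-SECRET'                   # fetch only what this job needs

- task: Bash@3
  displayName: Render config with envsubst
  inputs:
    targetType: 'inline'
    script: |
      set -euo pipefail
      # An undefined pipeline variable leaves the macro text in place, so fail
      # closed if the mapped value is empty or still looks like a macro.
      case "${MYSECRET:-}" in
        ''|\$\(*\)) echo "MYSECRET was not populated from Key Vault" >&2; exit 1 ;;
      esac
      umask 077   # rendered file is readable by the agent user only
      # Substitute only the named variable; any other ${...} text is left alone.
      envsubst '${MYSECRET}' < config/app.conf.template > config/app.conf
  env:
    # The hyphenated Key Vault name is not a valid shell identifier, so it is
    # mapped to MYSECRET; secrets reach the script only through this mapping.
    MYSECRET: $(MY-SECRET)
```

The mapping is per step, so every later step that needs the secret repeats its own env entry; the secret is never written into the script text itself.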

How to pass variables from one pipeline to another pipeline in azure devops

I have two pipelines (Pipeline A and Pipeline B) configured for build and release, and Pipeline A triggers Pipeline B for deployment.
I defined variables on Pipeline A and need them on Pipeline B to use for deployment. Is it possible to pass them between these two pipelines?
Any leads are much appreciated.
You can use a variable group for that. Here is the doc about variable groups.
Use a variable group to store values that you want to control and make available across multiple pipelines. You can also use variable groups to store secrets and other values that might need to be passed into a YAML pipeline. Variable groups are defined and managed in the Library page under Pipelines.
What you need is to declare the same variable group in both pipelines:
variables:
- group: my-variable-group
And, for instance, if you want to update a variable in one pipeline and have this updated value available in the second, you can use Azure CLI:
az pipelines variable-group variable update --group-id
                                            --name
                                            [--detect {false, true}]
                                            [--new-name]
                                            [--org]
                                            [--project]
                                            [--prompt-value {false, true}]
                                            [--secret {false, true}]
                                            [--value]
You should call this command from Azure CLI task
- task: AzureCLI@2
  displayName: Azure CLI
  inputs:
    azureSubscription: <Name of the Azure Resource Manager service connection>
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
      az --version
      # "variable update" is the subcommand shown in the synopsis above
      az pipelines variable-group variable update --group-id value-of-group-id --name some-name --org your-org --project your-project --value some-value
And if you want to trigger one pipeline after another, you can use a pipeline resource:
resources:
  pipelines:
  - pipeline: securitylib # Name of the pipeline resource
    source: security-lib-ci # Name of the pipeline referenced by the pipeline resource
    trigger:
      branches:
      - releases/*
      - master
Just like Krzysztof Madej pointed out, Variable groups will help to share static values across builds and releases pipeline.
What you need is a way to pass variables from one pipeline to another. I'm afraid to say there is no official way to do this for now.
As a workaround you could update the value of your variables inside your variable group. There are multiple ways to handle this: REST API, PowerShell, 3rd-party extension. For detailed ways, please refer to the answers in this question: How to Increase/Update Variable Group value using Azure Devops Build Definition?
If you want to get the value of the variable in the pipeline, since you have used a logging command to update that variable,
all you need to do is use the REST API to get that particular build log and fetch the related info.
How to pass variables from one pipeline to another pipeline in azure devops
You could set some default variables in the release pipeline, then add an inline PowerShell task to invoke the REST API (Definitions - Update) to update the value of the release definition variable in the build pipeline with values that come from the build pipeline.
PUT https://vsrm.dev.azure.com/{organization}/{project}/_apis/release/definitions?api-version=5.0
Now, we could use the values from multiple pipelines in the release pipeline.
Please check my previous thread for some more details.
Note: Do not forget to use REST API to restore those changed variables to the default value, so that we could use it next time.

How Can I make Secret variables (defined in azure release pipeline) be accessible to my Powershell marketplace task?

How Can I make Secret variable (SecretVar) defined in azure release pipeline be accessible to my Powershell used to create marketplace task (vsix)?
How Can I make Secret variable (SecretVar) defined in azure release pipeline be accessible to my Powershell used to create marketplace task (vsix)?
You could not access the secret variable directly from the task. This behavior is by design, for protecting secret variables from being exposed in the task.
This documentation states that secret variables are:
Not decrypted into environment variables. So scripts and programs run by your build steps are not given access by default.
Decrypted for access by your build steps. So you can use them in password arguments and also pass them explicitly into a script or a program from your build step (for example as $(password)).
That's the reason why you could not use the secret variables in your task.
To resolve this issue, we need to explicitly map secret variables:
variables:
  GLOBAL_MYSECRET: $(mySecret)
  GLOBAL_MY_MAPPED_ENV_VAR: foo
steps:
- Youtask: |
  env:
    MY_MAPPED_ENV_VAR: $(mySecret) # right way to map to an env variable
Or if the secret variable can be set as arguments, we could use it:
variables:
  VMS_USER: $(vmsUser)
  VMS_PASS: $(vmsAdminPass)
pool:
  vmImage: 'ubuntu-latest'
steps:
- task: AzureFileCopy@4
  inputs:
    SourcePath: 'my/path'
    azureSubscription: 'my-subscription'
    Destination: 'AzureVMs'
    storage: 'my-storage'
    resourceGroup: 'my-rg'
    vmsAdminUserName: $(VMS_USER)
    vmsAdminPassword: $(VMS_PASS)
If your task does not support env: or arguments to pass secret variables explicitly into a script, you could not use it in the task.
You could check this thread and the document for some more details.
Update:
My custom marketplace task uses Powershell (not yaml) and that is
where I would like to access it. How can I do that within powershell?
If you want to access the secret variables in the powershell script instead of the inline/powershell task, you could try to pass the value of secret variable through PowerShell parameters:
Param(
    [String]$pass
)
if ($pass) { Write-Host "variable is NOT null" }
if (!$pass) { Write-Host "variable is null" }
Check this thread for some details.
Hope this helps.

How to use output variable of Deploy to Kubernetes task in Azure pipeline (VSTS)

I am new to VSTS and Azure Kubernetes. I am building a VSTS CD pipeline. I have added a Deploy to Kubernetes task in my pipeline. I am executing the get command and trying to store the output in the output variables (which is available at the bottom of the Deploy to kubernetes task). I have set the variable name.
I am trying to fetch the value of the above output variable. I have used command line task to set a value to the variable as mentioned below
echo '##vso[task.setvariable variable=myStatusVar;isSecret=false;]$(myvar)'
where myvar is the variable, which is set in the Deploy to kubernetes task as output variable.
After that in another command line task, I am trying to access the myStatusVar variable value, but when I execute the release pipeline, it shows the message:
myvar command not found
Can anyone let me know how to use the output variable of the Deploy to Kubernetes task of a VSTS pipeline?
As stated in the comments, your variable is 'exposed' as 'myvar.KubectlOutput'.
The way you are able to use it in scripts differs based on the type of scripting you are doing:
Batch script: %MYVAR_KUBECTLOUTPUT%
PowerShell script: $env:MYVAR_KUBECTLOUTPUT
Bash script: $MYVAR_KUBECTLOUTPUT
Azure Devops 'designer view': $(myvar.KubectlOutput)
For more details on this see the documentation on using variables in Azure DevOps: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch