In my release pipeline, I'm running an Azure Cli task with a PowerShell script. In the script, I want to grant the current pipeline SP a list secret permission for one azure Key vault.
For doing this, I will need the ObjectId for the current pipeline SP. Turns out this is the hardest thing ever. The pipeline settings only allow return PrincipaleId, then I tried az ad sp show --id $env:servicePrincipalId --query objectId -o tsv. However, this always returns empty string, I guess since the pipeline is authed by a token, Azure does not allow it to get info about itself.
Wondering how can I get this magic ObjectId for the current pipeline other than just pass the value in from pipeline variable
It was an issue with "objectId" parameter value. I have tried to replicate the same in Azure Portal. Instead of using objectId use id parameter, it will work.
az ad sp show *********** --query id -o tsv
Replicated the same in portal.
Created a new Service principal
here are the service principal details:
Step2:
run the command with objectId parameter, output is empty. When we update with "id" it working as expected.
Related
I have azure key vault service in which we are maintaining secrets.
I have to deploy APIM service using ARM JOB in Azure devops release pipeline so I have added this job and added configured template.json and parameter.json and how to pass key vault as over ride parameter to ARM job in over ride parameters?. I tried with below option
I have added keyvault job/varaible group in azure pipelines then in over ride params i called $(keyvaultname/secretname) then saved it and ran the pipeline but i am geeting below issue
enter image description here
Please go to Pipelines -> Library -> create a variable group which contain the keyvalut.
Link the Variable group in your pipeline, make sure the variable of secret is listed.
In the ARM task, overwrite the parameters with "$(var)" name.
PFA .
I have created Variable group and then came back to release pipeline arm job then in the override parameter .
Arm job over ride parameter
Variable group
I have a service connection created for Azure Repos in a separate Azure DevOps org using a PAT.
I would like to be able to access that PAT from a PowerShell script in my pipeline yml since that same PAT has access to a nuget feed in the external org as well and I want to restore a package using that PAT.
Is there any way to do this? Or do I need to create a variable with that same PAT and store the token twice?
Is there any way to do this? Or do I need to create a variable with that same PAT and store the token twice?
We can't access value of specific PAT via reading the service connection which uses the PAT for authorization. As the only way we use service connection is to copy the connection name/ID into pipeline as a value.
What's more, PAT can only be obtained and saved directly when you create it. After that you can only get PAT from where you saved, and you cannot find it from anywhere in Azure DevOps.
If you want to use that PAT in pipeline, you can save it in a variable group as a secret variable.
Here is the detailed steps:
1.Go to Pipelines -> Library -> Create a variable group -> Add a variable and change its type to secret -> Save.
2.Add the variable group to variables in YAML.
variables:
- group: {variable group}
Then you can get the value of PAT by PowerShell scripts.
Currently the Deployment Group 'Register' script needs to be run interactively by providing information like tags, Token, account credentials etc.
It becomes a tedious task to run this interactive script on hundreds of machines to register them into Azure Pipeline Deployment Group.
Is there a way, where we can run in non-interactive mode by passing the required information as a parameter to script?
For e.g. .\scriptToAddToDeploymentGroup.ps1 <--tags appServer, domainController, etc> <--token 43875783457834545>
Can we automate this task from command line by passing parameter
values?
For this issue , the answer is yes.
You could add tags and token as parameters to the Registration script. For details ,please refer to this document.
If you chose --auth pat:
--token <token> - specifies your personal access token
--deploymentGroupTags <tags> - used with --addDeploymentGroupTags to specify the comma separated list of tags for the deployment group agent - for example "web, db"
For example:
\config.cmd --deploymentgroup --deploymentgroupname "xxx" --agent $env:COMPUTERNAME --runasservice --work '_work' --url 'https://dev.azure.com/xx/' --projectname 'xxx'
I'm trying to login to Azure Subscription using Service Principal from Azure DevOps build Pipeline PowerShell task.
The reason I need to log in is, I need to execute a few Log analytics queries from the same PowerShell task, hence it requires authentication to the subscription.
Service Principal ID and Key are in Key Vault as secrets. I need to read them as plain text to pass and authenticate with Azure Subscription.
The problem is, I'm not able to read them as plain text or plain string as it comes as an encrypted string value in the Azure DevOps PowerShell task. I can't seem to find ways in order to read them as plain text directly.
I can't use the below command
(Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName).SecretValueText
because we need to be authenticated already to Azure Subscription to execute the other modules' commands.
Tried the below (i.e) Value for $Encrypted (Service Principal ID) is in KeyVault as plain text When I used the below it said, Input was not in a correct format
$AppId = (ConvertTo-SecureString $Encrypted) $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($AppId) $AppId = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
Looking for any other ways to accomplish this task.
Found out an answer for this. I was using PowerShell task type as AzurePowerShell#2
But changed that to task: AzurePowerShell#4 which made things very easier as I already have Service Connection, i can authenticate to subscription using that and also can read and pass the Key Vault secrets successfully.
you need to mention azurePowerShellVersion: LatestVersion in build task, it worked simply.
Also this eliminated the requirement of using Service principal and now i can authenticate to subscription using Azure DevOps Service connection.
I want to use azure key vault secrets in azure devops release pipeline.could someone help me with powershell script in which I can define these variables and pass it in pipeline.
Powershell script that can be added to a release pipeline for fetching variables from key vault
You could configure a Variable Group to connect to an Azure Key Vault:
Go to "Pipelines" and then "Library" and "Add variable group".
Link secrets from an Azure key vault
Configure a Pipeline to make use of the new Variable Group
Then, whatever variables you have in your variable group can be accessed from your build pipe as $(VariableNameHere) including the key vault.
You could check the great document for some more details.
Hope this helps.