Passing Azure DevOps pipeline secrets in tasks - azure-devops

Is there a way to pass the Azure DevOps pipeline secrets without passing them as task env variables?
As per the documentation, we can only pass the secrets like below:
    - powershell: |
        Write-Host "recommended: $env:MY_MAPPED_ENV_VAR"
      env:
        MY_MAPPED_ENV_VAR: $(mySecret) # the recommended way to map to an env variable
This works okay when you have 1 or 2 variables, but managing 20 or more becomes so tedious.
Any comments or suggestions would be greatly appreciated.

Update:
Is there a way to pass the Azure DevOps pipeline secrets without passing them as task env variables?
I'm afraid there is no method to use secret variables directly without mapping them to the task environment.
From the document you mentioned:
Don't set secret variables in your YAML file. Operating systems often
log commands for the processes that they run, and you wouldn't want
the log to include a secret that you passed in as an input. Use the
script's environment or map the variable within the variables block to
pass secrets to your pipeline.
We don't recommend passing the secret variables directly into the pipeline. So we could use the env variable to map the secret variable.
Generally, we only place a small number of secret variables in a single task.
Therefore, it is valuable to use environment variables to map secret variables.
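The check implied by the documentation quote above, as an added example that is not part of the original question or answer: a small line-based scanner that reports which secret macros are expanded inside inline script text and which are mapped through env:. The function name, the sample pipeline and the apiKey variable are assumptions made for illustration; it handles only the step layout shown on this page, not arbitrary YAML.

```python
import re

SCRIPT_KEYS = {"script", "bash", "powershell", "pwsh"}
MACRO = re.compile(r"\$\(([\w.]+)\)")          # $(name) macro syntax
KEY = re.compile(r"^(- )?([\w.]+):\s*(.*)$")   # "key: value" or "- key: value"

def audit_secret_usage(pipeline_text, secret_names):
    """Return (inline, mapped) references to the given secret variable names."""
    secrets = set(secret_names)
    inline, mapped = [], []
    section, section_col = None, -1
    for lineno, raw in enumerate(pipeline_text.splitlines(), 1):
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        text = raw.strip()
        if indent <= section_col:      # a dedent ends a script body or env map
            section = None
        m = KEY.match(text)
        if section is None and m and m.group(2) in SCRIPT_KEYS | {"env"}:
            section = "env" if m.group(2) == "env" else "script"
            section_col = indent + (2 if m.group(1) else 0)
            if section == "env":
                continue
            text = m.group(3)          # one-line form: "- script: echo $(x)"
        if section == "script":        # macro would be pasted into script text
            inline += [(lineno, n) for n in MACRO.findall(text) if n in secrets]
        elif section == "env" and m:   # "ENV_NAME: $(secret)" mapping line
            mapped += [(lineno, m.group(2), n)
                       for n in MACRO.findall(m.group(3)) if n in secrets]
    return inline, mapped

# Constructed sample pipeline (not from the page); apiKey is a made-up secret.
SAMPLE = """\
steps:
- powershell: |
    Invoke-RestMethod -Uri https://example.invalid -Headers @{ 'X-Key' = '$(apiKey)' }
  displayName: inline macro
- powershell: |
    Write-Host "recommended: $env:MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(mySecret)
- script: echo $(SomeTask.out)
"""

if __name__ == "__main__":
    inline, mapped = audit_secret_usage(SAMPLE, ["apiKey", "mySecret"])
    print("expanded inside script text:", inline)
    print("mapped through env:", mapped)
```
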

Related

Passing variables between release pipelines in azure (trigger azure pipeline extension)

I have a requirement to pass data between 2 release pipelines (to trigger 2nd pipeline on completion of 1st pipeline).
Can we pass variables dynamically between azure RELEASE pipelines using trigger an Azure DevOps pipeline extension?
I tried this blog but unable to find/understand if we can use "output variables" to pass data between azure release pipelines.
https://msftplayground.com/2019/02/trigger-a-pipeline-from-an-azure-devops-pipeline/
Thank you in advance!
Output variables are created by the pipeline and referenced by the other tasks in the pipeline; this means they are dynamic and refer to the result of a particular task.
These cannot be defined statically.
After running the task in the pipeline, the output variable's value can be known.
There are two different ways to create output variables:
By building support for the variable in the task itself
Setting the value ad-hoc in a script
The example below defines a task with the name SomeTask that natively creates an output variable called out.
In a task within that same job, you can reference that variable using $(SomeTask.out).
    steps:
    - task: MyTask@1
      name: SomeTask
    - script: echo $(SomeTask.out)
For detailed information on how to create output variables and pass them between pipelines, please refer to the Azure DevOps output variables documentation.

How can I prompt for variables when launching Azure DevOps pipelines?

I'm trying to get Azure DevOps pipelines to prompt for a version number when manually launching a pipeline (defined using the new YAML syntax).
Even when I define variables in the template, the launch screen says "This pipeline has no defined variables". How can I define variables so that they show up in the pipeline launch?
Current YAML definition contains:
    variables:
    - name: versionName
      value: ''
These are not shown when launching the pipeline:
While Shayki's answer is correct for defining variables, what I was really looking for is runtime parameters.
With the following YAML definition:
    parameters:
    - name: myParameter
      displayName: Description of myParameter
      default: defaultMyParameter
      type: string
it prompts for the parameter value when launching the pipeline:
The parameter must be referenced in the template using ${{ parameters.myParameter }}; the other variable syntaxes don't work.
From the docs:
If a variable appears in the variables block of a YAML file, its
value is fixed and can't be overridden at queue time. Best practice is
to define your variables in a YAML file but there are times when this
doesn't make sense. For example, you may want to define a secret
variable and not have the variable exposed in your YAML. Or, you may
need to manually set a variable value during the pipeline run.
You have two options for defining queue-time values. You can define a
variable in the UI and select the option to Let users override this
value when running this pipeline or you can use runtime parameters
instead. If your variable is not a secret, the best practice is to use
runtime parameters.
To set a variable at queue time, add a new variable within your
pipeline and select the override option.
To allow a variable to be set at queue time, make sure the variable
doesn't also appear in the variables block of a pipeline or job. If
you define a variable in both the variables block of a YAML and in the
UI, the value in the YAML will have priority.

How Can I make Secret variables (defined in azure release pipeline) be accessible to my Powershell marketplace task?

How Can I make Secret variable (SecretVar) defined in azure release pipeline be accessible to my Powershell used to create marketplace task (vsix)?
You could not access the secret variable directly from the task. This behavior is by design, to protect secret variables from being exposed in the task.
This documentation states that secret variables are:
Not decrypted into environment variables. So scripts and programs run by your build steps are not given access by default.
Decrypted for access by your build steps. So you can use them in password arguments and also pass them explicitly into a script or a program from your build step (for example as $(password)).
That is the reason why you could not use the secret variables in your task.
To resolve this issue, we need to explicitly map secret variables:
    variables:
      GLOBAL_MYSECRET: $(mySecret)
      GLOBAL_MY_MAPPED_ENV_VAR: foo
    steps:
    - Youtask: |
      env:
        MY_MAPPED_ENV_VAR: $(mySecret) # right way to map to an env variable
Or if the secret variable can be set as arguments, we could use it:
    variables:
      VMS_USER: $(vmsUser)
      VMS_PASS: $(vmsAdminPass)
    pool:
      vmImage: 'ubuntu-latest'
    steps:
    - task: AzureFileCopy@4
      inputs:
        SourcePath: 'my/path'
        azureSubscription: 'my-subscription'
        Destination: 'AzureVMs'
        storage: 'my-storage'
        resourceGroup: 'my-rg'
        vmsAdminUserName: $(VMS_USER)
        vmsAdminPassword: $(VMS_PASS)
If your task does not support env: or arguments to pass secret variables explicitly into a script, you could not use it in the task.
You could check this thread and the document for some more details.
Update:
My custom marketplace task uses Powershell (not yaml) and that is
where I would like to access it. How can I do that within powershell?
If you want to access the secret variables in the powershell script instead of the inline/powershell task, you could try to pass the value of secret variable through PowerShell parameters:
    Param(
        [String]$pass
    )
    if ($pass) { Write-Host "variable is NOT null" }
    if (!$pass) { Write-Host "variable is null" }
Check this thread for some details.
Hope this helps.

How to consume variables from CI pipeline into CD pipeline directly

How can I consume variables set in CI pipeline directly in CD pipeline?
Example:
If there are multiple variables declared in one group, how to access a particular variable in a CI/CD pipeline?
Also, how to use variable groups for multiple key vaults?
Thank you
Setting up global variables
YAML
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml
CLASSIC
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=classic
Using Variables
YAML
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch
CLASSIC
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=classic%2Cbatch
Examples:
Batch script: %VARIABLE_NAME%
PowerShell script: $env:VARIABLE_NAME
Bash script: $VARIABLE_NAME
Key Vault
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=classic#link-secrets-from-an-azure-key-vault
Based on Richard's answer, I managed to set the value of a variable in a variable group to a variable coming from a CI pipeline, and then to read that variable in a CD pipeline.
For that, it is necessary:
To have previously created the variable group, and the variable (its name identified by $(variableName). Let's assume its value would be stored in $(variableValue)).
To find the variable group ID (stored in $(variableGroupId)), which can be done by navigating on Azure DevOps to that variable group. The group ID will then be in the URL.
A Personal Access Token (PAT) with Read & Write access to group variables (called $(personalAccessToken) )
CI pipeline
    - powershell: |
        az pipelines variable-group variable update --group-id $(variableGroupId) --name $(variableName) --value $(variableValue)
      displayName: 'Store the variable in a group variable'
      env:
        AZURE_DEVOPS_EXT_PAT: $(personalAccessToken)
Then all that's necessary is to declare the variable group in the CD pipeline. If this variable group is called MyVariableGroup, it can be done in the following way:
CD pipeline
    variables:
    - group: MyVariableGroup
The variable that was previously set in the CI pipeline will then be available in the CD pipeline.

How to use output variable of Deploy to Kubernetes task in Azure pipeline (VSTS)

I am new to VSTS and Azure Kubernetes. I am building a VSTS CD pipeline. I have added a Deploy to Kubernetes task in my pipeline. I am executing the get command and trying to store the output in the output variables (which is available at the bottom of the Deploy to kubernetes task). I have set the variable name.
I am trying to fetch the value of the above output variable. I have used command line task to set a value to the variable as mentioned below
    echo '##vso[task.setvariable variable=myStatusVar;isSecret=false;]$(myvar)'
where myvar is the variable, which is set in the Deploy to kubernetes task as output variable.
After that in another command line task, I am trying to access the myStatusVar variable value, but when I execute the release pipeline, it shows the message:
    myvar command not found
Can anyone let me know how to use the output variable of the Deploy to Kubernetes task of a VSTS pipeline?
As stated in the comments, your variable is 'exposed' as 'myvar.KubectlOutput'.
The way you are able to use it in scripts differs based on the type of scripting you are doing:
Batch script: %MYVAR_KUBECTLOUTPUT%
PowerShell script: $env:MYVAR_KUBECTLOUTPUT
Bash script: $MYVAR_KUBECTLOUTPUT
Azure Devops 'designer view': $(myvar.KubectlOutput)
For more details on this see the documentation on using variables in Azure DevOps: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch