Access Azure Repos Service Connection PAT from yml - azure-devops

I have a service connection created for Azure Repos in a separate Azure DevOps org using a PAT.
I would like to be able to access that PAT from a PowerShell script in my pipeline yml since that same PAT has access to a nuget feed in the external org as well and I want to restore a package using that PAT.
Is there any way to do this? Or do I need to create a variable with that same PAT and store the token twice?

Is there any way to do this? Or do I need to create a variable with that same PAT and store the token twice?
We can't access the value of a specific PAT by reading the service connection that uses the PAT for authorization, as the only way we use a service connection is to copy the connection name/ID into the pipeline as a value.
What's more, a PAT can only be obtained and saved directly when you create it. After that, you can only get the PAT from where you saved it; you cannot find it anywhere in Azure DevOps.
If you want to use that PAT in a pipeline, you can save it in a variable group as a secret variable.
Here are the detailed steps:
1. Go to Pipelines -> Library -> Create a variable group -> Add a variable and change its type to secret -> Save.
2. Add the variable group to variables in YAML.
variables:
- group: {variable group}
Then you can get the value of the PAT in PowerShell scripts.
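How the secret from the variable group can reach a PowerShell step, as an added example that is not part of the original answer: secret variables are not exposed to scripts as environment variables unless they are mapped in the step's `env:` block. The variable name `ExternalOrgPat`, the environment variable `EXTERNAL_PAT`, the source name `ExternalFeed` and the feed URL placeholders are assumptions.

```powershell
# restore.ps1 - added example; names and the feed URL are placeholders.
# Pipeline step (YAML) that maps the secret into this script's environment:
#   variables:
#   - group: {variable group}
#   steps:
#   - pwsh: ./restore.ps1
#     env:
#       EXTERNAL_PAT: $(ExternalOrgPat)   # hypothetical secret variable name
$ErrorActionPreference = 'Stop'

$pat = $env:EXTERNAL_PAT
# An undefined macro is passed through literally as "$(ExternalOrgPat)",
# so check for that as well as for an empty value.
if ([string]::IsNullOrWhiteSpace($pat) -or $pat.StartsWith('$(')) {
    throw 'EXTERNAL_PAT is not set: link the variable group and map the secret under env:.'
}

$feedUrl = 'https://pkgs.dev.azure.com/{external-org}/_packaging/{feed}/nuget/v3/index.json'  # placeholder
$config  = Join-Path ([System.IO.Path]::GetTempPath()) "nuget-$([guid]::NewGuid()).config"
$escaped = [System.Security.SecurityElement]::Escape($pat)

# Write a throwaway nuget.config so the PAT never lands in the repository or
# in the agent's user-level NuGet configuration. Add any other sources the
# project needs to <packageSources>.
@"
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="ExternalFeed" value="$feedUrl" />
  </packageSources>
  <packageSourceCredentials>
    <ExternalFeed>
      <add key="Username" value="pat" />
      <add key="ClearTextPassword" value="$escaped" />
    </ExternalFeed>
  </packageSourceCredentials>
</configuration>
"@ | Set-Content -Path $config -Encoding UTF8

try {
    dotnet restore --configfile $config
    if ($LASTEXITCODE -ne 0) { throw "dotnet restore failed with exit code $LASTEXITCODE" }
}
finally {
    # Remove the file that holds the clear-text token, even when restore fails.
    Remove-Item -Path $config -Force -ErrorAction SilentlyContinue
}
```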

Related

How to authenticate to Azure devops private package feed from .npmrc using jenkins pipeline

I have a React application whose deployment is done through a Jenkins pipeline.
package.json uses a private feed present in Azure DevOps Artifacts.
I want to authenticate the .npmrc present in GitLab to Azure DevOps using my Jenkins pipeline.
Could you please advise how to do that?
I would like to know if there is a way to authenticate to Azure DevOps private feeds using a service principal from a Jenkins pipeline.
I want to authenticate the .npmrc present in GitLab to Azure DevOps using my Jenkins pipeline. Could you please advise how to do that?
You can add the .npmrc file to the same path as the package.json file.
Then you can add the following content to the .npmrc file:
; begin auth token
//pkgs.dev.azure.com/orgname/projectname/_packaging/feedname/npm/registry/:username=xx
//pkgs.dev.azure.com/orgname/projectname/_packaging/feedname/npm/registry/:_password=[BASE64_ENCODED_PERSONAL_ACCESS_TOKEN]
//pkgs.dev.azure.com/orgname/projectname/_packaging/feedname/npm/registry/:email=npm requires email to be set but doesn't use the value
//pkgs.dev.azure.com/orgname/projectname/_packaging/feedname/npm/:username=xxx
//pkgs.dev.azure.com/orgname/projectname/_packaging/feedname/npm/:_password=[BASE64_ENCODED_PERSONAL_ACCESS_TOKEN]
//pkgs.dev.azure.com/orgname/projectname/_packaging/feedname/npm/:email=npm requires email to be set but doesn't use the value
; end auth token
You need to generate a PAT in Azure DevOps, then convert it to Base64 and add it to the .npmrc file to authenticate to the feed.
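Added example (not from the original answer): producing the credential lines at build time from a PAT supplied in an environment variable, so that the Base64 value, which is an encoding and not encryption, lives in a temporary per-user npm config rather than in the .npmrc kept in GitLab. `AZDO_PAT`, the user name `xx` and the `orgname/projectname/feedname` path are placeholders; it is assumed that Jenkins injects the token from its credential store and that the project .npmrc holds only the `registry=` line.

```powershell
# write-npmrc-auth.ps1 - added example; AZDO_PAT and the feed path are placeholders.
$ErrorActionPreference = 'Stop'

$pat = $env:AZDO_PAT   # assumed to be injected by the CI credential store
if ([string]::IsNullOrWhiteSpace($pat)) { throw 'AZDO_PAT is not set.' }

# _password takes the Base64 encoding of the PAT on its own.
$b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pat.Trim()))

$user = 'xx'   # placeholder user name, as in the .npmrc block above
$feed = '//pkgs.dev.azure.com/orgname/projectname/_packaging/feedname/npm'

# Both URL prefixes from the .npmrc block get the same three credential keys.
$lines = foreach ($prefix in "$feed/registry/", "$feed/") {
    "${prefix}:username=$user"
    "${prefix}:_password=$b64"
    "${prefix}:email=npm requires email to be set but doesn't use the value"
}

# Write the credentials to a temporary user-level config (UTF-8, no BOM) and
# point npm at it; npm merges it with the project .npmrc.
$npmrc = Join-Path ([System.IO.Path]::GetTempPath()) "npmrc-$([guid]::NewGuid())"
[System.IO.File]::WriteAllLines($npmrc, [string[]]$lines)
$env:NPM_CONFIG_USERCONFIG = $npmrc

try {
    npm ci
    if ($LASTEXITCODE -ne 0) { throw "npm ci failed with exit code $LASTEXITCODE" }
}
finally {
    # Leave no encoded token behind on the build agent.
    Remove-Item -Path $npmrc -Force -ErrorAction SilentlyContinue
    Remove-Item -Path Env:NPM_CONFIG_USERCONFIG -ErrorAction SilentlyContinue
}
```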

I am getting an error called Either Value or Key vault must be provided and Secret Identifier is not in the correct format

I have an Azure Key Vault service in which we are maintaining secrets.
I have to deploy an APIM service using the ARM job in an Azure DevOps release pipeline, so I have added this job and configured template.json and parameter.json. How do I pass the Key Vault as an override parameter to the ARM job in the override parameters? I tried the option below.
I added the Key Vault job/variable group in Azure Pipelines, then in the override parameters I called $(keyvaultname/secretname), saved it and ran the pipeline, but I am getting the issue below.
Please go to Pipelines -> Library and create a variable group which contains the Key Vault.
Link the variable group in your pipeline, and make sure the secret variable is listed.
In the ARM task, overwrite the parameters with the "$(var)" name.
PFA.
I have created the variable group and then came back to the release pipeline ARM job, then in the override parameter.

What PAT scope to pick in azure devops to get the yaml schema?

I'd like to use the following endpoint:
https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/yamlschema/get?view=azure-devops-rest-6.0
I.e.
https://dev.azure.com/{org}/_apis/distributedtask/yamlschema
For that I need to create a PAT with the appropriate access, only the docs do not list which scope I need to enable.
What PAT scope to pick in azure devops to get the yaml schema?
Based on my test, you could grant the Token Administration (Read & manage) or Tokens (Read & manage) permission to the PAT.
Then the REST API could work fine.

Powershell script that can be added to a release pipeline for fetching variables from key vault

I want to use Azure Key Vault secrets in an Azure DevOps release pipeline. Could someone help me with a PowerShell script in which I can define these variables and pass them into the pipeline?
Powershell script that can be added to a release pipeline for fetching variables from key vault
You could configure a Variable Group to connect to an Azure Key Vault:
Go to "Pipelines" and then "Library" and "Add variable group".
Link secrets from an Azure key vault
Configure a Pipeline to make use of the new Variable Group
Then, whatever variables you have in your variable group can be accessed from your build pipe as $(VariableNameHere) including the key vault.
You could check the great document for some more details.
Hope this helps.

Generate Key Vault Secrets automatically

We need to create a Key Vault and populate it with (or generate) secrets, then reference them as passwords to SQL servers (PaaS) at the next build step. What would be the best approach to do that?
There are many ways to create/update an Azure Key Vault, such as Azure PowerShell, Azure CLI and the REST API; there are also Azure PowerShell and Azure CLI tasks in VSTS build/release. So do it with Azure PowerShell or Azure CLI.
To create/update the variable in build/release, you can use a logging command (##vso[task.setvariable]value); then the variable can be used in subsequent tasks.
On the other hand, if you just want the variable to be secret, you just need to add a build or release variable and click the lock icon to set the variable as secret.
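The approach described above as an added example, not code from the original answer: generate a password, store it in Key Vault, and hand it to later tasks with the logging command marked `issecret=true` so the value is masked in logs. It assumes the script runs in an Azure PowerShell task with the Az.KeyVault module and a signed-in context; the vault, secret and variable names are hypothetical.

```powershell
# Added example; vault, secret and variable names are hypothetical.
param(
    [string]$VaultName  = 'my-keyvault',       # placeholder
    [string]$SecretName = 'SqlAdminPassword'   # placeholder, also used as the variable name
)
$ErrorActionPreference = 'Stop'

function New-RandomPassword {
    param([int]$ByteCount = 32)
    # Cryptographic RNG rather than Get-Random, which is not meant for secrets.
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # Base64 text of the random bytes; confirm it satisfies your SQL password policy.
    return [Convert]::ToBase64String($bytes)
}

$plain  = New-RandomPassword
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Creates the secret, or a new version of it if it already exists.
# Out-Null keeps the returned secret object out of the build log.
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure | Out-Null

# issecret=true masks the value in logs. Later tasks read it with macro syntax,
# $(SqlAdminPassword); scripts need it mapped explicitly through env:.
Write-Host "##vso[task.setvariable variable=$SecretName;issecret=true]$plain"
```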