I have my username and password stored in Vault server. While using jenkins pipeline I want to use those credentials in my jenkinspipeline file to run adn ansible play that will use those credentials on the target machine to log in and perform tasks. How can i do that in jenkinsfile ?
Well I could figure out... the official documentation itself is wrong.
Correct usage is described here: https://issues.jenkins-ci.org/browse/JENKINS-45685
Related
We are trying to connect to Microsoft SQL Server installed in an Azure VM (IaaS) from Datastage using API.
Currently, we are using JDBC connector to connect to Microsoft SQL Server (IaaS) using a service account and its password. But, on a new server, we have to reset the password every three months in Azure. Also, same service account is being used by other applications.
We have to create the change request to reflect the new password in the datastage PROD environment. Also, we are getting separated service account to use in Datastage.
To avoid the password reset or lock issue, we are planning use API to get the password for connecting to the DB.
API DB connection is working in Alteryx. Can you please let us know is it possible to connect and ways to do so in Datastage 11.7.1.2. Also, please let me know any other feasible solution for this problem, if the API connection is not possible.
I assume you know how to fetch the password via command line interface from your cloud service.
Store the password as datastage environment variable which is then used in the job.
Use a shell script to update the password. In the script, check first if the password has changed. If it did, run the dsadmin -envset command to set the environment variable to a new value. You might need to encrypt the new value using the encrypt command located in .../ASBNode/bin. Call the script every time before running the parallel job.
You should test if the change of an environment variable will be recognized by the job just in time when the script and the job are called by the same sequence. It might not work if the param is passed-through by the sequence.
Please read the IBM docs about the commands I mentioned.
I am creating Yaml Pipeline to deploy AAS.
Now I want to know how to add database credentials for AAS while deploying. the Source is Azure sql db and it doesn't have username/pw. It is configured using AAD.
I would like to know various options of configuring this as source for AAS in Powershell script. I would like to avoid using username and p/w if possible.
Currently, AAD credentials are not supported in AAS. You have to connect using a username and password.
Currently I am using keycloak on postgres db. and the db creds are provided to environment files. Wanted to know how I can make keycloak obtain the db creds from keyvault something like Azure keyvault ? Is there any documentation / guideline around it?
As per the official documentation ,some part already done but look like still work in progress
To use a vault, a vault provider must be registered within Keycloak.
It is possible to either use a built-in provider described below or
implement your own provider. See the Server Developer Guide for more
information.
To obtain a secret from a vault instead of entering it directly, enter the following specially crafted string into the appropriate field: ${vault.entry-name} where you replace the entry-name with the name of the secret as recognized by the vault.
https://www.keycloak.org/docs/latest/server_admin/#_vault-administration
https://issues.redhat.com/browse/KEYCLOAK-3205
We're trying to get our first containerized build running in Azure Devops Server.
The build runs fine in the container, but, unfortunately, it needs to access resources on another server. As such, I need this to be running as a domain user (GMSA account will work) so that it can authenticate the network share to access those resources.
I can't seem to find any documentation on running a containerized build as a specific user.
Can anyone point me to how to setup the yml for passing credentials, or gmsa account? That would be great.
Thanks in advance
Alright... so I figured it out.
First you have to create a credential spec
In powershell New-CredentialSpec -AccountName GMSAAccountName
Then add this in the yml file beneath the container declaration:
options: --security-opt "credentialspec=file://Domain_GMSAAccountName.json"
That was it... and now it works.
Have you tried using PAT(Personal Access Token) to run in agent build?
When setup asks for your authentication type, choose PAT. Then paste the PAT token you created into the command prompt window.
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/v2-windows?view=azure-devops#permissions
I'm trying to run Powershell scripts in my Team City build steps.
The scripts use WebClient to connect to Team City's REST API; currently, I have to login to Team City and hardcode a username and password as arguments in my Powershell build step.
I'm wondering if anyone knows a way to pass the credentials I am currently using to authenticate to Team City in my Powershell scripts without hardcoding any passwords
If you only need read access in the REST api (ie you don't want to do POST/PUT/DELETE, only GET) then use the teamcity generated user name and password.
This username/password pair is generated per each build and valid only during the build run. This is how you can access them in your powershell script:
read the $env:TEAMCITY_BUILD_PROPERTIES_FILE environment variable which holds the full path to the build properties file that are generated/valid for this build
this file is a simple key=value java prop file. You need to parse out the values for teamcity.auth.userId and teamcity.auth.password properties. Or better yet, parse all the props always in your script init phase and put them into a hash table in your powershell script.
If you need write access to the REST api, you can't use this uid/pwd pair. For this I am using a keychain on osx and a keepass db on windows. Keepass has a nice .net api that you can access from powershell. Create an new keepass db, make it unlockable with a key, not with a password, make sure your user running the build agent has access to this key and no one else, then use keepass api to unlock the db, read out your teamcity admin account and password who can do POST/PUT/DELETE in the rest api.
Thanks for the answer but we wound up providing the username and password as build parameters.
TeamCity's built in password protection helped us out here.
In this way, we're using one account to run our powershell scripts but we can still see who kicked off the build from the credentials they used to login to the web UI.
So we maintained traceable responsibility and stopped the constant entering of username and passwords.
More info: confluence.jetbrains.com/display/TCD7/Typed+Parameters