How secure are the Azure Pipelines hosted Agents and can they be used for more sensitive tasks like code signing?
Consider using container jobs to run your builds. This ensures that everything is done within a disposable container and removed once your task is over. You can inject secrets via Azure KeyVault.
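The pattern described in this answer, as an added example that is not part of the original post: a single job whose steps run inside a disposable container and that pulls only the secrets it needs from Azure Key Vault at run time. The service connection name `my-azure-subscription`, the vault name `my-keyvault` and the secret name `SigningCertPassword` are assumed placeholders, not values from the page.

```yaml
# Added example, not from the original answer.
# Assumes a service connection 'my-azure-subscription' with read access
# to a Key Vault 'my-keyvault' that holds a secret 'SigningCertPassword'.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

jobs:
  - job: sign_in_container
    displayName: Build and sign inside a disposable container
    # All steps run inside this image; the container is discarded when the job ends,
    # so nothing fetched here survives on the hosted agent.
    container: mcr.microsoft.com/dotnet/sdk:8.0
    steps:
      - task: AzureKeyVault@2
        displayName: Fetch signing secrets from Key Vault
        inputs:
          azureSubscription: 'my-azure-subscription'   # assumed service connection name
          KeyVaultName: 'my-keyvault'                  # assumed vault name
          SecretsFilter: 'SigningCertPassword'         # pull only the secrets this job needs
          RunAsPreJob: false

      - script: |
          # The secret arrives as a masked secret variable and is mapped into the
          # step's environment explicitly; it is never written into the YAML itself.
          echo "Secret is available (length ${#SIGNING_PASSWORD})"
        displayName: Use the secret inside the container
        env:
          SIGNING_PASSWORD: $(SigningCertPassword)
```

Two design points worth keeping: `SecretsFilter` limits the job to the named secrets rather than the whole vault, and the secret is passed to the script through `env:` rather than interpolated into the command line, so it is not echoed into the log.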
Let's say I have a YAML pipeline, releasing to dev and prod, and I want to set an approval before releasing to production.
Currently, this can be done via Environments approvals (MS Docs - Define approvals and checks).
However, this seems to work only for virtual machines.
How can I set an approval when releasing to Azure PaaS components, e.g. Azure function or Azure App Service?
To achieve this, go to the service connection that is used to connect to the cloud environment, and set the approval there.
Project settings -> Service connections -> select your connection (prod) -> click the three dots -> Approvals and checks.
In your pipeline you need to define a deployment job, specifying an Environment which is configured to require an Approval.
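The deployment-job shape this answer refers to, as an added example that is not part of the original post: a dev stage and a prod stage, each using a `deployment` job that targets a named Environment. Approvals are not expressed in YAML; they are configured on the `prod` environment (or on the service connection, as the previous answer describes) and the pipeline pauses at the prod stage until an approver acts. The environment names, the service connection `my-azure-subscription`, the app name `my-webapp` and the package path are assumed placeholders.

```yaml
# Added example, not from the original answer.
# Assumes Environments 'dev' and 'prod' exist in the project, that 'prod' has an
# approval check configured, and that 'my-azure-subscription' is a service connection
# allowed to deploy to the App Service 'my-webapp'.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

stages:
  - stage: DeployDev
    jobs:
      - deployment: deploy_dev
        displayName: Deploy to dev
        environment: dev          # no checks configured on this environment
        strategy:
          runOnce:
            deploy:
              steps:
                - task: AzureWebApp@1
                  inputs:
                    azureSubscription: 'my-azure-subscription'   # assumed
                    appName: 'my-webapp-dev'                     # assumed
                    package: '$(Pipeline.Workspace)/drop/app.zip' # assumed artifact path

  - stage: DeployProd
    dependsOn: DeployDev
    jobs:
      - deployment: deploy_prod
        displayName: Deploy to prod
        environment: prod         # the approval check on 'prod' gates this job
        strategy:
          runOnce:
            deploy:
              steps:
                - task: AzureWebApp@1
                  inputs:
                    azureSubscription: 'my-azure-subscription'   # assumed
                    appName: 'my-webapp'                         # assumed
                    package: '$(Pipeline.Workspace)/drop/app.zip' # assumed artifact path
```

Because the check lives on the Environment rather than in the YAML, a contributor cannot remove the approval by editing the pipeline file; only someone with permission on the environment (or the service connection) can change who must approve.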
We're using yaml pipelines with environment agents installed on local infrastructure. Each Environment is backed by a Deployment Pool which is implicitly created by AzDO. The pools reside at the org level.
Every time someone adds an environment to a pipeline it requires the project collection admin to authorize the pipeline. The devs cannot authorize the pipeline because they don't have permission at the org level. The image below shows the prompt received.
Is there any way to simplify this so the PCA is not required to authorize every on-prem pipeline?
No, there is no method to skip the permission from the PCA when a pipeline tries to target an environment for the first time.
In the Organization Settings and Project Settings, there are also no built-in options to permit all new environments on all pipelines by default.
This is aiming to prevent the environments from being abused.
We have a set of privileged operations which we would like to secure. We are considering setting up a custom build agent and deploying the privileged operations to this agent, with custom tasks through which an Azure Pipelines user would be able to execute these operations. It should not be allowed to run arbitrary custom scripts through pipeline tasks such as the Az CLI task or the PowerShell task.
Microsoft is stating in the documentation that it is possible to control the available tasks for a custom build agent. Refer to https://learn.microsoft.com/en-us/azure/devops/pipelines/security/misc?view=azure-devops#control-available-tasks
Unfortunately the documentation is not clear on how this can be configured.
How can I configure this?
You can set it at the organization level in the Settings tab.
I'm using Azure Pipeline Agents on machines and have those machines in a Deployment Group, and I have a DevOps Release which does some things on each machine. If the Azure Pipeline Agent isn't running on a machine at release time, the release will skip over this machine (see the image below). How can I know which machines were skipped?
The easiest way is to manually check the detailed deployment log.
For example:
Then you could get the skipped agent name.
On the other hand, you could also use the REST API: Releases - Get Release. In the API response, you could check the job status and the agent name.
Here is a sample:
GET https://vsrm.dev.azure.com/{organization}/{project}/_apis/release/releases/{releaseId}?api-version=6.0
I'm new to Azure DevOps pipeline, currently nothing works,
I am using Azure DevOps Service with the hosted agent from Azure. Can I somehow keep the VM that runs the Azure DevOps pipeline running? I want to test my azure-pipelines.yml file in a faster way by accessing this VM through a terminal.
You cannot access Microsoft-hosted agents via terminal. They are assigned for your build, and afterwards they go back to the pool to be used by someone else.
If you want to access the agents you must have your own. You can create them on your own Azure VMs, for instance.
He is right; hosted agents are just containers which are disposed of when the pipeline is done. If you want to debug, like checking files or what is not working, you need to have a self-hosted agent. It can be on your own computer for debugging, and you use the hosted one during normal processing.