We Have Automated scripts that we would like to build and Test on Azure DevOps but our pipeline cannot run our Test Scripts on Azure
We have a Database Service Account that we want to configure on Azure but we don't know how to go about it. Please assist.
Here is a well explained video (by Hassan Habib from Microsoft) on exactly how to run a console app (you create) in an Azure Pipeline that securely gets credentials to immediately do stuff in Azure (https://youtu.be/ht0xhQyF1x4?t=1688)
He basically, in a handful of minutes shows exactly how to:
Link Pipeline Variables to KeyVault Secrets, so when accessed, the variables do a get() from KeyVault and return that value.
Securely links Pipeline Variables to Azure Environment Variables.
As a step in the release pipeline the console app reads the Azure Environment Variables to get credentials to do stuff in Azure.
In his case he created an Azure Resource Group in Azure.
In your case if I’m understanding correctly. You could possibly make a simple console app that runs in the pipeline, that gets creds\connections strings for your database to do whatever in the DB and could possibly test your scripts.
we have azure devops pipelines to build and deploy various projects.
Rccently, we wanted to use the "azureblog file copy" pipeline to copy some files to a blob storage.
This needs write access to the storage account over in azure.
Our administrator says that the pipeline runs as whoever manually runs the pipeline. If this is true, we would have to give all devs and users read/write access to the blog storage, which would be crazy.
I assume he is wrong, and that pipelines run as a specific designated user no matter how they were kicked off. The question is, how to find out what this user is for a given pipeine?
The "edit pipeline" has a security tab near the top, adn this lists a but of "Azure Devops groups", which are presumably groups who have the ability to run the pipelines.
But where is the pipeline user defined?
which user do Azure devops pipelines run as?
It depends on the context in which you are discussing the question.
If you mean inside a pure DevOps service, then I can tell you that the user that the pipeline runs on is not the one who triggers the pipeline (which is the case with native DevOps services by default, unless you install some weird extension or have a problem with the pipeline special design), but this identity:
<Project Name> Build Service Account
'run as someone' is just a property of pipeline run. Pipeline run as 'Build Service Account'(On the DevOps side), If you need a pipeline to download or upload an artifact, you can clearly feel this. If the account mentioned above has no permission, you can't do anything.
If you mean the user's operations based on the Azure side, then I can tell you that for native DevOps service, the 'user' that the pipeline performs operations on the Azure side is not the person who triggers the pipeline. The pipeline of DevOps service consists of multiple tasks, and tasks generally interact with other services through service connection (you can find this in Project settings).
There are many types of service connections. When interacting with services in Azure, this type is generally used:
Azure Resource Manager -> Service principal
When you create a service connection of this type on the DevOps side, Azure will also create an AAD app related to this service connection, and this ADD app corresponds to a service principal in Azure. In Azure, permissions are assigned based on service principals or users, and your DevOps pipeline's operations to Azure are based on this service principal and have nothing to do with anything else in DevOps. On the Azure side, this service principal can be considered as an Azure-side 'avatar' of the tasks of the DevOps pipeline.
If you are interacting with Azure through pure code/pure script, then please follow the logic of the script/code.
Our administrator says that the pipeline runs as whoever manually runs
the pipeline. If this is true, we would have to give all devs and
users read/write access to the blog storage, which would be crazy.
For native DevOps service, of course not. Unless this pipeline has a special design.
I believe the pipeline runs as the "agent". Who the "agent user" is will depend on, first, whether you've chosen a "Microsoft-hosted" or "self-hosted" agent to run your pipeline.
When running pipelines in Azure DevOps that are directly working with Azure Resources you need an Azure Resource Manager service connection. The credentials used to make the service connection are the credentials the pipeline will use when it runs.
You can have your administrator provide you with an Azure AD account that has the permissions you need and then use that Azure AD account to create the service connection for the pipeline. Once you have created the service connection you can use the ResourceID of that connection in place of you azureSubscription.
Here is the link to the Microsoft documentation on creating a service connection.
Here is the link to the Microsoft documentation on the Azure file copy task. To verify you can use the service connection in place of the azureSubscription.
we have automated the following steps using azure devops
A Release pipeline which creates a website in azure and the next step which deploys the code, all is well and working so far
The next step that we need to do is create a Azure SQLDB and and an Azure Storage Account in the release pipeline and then configure these values in the appsettings.json file
Questions
Creating the Storage account is the easy part, but how do we get the storage account key back in the pipeline and associate that value in the appsetting.json file ?
Similarly for the SQLDB how do we get the IPAddress and add it in the exclusions list.
and also it you could point us to any documentation on this
how do we get the storage account key back in the pipeline.
You can use the Azure CLI az storage account keys to get storage account keys.
I want to use azure key vault secrets in azure devops release pipeline.could someone help me with powershell script in which I can define these variables and pass it in pipeline.
Powershell script that can be added to a release pipeline for fetching variables from key vault
You could configure a Variable Group to connect to an Azure Key Vault:
Go to "Pipelines" and then "Library" and "Add variable group".
Link secrets from an Azure key vault
Configure a Pipeline to make use of the new Variable Group
Then, whatever variables you have in your variable group can be accessed from your build pipe as $(VariableNameHere) including the key vault.
You could check the great document for some more details.
Hope this helps.
We need to create and Key Vault and populate it (or generate) with secrets, then reference them as passwords to SQL servers (PaaS) at the next build step. What would be the best approach to do that?
There are many ways to create/update Azure Key Vault, such as Azure PowerShell, Azure CLI, REST API, also there are Azure PowerShell and Azure CLI tasks in VSTS build/release. So do it with Azure PowerShell or Azure CLI.
To create/update the variable in build/release, you can use Logging Command (##vso[task.setvariable]value), then the variable can be used in subsequent task.
On the other hand, if you just want the variable secret, you just need to add a build or release variable and click lock icon to set the variable secret.