We need to create and Key Vault and populate it (or generate) with secrets, then reference them as passwords to SQL servers (PaaS) at the next build step. What would be the best approach to do that?
There are many ways to create/update Azure Key Vault, such as Azure PowerShell, Azure CLI, REST API, also there are Azure PowerShell and Azure CLI tasks in VSTS build/release. So do it with Azure PowerShell or Azure CLI.
To create/update the variable in build/release, you can use Logging Command (##vso[task.setvariable]value), then the variable can be used in subsequent task.
On the other hand, if you just want the variable secret, you just need to add a build or release variable and click lock icon to set the variable secret.
Related
We Have Automated scripts that we would like to build and Test on Azure DevOps but our pipeline cannot run our Test Scripts on Azure
We have a Database Service Account that we want to configure on Azure but we don't know how to go about it. Please assist.
Here is a well explained video (by Hassan Habib from Microsoft) on exactly how to run a console app (you create) in an Azure Pipeline that securely gets credentials to immediately do stuff in Azure (https://youtu.be/ht0xhQyF1x4?t=1688)
He basically, in a handful of minutes shows exactly how to:
Link Pipeline Variables to KeyVault Secrets, so when accessed, the variables do a get() from KeyVault and return that value.
Securely links Pipeline Variables to Azure Environment Variables.
As a step in the release pipeline the console app reads the Azure Environment Variables to get credentials to do stuff in Azure.
In his case he created an Azure Resource Group in Azure.
In your case if I’m understanding correctly. You could possibly make a simple console app that runs in the pipeline, that gets creds\connections strings for your database to do whatever in the DB and could possibly test your scripts.
we have automated the following steps using azure devops
A Release pipeline which creates a website in azure and the next step which deploys the code, all is well and working so far
The next step that we need to do is create a Azure SQLDB and and an Azure Storage Account in the release pipeline and then configure these values in the appsettings.json file
Questions
Creating the Storage account is the easy part, but how do we get the storage account key back in the pipeline and associate that value in the appsetting.json file ?
Similarly for the SQLDB how do we get the IPAddress and add it in the exclusions list.
and also it you could point us to any documentation on this
how do we get the storage account key back in the pipeline.
You can use the Azure CLI az storage account keys to get storage account keys.
I have a service connection created for Azure Repos in a separate Azure DevOps org using a PAT.
I would like to be able to access that PAT from a PowerShell script in my pipeline yml since that same PAT has access to a nuget feed in the external org as well and I want to restore a package using that PAT.
Is there any way to do this? Or do I need to create a variable with that same PAT and store the token twice?
Is there any way to do this? Or do I need to create a variable with that same PAT and store the token twice?
We can't access value of specific PAT via reading the service connection which uses the PAT for authorization. As the only way we use service connection is to copy the connection name/ID into pipeline as a value.
What's more, PAT can only be obtained and saved directly when you create it. After that you can only get PAT from where you saved, and you cannot find it from anywhere in Azure DevOps.
If you want to use that PAT in pipeline, you can save it in a variable group as a secret variable.
Here is the detailed steps:
1.Go to Pipelines -> Library -> Create a variable group -> Add a variable and change its type to secret -> Save.
2.Add the variable group to variables in YAML.
variables:
- group: {variable group}
Then you can get the value of PAT by PowerShell scripts.
I want to use azure key vault secrets in azure devops release pipeline.could someone help me with powershell script in which I can define these variables and pass it in pipeline.
Powershell script that can be added to a release pipeline for fetching variables from key vault
You could configure a Variable Group to connect to an Azure Key Vault:
Go to "Pipelines" and then "Library" and "Add variable group".
Link secrets from an Azure key vault
Configure a Pipeline to make use of the new Variable Group
Then, whatever variables you have in your variable group can be accessed from your build pipe as $(VariableNameHere) including the key vault.
You could check the great document for some more details.
Hope this helps.
Am working on the rotation of keys in Azure Key Vault through Azure Automation. I did it by using Azure Runbooks in azure automation successfully. But, I want to get an alert of the keys which is going to expire before expired and then run my runbook to rotation of those keys automatically. The entire process to be done automatically with the help of azure automation and VSTS-Build. Please, give me some suggestions for this requirement.
First, you can apply a schedule for the runbook back directly: Key rotation using Azure Automation
Secondly, with VSTS, you can schedule build to do it through PowerShell
A blog that can help you: Expiry Notification for Azure Key Vault Keys and Secrets