How to get an agent user capability in TFS Build task? - powershell

I've declared a user capability named "MyCapability" in a TFS 2015 build agent with a path as value. How can I get this value in the PowerShell script of my build task?
$env:MyCapability and $MyCapability don't work.

You cannot access the capabilities from PowerShell through a variable unfortunately.
You could use the Rest Client to connect back to TFS and read the Build Agent as well as the Build Definition to read out the configured values. This will require access to the OAuth token, which can be configured through a checkbox on the Build Definition's configuration page.
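The REST approach described in this answer, as an added example that is not part of the original post. It assumes the OAuth token option is enabled (so the agent exposes `SYSTEM_ACCESSTOKEN`), that the build identity may read agent pools, and that the server serves the distributed task routes shown; the function name is hypothetical.

```powershell
# Added example: read one user capability of the current agent over REST.
# Assumptions: SYSTEM_ACCESSTOKEN is populated by the "Allow Scripts to Access
# OAuth Token" option, and the build identity can read agent pools. Append an
# api-version parameter to the URLs if your server version requires one.
function Get-AgentUserCapability {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [string] $CollectionUri = $env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI,
        [string] $AgentName     = $env:AGENT_NAME,
        [string] $Token         = $env:SYSTEM_ACCESSTOKEN
    )
    if ([string]::IsNullOrEmpty($Token)) {
        throw 'SYSTEM_ACCESSTOKEN is empty: enable the OAuth token option on the build definition.'
    }
    # The token stays in memory and is only sent as a bearer header.
    $headers = @{ Authorization = "Bearer $Token" }
    $base    = $CollectionUri.TrimEnd('/') + '/_apis/distributedtask/pools'

    # The pool id is not known to the script, so search each visible pool
    # for an agent with this agent's name.
    $pools = (Invoke-RestMethod -Uri $base -Headers $headers).value
    foreach ($pool in $pools) {
        $uri = '{0}/{1}/agents?agentName={2}&includeCapabilities=true' -f `
            $base, $pool.id, [uri]::EscapeDataString($AgentName)
        $agents = (Invoke-RestMethod -Uri $uri -Headers $headers).value
        foreach ($agent in $agents) {
            $caps = $agent.userCapabilities
            if ($caps -and $caps.PSObject.Properties[$Name]) {
                return $caps.$Name
            }
        }
    }
    throw "Capability '$Name' not found on agent '$AgentName'."
}

$path = Get-AgentUserCapability -Name 'MyCapability'
Write-Host "MyCapability = $path"
```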

Related

Publish NuGet Packages from TeamCity to Azure DevOps Artifacts

I am trying to configure the Azure Artifacts Credential Provider to allow me to connect to Azure DevOps and publish NuGet packages to the Artifacts feed. I have installed the credential provider on my build server. However every time that I run the build I get the following error:
Am I supposed to pass in a PAT to the Credential Provider, or does the account that is running the build need to have access to Azure DevOps so that it can generate credentials? The documentation was a little unclear to me about how this works. My TeamCity instance is a little out of date so maybe I need to work on getting that upgraded first.
Please add the NuGet Credentials Provider build feature to your build configuration. Specify a URL for the feed (the same way as you did in the NuGet Publish build step) and a valid username + PAT (not a password in there).
The accepted answer seems to no longer be working. On TeamCity 2019.1.4 running on Windows Server 2016 and using .NET Core 2.2.105:
[push] WARNING: The credential plugin model used by 'C:\TeamCity\buildAgent\plugins\nuget-agent\bin\credential-provider\CredentialProvider.TeamCity.exe' is deprecated. Please contact the provider of the plugin for an alternative. More information about the recommended plugin model can be found at 'https://aka.ms/nuget-cross-platform-authentication-plugin'.
[17:18:31][push] Please provide credentials for: https://pkgs.dev.azure.com/org/project/_packaging/feed/nuget/v3/index.json
[17:18:31][push] Unable to load the service index for source https://pkgs.dev.azure.com/org/project/_packaging/feed/nuget/v3/index.json.
[17:18:31][push] Response status code does not indicate success: 401 (Unauthorized).
Manually installing and running the https://github.com/microsoft/artifacts-credprovider works from the command line if I log in to the server and set the env vars for non-interactive use, but does not work within the context of a TeamCity Build job.
Is there a newer TeamCity runner that can handle authentication for dotnet nuget push to Azure Artifacts?

Team Foundation Server (Release Pipeline)

I'm developing a Release pipeline for deploying artefacts using TFS 2017 Update3 Release Management. There are various tasks like "Windows Machine File Copy" and "Run Power Shell on Target machines" which need admin credentials to be passed as input parameters. These admin credentials have Administrative access on target nodes. I'm using Windows service accounts for these. We have an organisational security policy to rotate passwords every month.
With that in mind, it is hectic to update hundreds of TFS release definitions for a new password every month.
Do you have a better idea to handle this? Please give detailed answers.
Thanks in advance.
You could use a variable group to store values that you want to make available across multiple build and release definitions. Variable groups are defined and managed in the Library tab of the Build & Release hub. In this way, you can just edit the variable group:
https://learn.microsoft.com/en-us/vsts/pipelines/library/variable-groups?view=vsts
If you want to automate the process, you can use the solution defined here. This details how to use the TFS API to poke the definitions.
Alternatively you could create your own PowerShell task that sources the password from some alternative source like Azure Key Vault, or even hard code it into the JSON task definition itself (don't do this).
You can vote to improve this story here.
I wrote a custom version of the PowerShell task that uses the identity of the agent as part of the WinRM session which greatly simplifies our release definition process.

How to access VSTS work items from testing code which is running on a V2.x VSTS agent?

We run our E2E automation test on a build agent (V1.105.xxx) after the build is successful. The test code leverages the Visual Studio Unit Test framework to access VSTS work items to load test data using a data-driven approach (each test case method is linked to one test case work item):
[DataSource("Microsoft.VisualStudio.TestTools.DataSource.TestCase", "https://myaccount.visualstudio.com/DefaultCollection;MyProject", "1111111", DataAccessMethod.Sequential)]
And we run our V1.x build agent in interactive mode with PAT auth as follows:
C:\agent\agent\VsoAgent.exe /Login:e2etest,xxxxxxxxxxxxxxxxxxxx;AuthType=PAT
But we could not find a way to run the V2.x agent with PAT auth so as to access the VSTS work items.
Is it still supported in V2.x agent?
When you use a PAT to configure the build agent, the PAT token is used only for the initial configuration of the agent. For more information, you can refer to Communication.
Regarding interactive mode, it will prompt with the login window to let you authenticate when you configure or run the build agent if the cached account can’t access VSTS or there isn’t a cached account. You need to change the permission for this user.
You can try to set the Read permission to deny for this user in the Version Control admin page, then queue a build that needs to download that source and check the result; the build will not start anymore.
Summarize the issue and solution:
Per starain's comments, in the old V1.x agent, the access to VSTS work items from our testing code had nothing to do with the PAT token we used to run the agent in interactive mode. Actually we ran the agent using the local admin account of the VM, which we had once used to connect to VSTS, and the credential was cached. The testing code just used that cached credential to access VSTS work items.
So the solution for V2.x is simple: just run the agent service using the local admin account. No need to run in interactive mode.
Thanks for starain's great help!

Create a workspace from Powershell run within VS Team Services build

I am writing a Powershell script as part of a Visual Studio Team Services build, this build uses a hosted build controller. The script is intended to check out a file, make changes then check it back in.
In the script I am trying to invoke the tf command to create a new workspace but I'm having authentication issues. The command
& $tf vc workspace /new $tempWorkspaceName /collection:https://mycollection.visualstudio.com/
produces the error:
TF30063: You are not authorized to access https://mycollection.visualstudio.com/.
How can I access TFS from my Powershell script without embedding logins or passwords in the script? Can I access TFS within the context of the build agent, which itself logs in to TFS? Or is there another way I should be doing this?
Note that I haven't used the TFS Power Tool cmdlets as it is a hosted build server. Using the TFS RestAPI also doesn't appear to be an option as there is no facility to check a file in or out.
Check the Allow Scripts to Access OAuth Token option of your build definition
Append /noprompt /loginType:OAuth /login:.,$(System.AccessToken) to your TF command (arguments)
About TF Command, you can check this article.
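The two steps above applied to the question's check-out, edit, check-in flow, as an added example that is not part of the original answer. The tf.exe path, the server item and the workspace name are placeholders, and inside the script the token is read from `SYSTEM_ACCESSTOKEN` rather than the `$(System.AccessToken)` macro, which is only expanded in the task's argument fields.

```powershell
# Added example, not the answerer's script. Placeholder values: the tf.exe
# path, the server item and the workspace name.
$tf         = 'C:\path\to\tf.exe'            # placeholder path
$serverItem = '$/MyProject/version.txt'      # placeholder item
$collection = $env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI
$workspace  = "build-$env:BUILD_BUILDID"
$localRoot  = Join-Path $env:TEMP $workspace

if (-not $env:SYSTEM_ACCESSTOKEN) {
    throw 'SYSTEM_ACCESSTOKEN is empty: check "Allow Scripts to Access OAuth Token".'
}
# The token is read from the environment at run time and never stored in the
# script; it is still visible on tf.exe's command line while the process runs.
$login = @('/loginType:OAuth', "/login:.,$env:SYSTEM_ACCESSTOKEN")

function Invoke-Tf {
    & $tf vc @args @login
    if ($LASTEXITCODE -ne 0) {
        # Report only the subcommand so the token never reaches the build log.
        throw "tf vc $($args[0]) failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $localRoot -Force | Out-Null
Push-Location $localRoot
try {
    # Assumption: with /noprompt the new workspace maps $/ to the current directory.
    Invoke-Tf workspace /new $workspace "/collection:$collection" /noprompt
    try {
        Invoke-Tf get $serverItem /noprompt
        $localFile = Join-Path $localRoot ($serverItem.Substring(2) -replace '/', '\')
        Invoke-Tf checkout $localFile
        Add-Content -Path $localFile -Value "built $env:BUILD_BUILDNUMBER"
        Invoke-Tf checkin $localFile '/comment:Updated by build' /noprompt
    }
    finally {
        # Always remove the temporary workspace, even when a step above failed.
        Invoke-Tf workspace /delete $workspace "/collection:$collection" /noprompt
    }
}
finally {
    Pop-Location
}
```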

Do TFS clients need to have local copies of the tools invoked by the build server?

Suppose that there is a TFS server with some kind of WF build activity installed in it. For example, and this is just an example, suppose that the activity takes the build output, decrypts credentials stored somewhere on the server, and performs an operation that requires the decrypted credentials: maybe it sends copies of the build output over the network to some computer that clients are not able to access directly.
Would TFS clients need to have local copies of the build activity that performs that operation? Or do they just push their code changes to the server and let the TFS server decide how to build the code and what to do with the build output? Or do clients have some control over the tools TFS uses to build the code and the operations it performs on the build output? And back to the example I provided, if the user is required to provide the credentials for the post-build action, is the implementer of the activity responsible for ensuring that the credentials are properly secured as they travel from the client to the server or does TFS take care of that?
Once created you can put the Team Build Custom Build Activities in the custom binaries in source control and configure the custom binary path of the Build Controller. TFS will then automatically grab the binaries when such a build gets executed.
As for supplying credentials to the build securely, there is nothing that TFS will do to help you with that. Though communication to TFS can be secured using SSL (configure SSL security on the TFS server), the build parameters are also stored in the TFS database in plain text format.
Your custom Activity and the designer you use to edit the values could provide some form of encryption of values, which would make sure they're not plain text stored in the server database, but you'll probably have to use a static key for this to work.
Best solution is to run the Build Agent under the user credentials you're after, that way the build agent itself has the proper permissions and there would be no transferring of any credentials or secrets over the wire, since Build agents will use NTLM or Kerberos to authenticate.
The build occurs on a Build Server (with the TFS Build Agent installed). Any custom activities are checked into TFS, and in the Build Controller properties you tell it where that directory is. The Build Controller ensures all assemblies in that directory are downloaded to each Build Agent as part of the build process.