An Azure pipeline unavoidably uses confidential information such as usernames and passwords. These values need to be protected from unauthorised access and alteration.

The way to achieve this in Azure DevOps is for your Pipeline to reference variables which are stored in a Variable Group, which itself can be configured in one of two ways:

  • Define your variables in a Variable Group and protect selected (sensitive) variables by marking them as Secret, or

  • Protect all variables by storing them as Secrets in an Azure Key Vault and defining a Variable Group linked to that Key Vault.

See Variable groups for Azure Pipelines - Azure Pipelines | Microsoft Docs

Creating Secret Values in a Variable Group


Create a Variable Group Based on an Azure Key Vault

Create an Azure Key Vault

When creating your Key Vault, ensure you attach an Access Policy which provides the Get and List permissions for Secrets.

For scenarios where you plan to use an Azure DevOps plan to facilitate DataStage upgrades, we recommend creating a separate Key Vault for each of your Source and Target systems. For example, these are the key vaults we use when demonstrating upgrades from DataStage v11.5 to v11.7:

Create a Variable Group linked to a Key Vault


Next, back in Azure DevOps, go to the Library within your Project and create a Variable Group. Make sure you select the "Link secrets from an Azure key vault as variables" toggle.

Click the Pipeline permissions tab and ensure that you give your pipeline permission to access this Variable Group.

Grant an Azure Pipeline access to your Variable Group

When executing your Pipeline for the first time you may see a prompt requesting permission to access the Variable Group. Click View, then grant access on the dialog which appears.

Reference

Creating Azure assets using the Azure CLI

```bash
# Login to Azure and configure CLI defaults
az login
az account set --subscription MyAzureSubscription
az config set defaults.location=mygeolocation

# Set up DevOps CLI defaults
az devops configure --defaults project=MyProject
az devops configure --defaults organization=https://dev.azure.com/MyOrganization

# Create a Resource Group to group our MettleCI-related resources
az group create --name MettleCI

# Create the key vault
az keyvault create \
  --name MyDataStageEnvironment \
  --resource-group MettleCI

# Set a secret in the vault (the vault name must match the vault created above;
# a value passed on the command line like this will also appear in shell history)
az keyvault secret set \
  --name "MyPassword" \
  --value "mysecretpassword" \
  --vault-name MyDataStageEnvironment

# Create an Azure service principal called 'MettleCI'
az ad sp create-for-rbac --name MettleCI
```
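Consuming the Key Vault-linked Variable Group from a pipeline, as an added example that is not part of the original page: it assumes the Variable Group is named MyDataStageEnvironment (matching the vault created above) and that the vault holds the MyPassword secret. Secret variables are not exposed to scripts as environment variables automatically, so the step maps the secret explicitly with env: and checks for its presence without printing it.

```yaml
# Added example (not from the original page): azure-pipelines.yml that reads a
# secret from the Key Vault-linked Variable Group "MyDataStageEnvironment".
# Assumed names: Variable Group "MyDataStageEnvironment", secret "MyPassword".
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # Linked to the Key Vault; secret values are fetched at run time and
  # masked in the job log by Azure Pipelines.
  - group: MyDataStageEnvironment

steps:
  - bash: |
      # Fail fast if the secret did not reach this step; never echo its value.
      if [ -z "$DS_PASSWORD" ]; then
        echo "MyPassword was not supplied to this step" >&2
        exit 1
      fi
      echo "MyPassword is available to this step"
    displayName: Verify the Key Vault secret is available
    env:
      # Secrets must be mapped explicitly; $(MyPassword) is not an env var by default.
      DS_PASSWORD: $(MyPassword)
```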
