An Azure pipeline unavoidably uses confidential information including username and password. These need to be protected from unauthorised access by defining them as Secrets in an Azure Key Vault and allowing Azure to access them at runtime.
# Login to Azure and configure CLI defaults $> az login $> az account set --subscription MyAzureSubscription $> az config set defaults.location=mygeolocation # Setup DevOps CLI defaults $> az devops configure --defaults project=MyProject $> az devops configure --defaults organization=https://dev.azure.com/MyOrganization # Create a Resource Group to group our MettleCI-related resources $> az group create --name MettleCI # Create key vault $> az keyvault create \\n --name MyDataStageEnvironment \\n --resource-group MettleCI # Set a secret in the vault $> az keyvault secret set \\n --name "MyPassword" \\n --value "mysecretpassword" \\n --vault-name MettleCI # Create an Azure service principal called 'MettleCI' $> az ad sp create-for-rbac --name MettleCI
Create a Key Vault
When your Key Vault ensure you attach an Access Policy which provides the Get and List permissions for Secrets.
For scenarios where you plan to use an Azure DevOps plan to facilitate DataStage upgrades we recommend creating a separate Key Vault for each of your Source and Target systems. For example, these are the key vaults we use when demonstrating upgrades from DataStage v11.5 to v11.7:
Next, back in Azure DevOps, go to the Library within your Project and create a Variable Group. Make sure you select the Link secrets from an Azure key vault as variables toggle.
Click the Pipeline permissions tab and ensure that you give your pipeline permission to access this Variable Group:
Executing Pipeline