Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

An Azure pipeline unavoidably uses confidential information including usernames and passwords which need to be protected from unauthorised access and alteration.

The way to achieve this in Azure DevOps is for your Pipeline to reference variables which are stored in a Variable Group which itself can be configure in one of two ways:

  • Define your variables in a Variable Group and protect selected (sensitive) variables by marking them as Secret, or

  • Protect all variables by storing them in as Secrets in an Azure Key Vault and defining a Variable Group linked to that Key Vault.

See Variable groups for Azure Pipelines - Azure Pipelines | Microsoft Docs

Creating Secret Values in a Variable Group

Create a Variable Group Based on an Azure Key Vault

Create an Azure Key Vault

When your Key Vault ensure you attach an Access Policy which provides the Get and List permissions for Secrets.

For scenarios where you plan to use an Azure DevOps plan to facilitate DataStage upgrades we recommend creating a separate Key Vault for each of your Source and Target systems. For example, these are the key vaults we use when demonstrating upgrades from DataStage v11.5 to v11.7:

Create a Variable Group linked to a Key Vault

Next, back in Azure DevOps, go to the Library within your Project and create a Variable Group. Make sure you select the Link secrets from an Azure key vault as variables toggle.

Click the Pipeline permissions tab and ensure that you give your pipeline permission to access this Variable Group:

Grant an Azure Pipeline access to your Variable Group

When executing your Pipeline for the first time you may see a prompt like this.

Click View then grant access on the dialog which appears.

Reference

Creating Azure assets using the Azure CLI

# Login to Azure and configure CLI defaults
$> az login
$> az account set --subscription MyAzureSubscription
$> az config set defaults.location=mygeolocation

# Setup DevOps CLI defaults
$> az devops configure --defaults project=MyProject
$> az devops configure --defaults organization=https://dev.azure.com/MyOrganization 

# Create a Resource Group to group our MettleCI-related resources
$> az group create --name MettleCI

# Create key vault
$> az keyvault create \\n  --name MyDataStageEnvironment \\n  --resource-group MettleCI

# Set a secret in the vault
$> az keyvault secret set \\n  --name "MyPassword" \\n  --value "mysecretpassword" \\n  --vault-name MettleCI

# Create an Azure service principal called 'MettleCI'
$> az ad sp create-for-rbac --name MettleCI

  • No labels

© 2015-2024 Data Migrators Pty Ltd.