Azure / azure-devops-cli-extension

Azure DevOps Extension for Azure CLI
https://docs.microsoft.com/en-us/cli/azure/ext/azure-devops/?view=azure-cli-latest
MIT License

[Feature Request] Variable group linked to Azure Key Vault keys #723

Open atbagga opened 5 years ago

atbagga commented 5 years ago

Variable group linked to Azure Key Vault keys would be a great addition as well

Originally posted by @LaurentLesle in https://github.com/Azure/azure-devops-cli-extension/issues/639#issuecomment-498039169

geverghe commented 4 years ago

For clarification - there are no documented APIs to support this and we are working with the stakeholder to get an estimate on timeline. Will keep this thread posted.

atbagga commented 4 years ago

Those blocked on this can use the az devops invoke command to automate it if required, using the undocumented API (the API signature can change in future).

Here is the sample command with the JSON request:

az devops invoke --http-method post --area distributedtask --resource variablegroups --debug --in-file .\vgroup_azure_rm.json --encoding ascii --route-parameters project=atbagga --api-version 5.0-preview

{
    "description": "vgroup description",
    "name": "vgroup1",
    "providerData": {
        "serviceEndpointId": "5763599f-0a8b-403a-a4ca-dsdsdsd4b6",
        "vault": "MyAzureKeyvaultName"
    },
    "type": "AzureKeyVault",
    "variables": {
        "VARIABLE_NAME": {
            "isSecret": true,
            "value": "",
            "enabled": true,
            "contentType": "",
            "expires": null
        }
    }
}

serviceEndpointId is the AzureRM service endpoint id, which can be created using the az devops service-endpoint command.

CharlieStokes commented 3 years ago

> Those blocked on this can use the az devops invoke command to automate it if required, using the undocumented API (the API signature can change in future).
>
> Here is the sample command with the JSON request:
>
> az devops invoke --http-method post --area distributedtask --resource variablegroups --debug --in-file .\vgroup_azure_rm.json --encoding ascii --route-parameters project=atbagga --api-version 5.0-preview
>
> {
>     "description": "vgroup description",
>     "name": "vgroup1",
>     "providerData": {
>         "serviceEndpointId": "5763599f-0a8b-403a-a4ca-dsdsdsd4b6",
>         "vault": "MyAzureKeyvaultName"
>     },
>     "type": "AzureKeyVault",
>     "variables": {
>         "VARIABLE_NAME": {
>             "isSecret": true,
>             "value": "",
>             "enabled": true,
>             "contentType": "",
>             "expires": null
>         }
>     }
> }
>
> serviceEndpointId is the AzureRM service endpoint id, which can be created using the az devops service-endpoint command.

This worked for me, however it doesn't allow you to associate a service connection with the variable group to access the key vault. Looks like there hasn't been an update to the CLI yet; does anyone know if this is possible?

yradsmikham commented 3 years ago

Any updates on this feature?

lpalerm commented 3 years ago

@geverghe

> For clarification - there are no documented APIs to support this and we are working with the stakeholder to get an estimate on timeline. Will keep this thread posted.

Any updates?

balazzii commented 2 years ago

Any update on this feature?

brian-duffy commented 2 years ago

+1

cT-m00cat commented 2 years ago

please give us this. would be incredibly useful for CRM solution/portal deployment

cT-m00cat commented 2 years ago

plus one

daguadofnttdata commented 2 years ago

+1

frnode commented 2 years ago

+1 Do you have any information about a future implementation?

cT-m00cat commented 2 years ago

bump +4

DanielGoehler commented 1 year ago

+1

rafaelvelosoAZ commented 1 year ago

+1

mddavisjha commented 1 year ago

We definitely need this, as it's just about the last thing we can't automate for our pipeline creation. To have secrets in the keyvault, we have to manually go in and link the variable group to the keyvaults.

sderrico-descartes commented 1 year ago

+1 Thank you!

pavel-rudenko commented 5 months ago

And what about updating an already existing VG that is linked with Key Vault, adding existing secrets to the variable group in particular? While this article says that the PUT method should be used, a modification of your command returns the following:

cli.azure.cli.core.azclierror: The requested resource does not support http method 'PUT'.
az_command_data_logger: The requested resource does not support http method 'PUT'.

Full CLI command:

az devops invoke --http-method put --area distributedtask --resource variablegroups --debug --in-file ./body3.json --encoding ascii --route-parameters project=redacted --api-version 7.1-preview
#body3.json
{
    "name": "redacted",
    "providerData": {
        "serviceEndpointId": "redacted",
        "vault": "redacted"
    },
    "type": "AzureKeyVault",
    "variableGroupProjectReferences": [
        {
            "projectReference": {
                "id": "redacted",
                "name": "redacted"
            },
            "name": "redacted",
            "description": ""
        }
    ],
    "variables": {
        "redacted": {
            "isSecret": true,
            "value": "",
            "enabled": true,
            "contentType": "",
            "expires": null
        }
    }
}

Invoking POST method to existing keyvault linked variable group results in:

cli.azure.cli.core.azclierror: Variable group 'vgsecretlookup-secret2' already exists.
az_command_data_logger: Variable group 'vgsecretlookup-secret2' already exists.

Please advise :)

luismesa-io commented 4 months ago

I do this with POST, exactly as the suggested az devops invoke comment states, and I add

    "authorized": true,
    "variableGroupProjectReferences": [
            {
                "projectReference": {
                    "id": "redacted",
                    "name": "redacted"
                },
                "name": "redacted",
                "description": ""
            }
        ],

StylezDevops commented 4 months ago

> I do this with POST, exactly as the suggested az devops invoke comment states, and I add
>
>     "authorized": true,
>     "variableGroupProjectReferences": [
>             {
>                 "projectReference": {
>                     "id": "redacted",
>                     "name": "redacted"
>                 },
>                 "name": "redacted",
>                 "description": ""
>             }
>         ],

And you are then able to create/update/link variable groups to keyvault without manual intervention?
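The following script is an added example (not part of this thread, and not code from the azure-devops-cli-extension project) that wraps the create call from atbagga's comment and the update case pavel-rudenko asked about into reusable shell functions. Two things in it are assumptions rather than facts from the thread: that the item route of `distributedtask/variablegroups` can be reached through `az devops invoke` with a `groupId` route parameter (the documented Variablegroups - Update REST call is a PUT on `/_apis/distributedtask/variablegroups/{groupId}`), and that `api-version 7.1-preview.2` is the right version for that call. The practitioner points it makes: secret values never leave the vault (each variable is sent with `"value": ""` and `"isSecret": true`; the service connection's identity resolves them at run time, so it needs only Get and List on the vault's secrets), every field that goes into the hand-built JSON is validated so a caller cannot smuggle quotes or braces into the request body, a duplicate name is detected with the documented `az pipelines variable-group list` command instead of provoking the "already exists" error, and the update path sends the full secret list because PUT replaces the group definition.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread or the extension itself): wrapper
# around the undocumented distributedtask/variablegroups call. Needs a logged-in
# az with the azure-devops extension and the organization default configured.
# Labelled assumptions: the update route takes a "groupId" route parameter and
# api-version 7.1-preview.2 is the version of the documented Update call.
set -eu

# Reject anything that is not a plain identifier so a caller can never smuggle
# quotes or braces into the hand-built JSON. Key Vault secret names are limited
# to letters, digits and hyphens; GUIDs fit the same rule.
ident_ok() {
  case $1 in ""|*[!A-Za-z0-9_-]*) return 1;; esac
}

# Optional variableGroupProjectReferences fragment (the field luismesa-io adds).
# $1 project id (GUID), $2 project name, $3 variable group name.
project_ref() {
  ident_ok "$1" || return 1
  case "$2$3" in *'"'*|*'\'*) return 1;; esac
  printf ', "variableGroupProjectReferences": [{"projectReference": {"id": "%s", "name": "%s"}, "name": "%s", "description": ""}]' \
    "$1" "$2" "$3"
}

# JSON body for a Key Vault-linked variable group. Secret values are never sent:
# "value" stays "" and "isSecret" true, because the AzureKeyVault provider
# resolves each named secret from the vault at run time via the service
# connection. The body lists every secret the group should expose.
# $1 group name, $2 AzureRM service endpoint id, $3 vault name,
# $4 project-reference fragment from project_ref or "", $5.. secret names.
vg_body() {
  local name=$1 endpoint=$2 vault=$3 ref=$4; shift 4
  ident_ok "$name" && ident_ok "$endpoint" && ident_ok "$vault" || return 1
  local vars="" sep="" s
  for s in "$@"; do
    ident_ok "$s" || { echo "invalid secret name: '$s'" >&2; return 1; }
    vars="${vars}${sep}\"$s\": {\"isSecret\": true, \"value\": \"\", \"enabled\": true, \"contentType\": \"\", \"expires\": null}"
    sep=", "
  done
  printf '{"name": "%s", "description": "", "type": "AzureKeyVault", "providerData": {"serviceEndpointId": "%s", "vault": "%s"}%s, "variables": {%s}}\n' \
    "$name" "$endpoint" "$vault" "$ref" "$vars"
}

# Look up an existing group id by name with the documented CLI command, so a
# re-run updates instead of hitting "Variable group ... already exists".
vg_id() {  # $1 project name, $2 group name
  ident_ok "$2" || return 1
  az pipelines variable-group list --project "$1" --query "[?name=='$2'].id | [0]" -o tsv
}

# Create: POST to the collection route, as in atbagga's comment. Prints the id.
# $1 project name, $2.. as vg_body.
vg_create() {
  local project=$1; shift
  local tmp; tmp=$(mktemp)
  vg_body "$@" > "$tmp"
  az devops invoke --http-method post --area distributedtask --resource variablegroups \
    --route-parameters "project=$project" --api-version 7.1-preview.2 \
    --in-file "$tmp" --encoding utf-8 --query id -o tsv
  rm -f "$tmp"
}

# Update: the collection route rejects PUT (the error in the thread). The
# documented Update call is PUT on the item route with the numeric group id and
# a project reference in the body; reaching it through a groupId route
# parameter is an assumption. PUT replaces the definition, so pass every secret.
# $1 group id, $2.. as vg_body (with a non-empty project_ref fragment).
vg_update() {
  local group_id=$1; shift
  ident_ok "$group_id" || return 1
  local tmp; tmp=$(mktemp)
  vg_body "$@" > "$tmp"
  az devops invoke --http-method put --area distributedtask --resource variablegroups \
    --route-parameters "groupId=$group_id" --api-version 7.1-preview.2 \
    --in-file "$tmp" --encoding utf-8 --query id -o tsv
  rm -f "$tmp"
}

# Usage sketch with placeholder values; runs only when invoked as ./vg.sh --demo.
if [ "${1-}" = "--demo" ]; then
  PROJECT=MyProject; ENDPOINT=5763599f-0a8b-403a-a4ca-000000000000; VAULT=MyAzureKeyvaultName
  PID=$(az devops project show --project "$PROJECT" --query id -o tsv)
  REF=$(project_ref "$PID" "$PROJECT" vgroup1)
  GID=$(vg_id "$PROJECT" vgroup1)
  if [ -z "$GID" ]; then vg_create "$PROJECT" vgroup1 "$ENDPOINT" "$VAULT" "$REF" DbPassword ApiKey
  else vg_update "$GID" vgroup1 "$ENDPOINT" "$VAULT" "$REF" DbPassword ApiKey RotatedKey; fi
fi
```

The identifier check is deliberately strict (no spaces in group or vault names) because the body is assembled with printf rather than a JSON library; if you need names with spaces, switch to jq and keep the same validation on the secret names, since those are what the pipeline will later read from the vault.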