Closed docbyte86 closed 7 months ago
Hi @docbyte86 ,
Maybe I don't understand your use case, but you just have to create a service connection and then use it in the task.
You can use the Azure DevOps helper to get the yaml settings.
Hi @Fizcko ,
let me try to explain:
Currently we are storing the credentials in our variable group in the pipeline libraries and can use them for accessing the vault via azure pipeline templates by using $(VARIABLE)
Example:
```yaml
- task: VaultReadKV@4
  condition: ne(variables['SM_VAULT_PATH'], '')
  inputs:
    strUrl: '$(SM_VAULT_ADDR)'
    ignoreCertificateChecks: false
    useProxy: 'none'
    strAuthType: 'userpass'
    strUsername: '$(SM_VAULT_USR)'
    strPassword: '$(SM_VAULT_PW)'
    strKVEnginePath: '$(SM_VAULT_PATH)'
    strSecretPath: '${{ parameters.vaultSecretPath }}'
    kvVersion: '${{ parameters.vaultVersion }}'
    strPrefixType: 'none'
    replaceCR: true
    strCRPrefix: "#{rn}#"
```
In another stage we have a script executing an Ansible playbook, with roles accessing the vault by adding --extra-vars:
```bash
ansible-playbook \
  --extra-vars "@ansible_extra_vars.json" \
  --extra-vars "vault_user=${SM_VAULT_USR}" \
  --extra-vars "vault_password=$(SM_VAULT_PW)" \
  --limit "all" \
  site.yml
```
I want to prefer using service connections now and remove the variable group. But now I'll need the option to extract the information from the service connection to get the connection details. This works for Azure service connections, for example, as described here: https://james699631746.wordpress.com/2021/11/15/access-azure-service-connection-via-script/
From my point of view this would be a great feature of your extension and would make the pipeline more flexible and dynamic. To add an extra-var for each secret is not an option, because then we will lose all the dynamic.
Let me know about your thoughts.
Have a nice week.
OK, I will do this.
This will be done by the end of the week.
Awesome! I really appreciate that!
@docbyte86 ,
I've just released a new version 5.1.0 on the Azure DevOps marketplace.
This version resolves your issue.
Here is a YAML pipeline definition example showing how to use output variables:
```yaml
stages:
  - stage: 'Stage_A'
    jobs:
      - job: 'Job_A1'
        steps:
          - task: VaultReadKV@5
            displayName: 'Vault - Read KV secrets '
            inputs:
              strAuthType: serviceConnection
              serviceConnectionName: 'vault-dev'
              exportServiceConnectionSettings: true
              ignoreCertificateChecks: true
              strKVEnginePath: ALM
              strPrefixType: folder
              replaceCR: true
              strCRPrefix: '#{rn}#'
          - bash: |
              echo "url '$(VaultReadKV.url)'"
              echo "username '$(VaultReadKV.username)'"
              echo "password '$(VaultReadKV.password)'"
            displayName: 'Check variables'
  - stage: 'Stage_B'
    dependsOn: Stage_A
    jobs:
      - job: 'Job_B1'
        variables:
          vaultUrl: $[stageDependencies.Stage_A.Job_A1.outputs['VaultReadKV.url']]
          vaultUsername: $[stageDependencies.Stage_A.Job_A1.outputs['VaultReadKV.username']]
          vaultPassword: $[stageDependencies.Stage_A.Job_A1.outputs['VaultReadKV.password']]
        steps:
          - bash: |
              echo "url '$(vaultUrl)'"
              echo "username '$(vaultUsername)'"
              echo "password '$(vaultPassword)'"
            displayName: 'Check variables'
```
Regards
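Added example, not part of the thread or the extension's own code: one way to hand the exported service-connection username and password to the `ansible-playbook` call shown earlier through an owner-only extra-vars file, so the password is not an `--extra-vars` argument visible in the agent's process list. It assumes the pipeline step maps the values into `VAULT_USER` and `VAULT_PASSWORD` environment variables; those names, `ANSIBLE_BIN` and the function names are hypothetical, and the values are assumed to contain no control characters.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed (hypothetical) names:
# VAULT_USER / VAULT_PASSWORD env vars and the ANSIBLE_BIN override.

# Escape backslashes and double quotes for use inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Write the credentials to a new owner-only temp file and print its path.
write_vault_extra_vars() {
    if [ -z "${VAULT_USER:-}" ] || [ -z "${VAULT_PASSWORD:-}" ]; then
        echo "VAULT_USER and VAULT_PASSWORD must be set" >&2
        return 1
    fi
    nl='
'
    case "${VAULT_USER}${VAULT_PASSWORD}" in
        *"$nl"*) echo "newline in credential is not supported" >&2; return 1 ;;
    esac
    (
        umask 077
        f=$(mktemp "${TMPDIR:-/tmp}/vault_vars.XXXXXX") || exit 1
        printf '{"vault_user": "%s", "vault_password": "%s"}\n' \
            "$(json_escape "$VAULT_USER")" \
            "$(json_escape "$VAULT_PASSWORD")" > "$f"
        printf '%s\n' "$f"
    )
}

# Run the playbook; only the file path appears in argv, and the file is
# removed afterwards whether or not the playbook succeeds.
run_playbook() {
    vars_file=$(write_vault_extra_vars) || return 1
    rc=0
    "${ANSIBLE_BIN:-ansible-playbook}" \
        --extra-vars "@ansible_extra_vars.json" \
        --extra-vars "@${vars_file}" \
        --limit "all" \
        "$@" || rc=$?
    rm -f "$vars_file"
    return "$rc"
}

# In the pipeline step: run_playbook site.yml
```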
@docbyte86,
Is it possible for you to give me feedback here about this feature for your use case?
Thanks
I will, of course. I'll try my best to test it by the middle of this week.
Sorry for the late reply. I didn't forget to test. This week I was able to perform the switch and I can confirm that we are able to get the credentials as described. Many thanks for your efforts.
Have a nice week.
Hello,
I was thankful for the new feature to use a service connection. Many thanks for that!
I just want to make an enhancement request to get the service connection details to process them in further scripts/tasks. This is useful to provide the information as extra variables for an Ansible playbook, for example.
Here is a blog article on how this is possible with Azure service connections: https://james699631746.wordpress.com/2021/11/15/access-azure-service-connection-via-script/
Many thanks!