Fizcko / Azure_DevOps_Vault_Interaction

Azure DevOps extension to interact with HashiCorp Vault.
MIT License

Enhancement request to get the service connection details using them for later tasks/scripts. #20

Closed docbyte86 closed 7 months ago

docbyte86 commented 8 months ago

Hello,

I was thankful for the new feature to use a service connection. Many thanks for that!

I just want to make an enhancement request to get the service connection details to process them in further scripts/tasks. This is useful to provide the information as extra variables for an ansible playbook, for example.

Here is a blog article on how it is possible with the Azure Service Connections: https://james699631746.wordpress.com/2021/11/15/access-azure-service-connection-via-script/

Many thanks!

Fizcko commented 8 months ago

Hi @docbyte86 ,

Maybe I don't understand your use case, but you just have to create a service connection and then use it in the task.

You can use the Azure DevOps helper to get the yaml settings.

docbyte86 commented 8 months ago

Hi @Fizcko ,

let me try to explain:

Currently we are storing the credentials in our variable group in the pipeline libraries and can use them for accessing the vault via Azure pipeline templates by using $(VARIABLE).

Example:

  - task: VaultReadKV@4
    condition: ne(variables['SM_VAULT_PATH'], '')
    inputs:
      strUrl: '$(SM_VAULT_ADDR)'
      ignoreCertificateChecks: false
      useProxy: 'none'
      strAuthType: 'userpass'
      strUsername: '$(SM_VAULT_USR)'
      strPassword: '$(SM_VAULT_PW)'
      strKVEnginePath: '$(SM_VAULT_PATH)'
      strSecretPath: '${{ parameters.vaultSecretPath }}'
      kvVersion: '${{ parameters.vaultVersion }}'
      strPrefixType: 'none'
      replaceCR: true
      strCRPrefix: "#{rn}#"

In another stage we have a script executing an ansible playbook, with roles accessing the vault by adding --extra-vars:

          ansible-playbook \
            --extra-vars "@ansible_extra_vars.json" \
            --extra-vars "vault_user=${SM_VAULT_USR}" \
            --extra-vars "vault_password=$(SM_VAULT_PW)" \
            --limit "all" \
            site.yml

I would now prefer to use service connections and remove the variable group. But then I'll need the option to extract the information from the service connection to get the connection details. This works for Azure service connections, for example, as described here: https://james699631746.wordpress.com/2021/11/15/access-azure-service-connection-via-script/

From my point of view this would be a great feature of your extension and would make the pipeline more flexible and dynamic. Adding an extra-var for each secret is not an option, because then we would lose all the dynamics.

Let me know about your thoughts.

Have a nice week.

Fizcko commented 8 months ago

OK, I will do this.

This will be done by the end of the week.

docbyte86 commented 8 months ago

Awesome! I really appreciate that!

Fizcko commented 7 months ago

@docbyte86 ,

I've just released a new version, 5.1.0, on the Azure DevOps marketplace.

This version resolves your issue.

Here is a YAML pipeline definition example showing how to use output variables:

stages:
- stage: 'Stage_A'
  jobs:
    - job: 'Job_A1'
      steps:
        - task: VaultReadKV@5
          displayName: 'Vault - Read KV secrets '
          inputs:
            strAuthType: serviceConnection
            serviceConnectionName: 'vault-dev'
            exportServiceConnectionSettings: true
            ignoreCertificateChecks: true
            strKVEnginePath: ALM
            strPrefixType: folder
            replaceCR: true
            strCRPrefix: '#{rn}#'
        - bash: |
            echo "url '$(VaultReadKV.url)'"
            echo "username '$(VaultReadKV.username)'"
            echo "password '$(VaultReadKV.password)'"
          displayName: 'Check variables'
- stage: 'Stage_B'
  dependsOn: Stage_A
  jobs:
    - job: 'Job_B1'
      variables:
        vaultUrl: $[stageDependencies.Stage_A.Job_A1.outputs['VaultReadKV.url']]
        vaultUsername: $[stageDependencies.Stage_A.Job_A1.outputs['VaultReadKV.username']]
        vaultPassword: $[stageDependencies.Stage_A.Job_A1.outputs['VaultReadKV.password']]
      steps:
        - bash: |
            echo "url '$(vaultUrl)'"
            echo "username '$(vaultUsername)'"
            echo "password '$(vaultPassword)'"
          displayName: 'Check variables'

Regards
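
A pipeline fragment that joins the two halves of this thread (the ansible-playbook call from the request and the 5.1.0 output variables from the comment above), added here as an example and not taken from the extension's documentation or from either participant. It assumes the 5.1.0 inputs and output names shown above, that the outputs can be consumed through stageDependencies as in that example, and that the service connection name 'vault-dev' is a placeholder; the password is handed to the shell only via an env: mapping, so Azure DevOps secret masking applies and nothing is echoed.

```yaml
stages:
- stage: 'Read_Vault'
  jobs:
    - job: 'Read'
      steps:
        # Same 5.1.0 inputs as in the comment above; 'vault-dev' is an
        # assumed placeholder for the Vault service connection.
        - task: VaultReadKV@5
          displayName: 'Vault - Read KV secrets'
          inputs:
            strAuthType: serviceConnection
            serviceConnectionName: 'vault-dev'
            exportServiceConnectionSettings: true
            ignoreCertificateChecks: false   # keep TLS verification on
            strKVEnginePath: ALM
            strPrefixType: folder

- stage: 'Deploy'
  dependsOn: Read_Vault
  jobs:
    - job: 'Ansible'
      variables:
        vaultUrl: $[stageDependencies.Read_Vault.Read.outputs['VaultReadKV.url']]
        vaultUsername: $[stageDependencies.Read_Vault.Read.outputs['VaultReadKV.username']]
        vaultPassword: $[stageDependencies.Read_Vault.Read.outputs['VaultReadKV.password']]
      steps:
        - bash: |
            # Fail fast if the upstream stage did not export the settings.
            : "${VAULT_URL:?missing VaultReadKV.url}"
            : "${VAULT_USER:?missing VaultReadKV.username}"
            : "${VAULT_PASSWORD:?missing VaultReadKV.password}"
            # Credentials reach the playbook as extra-vars; they are never
            # echoed, and the password enters the shell only via env: below.
            ansible-playbook \
              --extra-vars "@ansible_extra_vars.json" \
              --extra-vars "vault_addr=${VAULT_URL}" \
              --extra-vars "vault_user=${VAULT_USER}" \
              --extra-vars "vault_password=${VAULT_PASSWORD}" \
              --limit "all" \
              site.yml
          displayName: 'Run playbook with Vault credentials from the service connection'
          env:
            VAULT_URL: $(vaultUrl)
            VAULT_USER: $(vaultUsername)
            VAULT_PASSWORD: $(vaultPassword)
```

Anything passed as a command-line argument is visible in the agent's process list while the playbook runs; writing the credentials to a 0600 JSON file and passing it with `--extra-vars "@file"` avoids that exposure.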

Fizcko commented 7 months ago

@docbyte86,

Is it possible for you to give me feedback here about this feature for your use case?

Thanks

docbyte86 commented 7 months ago

I will, of course. I'll try my best to test it by the middle of this week.

docbyte86 commented 5 months ago

Sorry for the late reply. I didn't forget to test. This week I was able to perform the switch and I can confirm that we are able to get the credentials as described. Many thanks for your efforts.

Have a nice week.