堆栈内存溢出
  简体   繁体   English

Azure DevOps 管道

[英]Azure DevOps Pipelines

 原文  2018-11-21 15:50:19    10    amazon-web-services/ azure/ azure-devops/ pipeline/ devops

问题描述

我是 Azure DevOps 的新手,我正在尝试使用 Azure DevOps 创建一个管道,用于将我的 terraform 代码部署到 AWS 上,用于身份验证我知道我们可以使用服务原则,但这意味着我需要指定我的访问权限和我不想做的 azure DevOps 中的秘密密钥,所以我想检查是否还有其他方法可以做到这一点?

10 个解决方案

解决方案1
 4  2018-11-22 02:53:15

For accessing/storing these kinds of secrets you can try the Azure Key Vault要访问/存储这些类型的机密,您可以尝试Azure Key Vault

Store all your secrets in Azure Key Vault secrets.将所有机密存储在 Azure Key Vault 机密中。

When you want to access secrets:当您想访问机密时:

  • Ensure the Azure service connection has at least Get and List permissions on the vault.确保 Azure 服务连接至少对保管库具有获取和列出权限。 You can set these permissions in the Azure您可以在 Azure 中设置这些权限
    portal:门户网站:

    • Open the Settings blade for the vault, choose Access policies, then Add new.打开保管库的设置边栏选项卡,选择访问策略,然后添加新的。

    • In the Add access policy blade, choose Select principal and select the service principal for your client account.在添加访问策略边栏选项卡中,选择选择主体并为您的客户帐户选择服务主体。

    • In the Add access policy blade, choose Secret permissions and ensure that Get and List are checked (ticked).在添加访问策略边栏选项卡中,选择秘密权限并确保选中(勾选)获取和列出。

    • Choose OK to save the changes.选择确定以保存更改。

Reference 参考

解决方案2
 3  2019-06-05 08:32:05

You can use您可以使用

  1. Secure Azure DevOps Variables or Variable Groups保护 Azure DevOps 变量或变量组
  2. Azure Key Vault Azure 密钥保管库
  3. If you use a Service Principal, then you need a password / certificate as well to authenticate.如果您使用服务主体,那么您还需要密码/证书来进行身份验证。 Maybe you can also try to work with MSI (Managed Service Identity).也许您也可以尝试使用 MSI(托管服务标识)。 In that case, the AAD will take care of the secret storage.在这种情况下,AAD 将负责秘密存储。

解决方案3
 2  2020-12-21 13:15:46

If you don't want to store credentials on Azure Devops itself, best way is to store credentials in a credential store (Azure Key Vault) and access it through a service connection.如果不想在 Azure Devops 本身上存储凭据,最好的方法是将凭据存储在凭据存储 (Azure Key Vault) 中并通过服务连接访问它。 I assume that you are using YAML based pipelines.我假设您使用的是基于 YAML 的管道。 If so use the following steps to integrate your pipeline with the key vault,如果是这样,请使用以下步骤将您的管道与密钥保管库集成,

Prerequisites,先决条件,

  • Azure key vault is set up and keys are securely stored已设置 Azure 密钥保管库并安全存储密钥

Steps,脚步,

  1. In edit mode of the pipeline click on the kebab menu (three dots on upper right corner) and select Triggers在管道的编辑模式下,单击烤肉串菜单(右上角的三个点)并选择触发器
  2. On the opened menu click on the Variables tab and then Variable Groups在打开的菜单上单击变量选项卡,然后单击变量组
  3. Open Manage variable groups in a new tab在新选项卡中打开管理变量组
  4. Click on + Variable group button to add a new variable单击+ 变量组按钮添加新变量
  5. Give a name and a description.给出名称和描述。 Switch on the Link secrets from an Azure key vault as variables toggle.打开Azure Key Vault 中链接机密作为变量切换。
  6. Add a new service connection and once authenticated select the key vault name添加新的服务连接并通过身份验证后选择密钥保管库名称
  7. Now add variables in to the variable group现在将变量添加到变量组中
  8. Once done save the variable group and go back to the previous tab in step 2 and link the new variable group.完成后保存变量组并返回到步骤 2 中的上一个选项卡并链接新的变量组。
  9. Once done save the pipeline完成后保存管道

Important : You need to grant secret read permission to the service connection's service principal from your key vault.重要提示:您需要从 Key Vault 向服务连接的服务主体授予机密读取权限。 Reference: Link secrets from an Azure key vault参考: 来自 Azure Key Vault 的链接机密

解决方案4
 0  2018-11-21 17:13:34

Perhaps use the Azure Devops Libary > Variable Groups to securely store you keys.也许使用 Azure Devops 库 > 变量组来安全地存储您的密钥。

Alternatively you may be able to use the Project Settings> Service connection.或者,您可以使用“项目设置”>“服务”连接。 Perhaps using credentials connection or a generic on.也许使用凭据连接或通用连接。

解决方案5
 0  2018-11-21 18:17:45

Service principals is the industry standard for this case.服务主体是这种情况下的行业标准。 You should create a specific service principal for Azure DevOps and limit its scope to only what's necessary.你应该为 Azure DevOps 创建一个特定的服务主体,并将其范围限制在必要的范围内。

解决方案6
 0  2018-12-15 21:40:20

1- 您必须在您的 AWS 机器上为具有有限服务的 Devops 管道创建私钥 2- 将密钥存储在 Devops 管道的安全库中 3- 从您的 AWS 防火墙禁用来自未知 IP 地址的 SSH 连接,并加入白名单Devops 代理 IP 地址,要获取 ips 列表,请检查此链接https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=vsts&tabs=yaml#agent-ip-ranges

解决方案7
 0  2019-07-25 11:47:14

you can write variables into your powershell script file and can use powershell task into your pipeline.您可以将变量写入您的 powershell 脚本文件,并可以在您的管道中使用 powershell 任务。 Now give powershell file path into this task and just give variables names.现在为这个任务提供 powershell 文件路径,并只提供变量名称。 It will work like a charm.它会像魅力一样发挥作用。

解决方案8
 0  2020-07-17 09:20:24

对于服务原则连接,您需要有服务原则ID和服务原则密钥服务原则ID与应用程序ID相同服务原则密钥存在于证书和秘密中

解决方案9
 0  2020-10-05 09:05:08

You can use Azure Key Vault for storing all your keys and secrets.可以使用 Azure Key Vault 来存储所有密钥和机密。 Give permission to your Azure pipeline to fetch keys from Key Vault.授予 Azure 管道从 Key Vault 获取密钥的权限。

Following link will guide you from scratch to develop a pipeline and fetch keys:以下链接将指导您从头开始开发管道并获取密钥:

https://azuredevopslabs.com/labs/vstsextend/azurekeyvault/ https://azuredevopslabs.com/labs/vstsextend/azurekeyvault/

解决方案10
 0  2021-09-22 23:45:44

The only method to truly not store AWS credentials in Azure/Azure DevOps would be to make a hosted build pool inside your AWS account.真正不在 Azure/Azure DevOps 中存储 AWS 凭证的唯一方法是在您的 AWS 帐户中创建一个托管构建池。 These machines will have the azure DevOps agent installed and registered to your Organization and to a specific agent pool.这些机器将安装 Azure DevOps 代理并将其注册到您的组织和特定代理池。 Then add the needed permissions to the Iam instance profile attached to these build servers.然后将所需的权限添加到附加到这些构建服务器的 Iam 实例配置文件中。 When running your terraform commands using this agent pool, terraform will have access to the credentials on the instance.使用此代理池运行 terraform 命令时,terraform 将有权访问实例上的凭据。 The same concept works for a container based build pool in AWS ECS.相同的概念适用于 AWS ECS 中基于容器的构建池。

解决方案11
 -1  2019-10-06 04:37:53

Continuous integration and continuous delivery (CI/CD) are considered by most to be the backbone of DevOps. 持续集成和持续交付(CI / CD)被大多数人视为DevOps的骨干。 Things start to get really interesting when you combine these practices with programmable infrastructure and a suite of services that allow you to automate the entire lifecycle of an application. 当您将这些实践与可编程基础结构和一整套服务结合在一起,使您能够自动化应用程序的整个生命周期时,事情就会变得非常有趣。

The goal with this guide is to give you a practical example of what that all looks like when you're building, testing, and deploying applications with Azure DevOps Services. 本指南的目的是为您提供一个实际示例,说明使用Azure DevOps Services构建,测试和部署应用程序时的外观。 I'll walk you through the end-to-end process of building a fully automated build and release pipeline for a Node and Express application. 我将引导您完成为Node and Express应用程序构建全自动构建和发布管道的端到端过程。 We'll use Azure DevOps Services to create the CI/CD pipeline and Azure App Service for deploying to development/staging and production. 我们将使用Azure DevOps Services创建CI / CD管道,并使用Azure App Service部署到开发/登台和生产。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在 azure 管道中部署 Elastic beanstalk - How to deploy Elastic beanstalk in azure pipelines 在 Azure DevOps 中异步运行脚本 - Running scripts asynchronously in Azure DevOps 结合 Azure Devops 和 AWS AutoScaling - Combining Azure Devops and AWS AutoScaling 如何从Azure DevOps部署到AWS Kubernetes - How to deploy to AWS Kubernetes from Azure DevOps Azure Devops 服务和 VPN - 加密数据 - Azure Devops Services and VPN - encrypt the data 无法在 Azure Devops 管道中选择 Terraform 工作区 - Unable to select Terraform workspace in Azure Devops pipeline 将 Azure DevOps 管道详细信息发送到 SIEM - Send Azure DevOps Pipeline Details to SIEM Azure DevOps S3 React/MERN 堆栈 - Azure DevOps S3 React/MERN stack 是否有 TFS 的 REST API 在没有 Z3A580F1422036773F5B30898 的情况下运行? - Is there a REST API for TFS that functions without Azure DevOps? 使用 Azure Pipelines 部署 AWS CDK 堆栈时出错(在 CDK 中使用 python) - Error deploying AWS CDK stacks with Azure Pipelines (using python in CDK)
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM