[英]Add/get secret to Azure Keyvault with Azure powershell task in Azure devops
I am trying to set the secrets inside my Azure Keyvault using the Azure Powershell Task in Azure DevOps. I am trying to set the secrets inside my Azure Keyvault using the Azure Powershell Task in Azure DevOps. I use the following code:
我使用以下代码:
Set-AzureKeyVaultSecret -VaultName $KeyvaultName -Name $SecretName -SecretValue $secretvalue
With the names and the value all setup inside variables and tried to use this without also variables.将名称和值全部设置在变量中,并尝试在没有变量的情况下使用它。 The value is saved as a secure string with the following code.
该值使用以下代码保存为安全字符串。
ConvertTo-SecureString
But when I run this powershell code inside my Azure DevOps Release pipeline I keep getting following Error message:但是当我在我的 Azure DevOps Release 管道中运行这个 powershell 代码时,我不断收到以下错误消息:
Cannot retrieve access token for resource 'AzureKeyVaultServiceEndpointResourceId'. Please ensure that you have provided the appropriate access tokens when using access token login.
So I've made sure that the service principal and the build server are having the right access on the keyvault by adding them both to the access policies with the get,list,set secrets permission.因此,我通过将服务主体和构建服务器都添加到具有 get、list、set secrets 权限的访问策略中来确保服务主体和构建服务器对 keyvault 具有正确的访问权限。
I've also added following lines of code to make sure that the profile is loaded correctly我还添加了以下代码行以确保正确加载配置文件
########################################################################################
$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azureRmProfile)
$context = Get-AzureRmContext
$AzureToken = $profileClient.AcquireAccessToken($context.Tenant.Id)
Add-AzureRmAccount -AccessToken $AzureToken.AccessToken -AccountId $AzureToken.UserId
########################################################################################
By adding this code in the beginning of the inline script and using the profile with the commando as variable to the -DefaultProfile.通过在内联脚本的开头添加此代码并使用带有 commando 的配置文件作为 -DefaultProfile 的变量。
I also enabled the option to enable the script to access the Oauth token.我还启用了使脚本能够访问 Oauth 令牌的选项。
Is there someone who also tried to set the secret from the powershell task in Azure DevOps.是否有人也试图从 Azure DevOps 中的 powershell 任务中设置秘密。 Or know why the powershell script can't get access on the keyvault.
或者知道为什么 powershell 脚本无法访问密钥库。 The azurermContext commando provided me with the right output, even tried the Get-AzureRmKeyvault command to figure out if the connection to the environment was already setup right.
azurermContext 突击队为我提供了正确的 output,甚至尝试了 Get-AzureRmKeyvault 命令来确定与环境的连接是否已正确设置。 And that also didn't gave any problems.
这也没有带来任何问题。
below working for sure (using this reguarly)下面肯定工作(经常使用这个)
Set-AzContext -SubscriptionId $SubscriptionId
## $SubscriptionId is a subscription ID where is the target KV
$Secretvalue = ConvertTo-SecureString $SecretValuePlainText -AsPlainText -Force
## $SecretValuePlainText is the secret to store
Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName -SecretValue $Secretvalue -ErrorVariable setSecretError -Expires $ExpirationDate -NotBefore $ActivationDate
## $SecretName, $ExpirationDate, $ActivationDate - obvious :)
of course if your refer to variable not from script or inline, but from release the use $(variable_name)当然,如果您不是从脚本或内联引用变量,而是从发布使用 $(variable_name)
Service Principal/Service Connection we use for this is temporary an Owner of target subscription (or key vault, up to you).我们为此使用的服务主体/服务连接是目标订阅(或密钥保管库,由您决定)的临时所有者。
I had the exact same issue.我有完全相同的问题。 Found that the problem was a missing access token.
发现问题是缺少访问令牌。
Namely -KeyVaultAccessToken
when you call Add-AzureRmAccount
.即调用
Add-AzureRmAccount
-KeyVaultAccessToken
Found the solution here: https://github.com/Azure/azure-powershell/issues/4818#issuecomment-376155173在这里找到解决方案: https://github.com/Azure/azure-powershell/issues/4818#issuecomment-376155173
I fixed my question with the following.我用以下方法解决了我的问题。
I used a service connection that was based on a managed identity.我使用了基于托管标识的服务连接。 And this needed some workaround to access the key vault like @john mentioned.
这需要一些解决方法来访问像@john 提到的密钥库。 But this was unnecessary.
但这是不必要的。 by creating a new service connection based on a service principal.
通过基于服务主体创建新的服务连接。 This workaround was not necessary and fixed the issue.
此解决方法不是必需的,并解决了该问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.