Make Azure Keyvault secrets available in entire pipeline
In order to access my secret from the keyvault, I run

- task: AzureKeyVault@2
  inputs:
    azureSubscription: $(KEYVAULT_SC_DEV)
    KeyVaultName: $(KEYVAULT_NAME_DEV)
    SecretsFilter: APICREDENTIALS
    RunAsPreJob: true

which works fine.
However, I have multiple jobs and am now facing the trouble of having to repeat these lines too many times.
So, is there a way to tell Azure Devops that this secret should be set globally for each job/stage/step, etc.?
If you want to make Azure Keyvault secrets available across multiple jobs or stages with the AzureKeyVault@2 task, you can use output variables in different jobs and stages.
For example, I've set a secret named password in my KeyVault.
Across multiple jobs:

variables:
  # map the output variable from A into this job
  password-job-b: $[ dependencies.A.outputs['ouputvariable.mypassword'] ]

Across multiple stages:

variables:
  # map the output variable from A into this job
  password-stage-two: $[ stageDependencies.One.A.outputs['ouputvariable.mypassword'] ]

Across the whole job:

- task: AzureKeyVault@2
  inputs:
    RunAsPreJob: true # make the secret(s) available to the whole job
Full yaml sample:

trigger:
- none

pool:
  vmImage: ubuntu-latest

stages:
- stage: One
  jobs:
  - job: A
    steps:
    - task: AzureKeyVault@2
      inputs:
        azureSubscription: 'your subscription'
        KeyVaultName: 'your keyvault name'
        SecretsFilter: '*'
        RunAsPreJob: true
    - task: Bash@3
      inputs:
        targetType: 'inline'
        script: 'echo "##vso[task.setvariable variable=mypassword;isOutput=true]$(password)"'
      name: ouputvariable
  - job: B
    dependsOn: A
    variables:
      # map the output variable from A into this job
      password-job-b: $[ dependencies.A.outputs['ouputvariable.mypassword'] ]
    steps:
    - script: echo this is password :$(password-job-b) # this step uses the mapped-in variable
- stage: Two
  variables:
    # map the output variable from A into this job
    password-stage-two: $[ stageDependencies.One.A.outputs['ouputvariable.mypassword'] ]
  jobs:
  - job: C
    steps:
    - script: echo this is password :$(password-stage-two) # this step uses the mapped-in variable
Result across multiple jobs:
Result across multiple stages:

UPDATE

When issecret is set to true, the value of the variable will be saved as a secret.

script: 'echo "##vso[task.setvariable variable=mypassword;isOutput=true;issecret=true]$(password)"'
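As an added example (not part of the answer above), the same job A / stage Two layout with the output marked issecret=true and consumed through env: rather than expanded on the command line, so the value is masked in the logs of every consumer; it assumes the placeholder subscription and vault names and the same ouputvariable step name as the sample above.

```yaml
# Added example, not the answerer's code. Placeholders: 'your subscription', 'your keyvault name'.
trigger:
- none

pool:
  vmImage: ubuntu-latest

stages:
- stage: One
  jobs:
  - job: A
    steps:
    - task: AzureKeyVault@2
      inputs:
        azureSubscription: 'your subscription'   # placeholder
        KeyVaultName: 'your keyvault name'       # placeholder
        SecretsFilter: 'password'                # only fetch the secret this pipeline needs
        RunAsPreJob: true
    # issecret=true keeps the output masked in the logs of A and of every consumer
    - bash: echo "##vso[task.setvariable variable=mypassword;isOutput=true;issecret=true]$(password)"
      name: ouputvariable

- stage: Two
  dependsOn: One
  variables:
    password-stage-two: $[ stageDependencies.One.A.outputs['ouputvariable.mypassword'] ]
  jobs:
  - job: C
    steps:
    # Secret variables are not exported to the environment automatically, so map it via env:.
    # The script reads it from the environment and never echoes it, so the step log shows
    # neither the value nor an expanded $(...) on the command line.
    - bash: |
        if [ -z "$API_PASSWORD" ]; then
          echo "secret was not mapped into this job" >&2
          exit 1
        fi
        printf '%s' "$API_PASSWORD" | wc -c   # use the value without printing it
      env:
        API_PASSWORD: $(password-stage-two)
```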
If you want these secrets available to multiple pipelines, one way would be to use library variables and reference these in your pipeline: https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#use-a-variable-group

If you want these secrets available to multiple stages/jobs/steps within the same pipeline, one way would be to create a pipeline variable:

variables:
  secretValue: ''

jobs:
- job: RetrieveSecret
  steps:
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: $(KEYVAULT_SC_DEV)
      KeyVaultName: $(KEYVAULT_NAME_DEV)
      SecretsFilter: APICREDENTIALS
      OutputVariable: secretValue

Here the RetrieveSecret job retrieves the secret from the Key Vault and stores it in the secretValue pipeline variable. Once the secret has been stored in the pipeline variable, you can reference it from any job or task in your pipeline by using the $(pipelineVariableName) syntax.
The caveat here is that pipeline variables are scoped to a specific job; if you wanted to use the same variable across different jobs then you need to pass this value to the next job, sort of like below:
jobs:
- job: Job1
  steps:
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: $(KEYVAULT_SC_DEV)
      KeyVaultName: $(KEYVAULT_NAME_DEV)
      SecretsFilter: APICREDENTIALS
      OutputVariable: secretValue
- job: Job2
  inputs:
    secretInput: $(secretValue)
  steps:
  - task: SomeTask
    inputs:
      secret: $(secretInput)
We can use "variable groups" to pass the values into a YAML pipeline, which we can make available across all.
Step 1: Store Key Vault key values into variable groups (see: how to use keyvault).
Step 2: Use that variable group in any pipeline. Here is the reference: tutorial from Thomas Thornton.