Create an automation credential from a yaml pipeline

Question

I am trying to create an automation credential from a YAML pipeline in Azure DevOps. I am using an AzurePowerShell@5 task to write (inline) the PowerShell script in the YAML file. And the username and password of the credential to be created are stored in a variable group in Azure DevOps.

In Microsoft documentation, the cmdlet New-AzAutomationCredential contains an example of how to use the cmdlet:

$User = "Contoso\PFuller"
$Password = ConvertTo-SecureString "Password" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $Password
New-AzAutomationCredential -AutomationAccountName "Contoso17" -Name "ContosoCredential" -Value $Credential -ResourceGroupName "ResourceGroup01"

But if I try to replace the plain text username and password with the two variables in the variable group, the deployment fails:

$User = $UserVariable
$Password = ConvertTo-SecureString $PasswordVariable -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $Password
New-AzAutomationCredential -AutomationAccountName "Contoso17" -Name "ContosoCredential" -Value $Credential -ResourceGroupName "ResourceGroup01"

Is it possible to use the pipeline variables to create a credential and execute the New-AzAutomationCredential cmdlet?

EDIT: Adding information on at what level I am setting up the variable group:

- stage: devstage
  displayName: 'Dev Environment Deployment'
  dependsOn: build
  condition: succeeded()
  variables: 
  - group: dev-vg

Answer 1

If they are in a variable, then you should reference them from the environment or pass them explicitly to the script as a parameter. Secrets aren't set in the environment, unless explicitly configured.

AzurePowerShell@v5
  - inputs:
    script: |
       $User = $env:username
       $Password = ConvertTo-SecureString $env:password -AsPlainText -Force
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $Password
       New-AzAutomationCredential -AutomationAccountName "Contoso17" -Name "ContosoCredential" -Value $Credential -ResourceGroupName "ResourceGroup01"
  - env:
    myuser: $(username)
    mypassword: $(password)

Alternatively, pass the variables straight into the script contents (warning, the script, including the secret will be written to disk this way):

AzurePowerShell@v5
  - inputs:
    script: |
       $User = $(username)
       $Password = ConvertTo-SecureString $(password) -AsPlainText -Force
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $Password
       New-AzAutomationCredential -AutomationAccountName "Contoso17" -Name "ContosoCredential" -Value $Credential -ResourceGroupName "ResourceGroup01"

In YAML pipelines, you can set variables at the root, stage, and job level. You can also specify variables outside of a YAML pipeline in the UI. When you set a variable in the UI, that variable can be encrypted and set as secret. Secret variables are not automatically decrypted in YAML pipelines and need to be passed to your YAML file with env: or a variable at the root level.