Question
I got this problem: I need to connect to an Azure subscription from a PowerShell script used in a build pipeline, but for security requirements I can't write the user and password in the code, so I have a PFX certificate with the credentials. Right now I'm using the task named Download Secure File to put the certificate on the build. Then I'm trying to access the certificate from the PowerShell code.
I already tested the code on my machine, but when I try to use it on the build pipeline I cannot access the certificate with this:
$tenantId  = "xxxxxxxxxxx"
$appId = "zzzzz"
$cert = %DOWNLOADSECUREFILE_SECUREFILEPATH%
$certThumbprint = $cert.Thumbprint
Write-Host "Logging in...";
Login-AzureRmAccount `
-ServicePrincipal `
-TenantId $tenantId `
-ApplicationId $appId `
-CertificateThumbprint $certThumbprint
and I got an error like this:
Logging in... D:\a\1\s\Scripts\fileName.ps1 : The Script does not work :The term 'cert.secureFilePath' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Tasks used on the build pipeline
Answer 1:
The full path of the downloaded Secure file is stored to the $env:DOWNLOADSECUREFILE_SECUREFILEPATH environment variable. For more information about Download Secure File task please refer to this document.
We could get the certThumbprint with the following code:
$CertificatePath = "$env:DOWNLOADSECUREFILE_SECUREFILEPATH"
$sSecStrPassword = "xxxxx"
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $sSecStrPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint 
If we don't want to use the user and password in the code directly, we could use the Azure Pipeline library and reference it in the code.
If you want to encrypt and securely store the value, choose the "lock" icon at the end of the row. When you're finished adding variables, choose Save.
You access the value of the variables in a linked variable group in exactly the same way as variables you define within the pipeline itself. For example, to access the value of a variable named customer in a variable group linked to the pipeline, use $(customer) in a task parameter or a script. However, secret variables (encrypted variables and key vault variables) cannot be accessed directly in scripts - instead they must be passed as arguments to a task
If I add a variable named sSecStrPassword in the library, then the code could be changed as follows:
function GetThumbprintPFX {
 param([string] $CertificatePath, [string]$Password)
 $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
 $certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
 $thumbprint = $certificateObject.Thumbprint
 return $thumbprint  
}
$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"
Test Result:
For more information about Variable groups, please refer to this link. And Azure Key Vault is another choice for security requirements.
Update:
The following are the detailed steps to use the PFX file in the Azure DevOps pipeline.
- Prepare a .pfx file.
- Add a Download Secure File task and upload the pfx file.
- Create a variable group and add a variable named sSecStrPassword.
- Link the variable group to the build.
- Add a PowerShell script task and add the following script in it.
# Write your powershell commands here.
Write-Host $env:DOWNLOADSECUREFILE_SECUREFILEPATH
function GetThumbprintPFX {
 param([string] $CertificatePath, [string]$Password)
 $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
 $certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
 $thumbprint = $certificateObject.Thumbprint
 return $thumbprint  
}
$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"
- Queue the build and check the result.
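As an added example (not the answer's own code): the same PFX loading, but with the password read from an environment variable mapped from the secret variable instead of being substituted into the script text, and with the certificate placed in the CurrentUser\My store, which is where Login-AzureRmAccount -CertificateThumbprint looks for it. The names PFX_PASSWORD, AZ_TENANT_ID and AZ_APP_ID are assumed environment variables set on the task.

```powershell
# Added example, not from the answer above. Assumes the secret variable
# sSecStrPassword was mapped to PFX_PASSWORD in the task's environment
# variables, and that AZ_TENANT_ID / AZ_APP_ID are set the same way.
$certPath    = $env:DOWNLOADSECUREFILE_SECUREFILEPATH
$pfxPassword = $env:PFX_PASSWORD
if (-not (Test-Path -Path $certPath)) { throw "Secure file not found: $certPath" }
if ([string]::IsNullOrEmpty($pfxPassword)) { throw "PFX_PASSWORD is not set" }

# Load the PFX into the current user's key set and keep the private key
# after import, so a later store lookup by thumbprint can still use it.
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$keyFlags = $flags::UserKeySet -bor $flags::PersistKeySet
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $certPath, $pfxPassword, $keyFlags
if (-not $cert.HasPrivateKey) { throw "PFX contains no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# -CertificateThumbprint only finds certificates in CurrentUser\My or
# LocalMachine\My; computing the thumbprint from the file is not enough.
$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
    -ArgumentList "My", "CurrentUser"
$store.Open("ReadWrite")
try { $store.Add($cert) } finally { $store.Close() }

try {
    Login-AzureRmAccount -ServicePrincipal `
        -TenantId $env:AZ_TENANT_ID `
        -ApplicationId $env:AZ_APP_ID `
        -CertificateThumbprint $cert.Thumbprint
    # ... pipeline work that needs the Azure session goes here ...
}
finally {
    # Remove the certificate from the agent's store once the job is done.
    $store.Open("ReadWrite")
    $store.Remove($cert)
    $store.Close()
}
```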
Source: https://stackoverflow.com/questions/54009357/how-to-use-from-a-powershell-a-pfx-certificate-used-on-build-pipeline-with-the