我们有一个多阶段YAML管道,可对现有的一组Azure资源执行CI / CD
阶段是
我们在部署阶段使用AzureRmWebAppDeployment任务,并且对该任务使用AppSettings参数来指定特定于环境的设置。例如
- task: AzureRmWebAppDeployment@4
displayName: 'Deploy Azure App Service'
inputs:
azureSubscription: '$(azureSubscriptionEndpoint)'
appType: '$(webAppKind)'
WebAppName: 'EXISTING__AZURE_RESOURCENAME-DEV'
Package: '$(Pipeline.Workspace)/**/*.zip'
AppSettings: >
-AzureAd:CallbackPath /signin-oidc
-AzureAd:ClientId [GUID was here]
-AzureAd:Domain [domain was here]
-AzureAd:Instance https://login.microsoftonline.com/
-AzureAd:TenantId [Id was here]
-EmailServer:SMTPPassword SECRETPASSWORD
-EmailServer:SMTPUsername SECRETUSERNAME
我要从Azure KeyVault中提取该设置中的两个设置EmailServer: SMTPUsername和EmailServer: SMTPPassword。我知道如何使用语法从Azure Portal引用KV机密
@Microsoft.KeyVault(SecretUri=https://our.vault.azure.net/secrets/SendGridPassword/ReferenceGuidHere)
但是如何从YAML管道中引用值,以便在Azure中进行设置?
答案 0 :(得分:0)
托马斯在此评论中指出,Referencing Azure Key Vault secrets from CI/CD YAML
我可以像这样在YAML文件中显式设置值:
-EmailServer:SMTPPassword @Microsoft.KeyVault(SecretUri=https://our.vault.azure.net/secrets/SendGridPassword/ReferenceGuidHere)
答案 1 :(得分:0)
您需要将RunAsPreJob的AzureKeyVault @ 1任务设置为true,这将使密钥保管库值可用作CI / CD作业环境变量,因此您可以将其用作$(KEY-OF-SECRET-VALUE)工作的其余阶段。
以下yaml文件是一个有效的示例。 我们为python unittest设置了Azure密钥库提供的一组env变量
trigger:
batch: true # disable concurrent build for pipeline
branches:
include:
- '*' # CI start for all branches
pool:
vmImage: ubuntu-16.04
stages:
- stage: Test
jobs:
- job: sample_test_stage
steps:
- task: AzureKeyVault@1
inputs:
azureSubscription: 'YOUR SUBSCRIPTION HERE'
KeyVaultName: 'THE-KEY-VAULT-NAME'
SecretsFilter: '*'
RunAsPreJob: true
- task: UsePythonVersion@0
inputs:
versionSpec: '3.7'
- script : python -m unittest discover -v -s tests
displayName: 'Execute python unittest'
env: { MY-ENV-VAL-1: $(SECRET-VALUE-1), MY-ENV-VAL-2: $(SECRET-VALUE-2)}
请注意,有时您需要批准AzureDevops与另一个Azure服务(如KeyVault)之间的连接