Retrieve Azure DevOps pipeline variable using PowerShell variable


Question


I'm using an Azure DevOps Release pipeline which has the following steps:

  • Download KeyVault secrets
  • Invoke Console App with correct parameters

Downloading of KeyVault secrets works fine and I can confirm that they are available by using $(Key1), where Key1 is the actual key stored in KeyVault secrets.

Now, what I want is to loop over the list of secrets (a simple text file with keys separated by commas) and append them to a console app parameter, but I fail to retrieve an Azure DevOps pipeline variable with a PowerShell variable.

$keyVaultVariables can be Key1,Key2,Key3, which corresponds to the keys stored in KeyVault, meaning that when I'm calling $($kvVar) it should get the value of the secret with that key. What I get is just the key, but no value.

# Comma-separated secret names read from the text file, e.g. "Key1,Key2,Key3"
# (constructed sample value so the snippet runs stand-alone).
$keyVaultVariables = "Key1,Key2,Key3"

$keyVaultList = $keyVaultVariables -split ','
$stringReplacementValues = ""

foreach ($kvVar in $keyVaultList)
{ 
    # $($kvVar) is only a subexpression around the PowerShell variable $kvVar,
    # so it evaluates to the name string ("Key1"), not to the pipeline
    # variable $(Key1); the agent's $(Name) macro expansion happens before the
    # script runs and only for literal $(Name) tokens.
    $val = $($kvVar)
    Write-Host $val
    $stringReplacementValues = $stringReplacementValues + "$kvVar|$val;" 
}

# Prints "Key1|Key1;Key2|Key2;Key3|Key3;" rather than the secret values.
Write-Host $stringReplacementValues 

What am I doing wrong?

Answer 1

Score: 1


What you want cannot be done this way. It's a security feature.

Secrets can only be iterated through the task-sdk from a custom task. Any script or existing task that doesn't have this functionality needs to have these values passed in through an input or the environment or through inlining the value in the script directly. This is a security feature to prevent, say, a rogue npm package from extracting all of the secrets from a pipeline.

If you move your functionality into a custom task, it could access the secrets.
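The explicit-mapping approach the answer describes, as an added example that is not part of the original question or answer: instead of trying to enumerate secrets from inside the script, each secret the step needs is passed in through the PowerShell task's env mapping, and the script reads them by name from the process environment. It assumes a YAML pipeline; the service connection name, Key Vault name, the secret names Key1..Key3, the env var names and the console app path are placeholders. In a classic release pipeline the same mapping is done in the PowerShell task's "Environment Variables" section.

```yaml
# Added example (not from the original post): pass a fixed, explicit set of
# Key Vault secrets into a PowerShell step via the task's env mapping.
# Placeholders: service connection, vault name, secret names, app path.
steps:
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: 'my-service-connection'   # placeholder
      KeyVaultName: 'my-keyvault'                   # placeholder
      SecretsFilter: 'Key1,Key2,Key3'               # only the secrets this stage needs
      RunAsPreJob: false

  - task: PowerShell@2
    displayName: Build console-app argument from explicitly mapped secrets
    env:
      # Secret variables are not exposed to scripts automatically; each one
      # must be mapped here. $(Key1) is the pipeline variable the
      # AzureKeyVault task created from the secret of the same name.
      KEY1: $(Key1)
      KEY2: $(Key2)
      KEY3: $(Key3)
    inputs:
      targetType: inline
      script: |
        # Names of the env vars mapped above, comma-separated (same shape as
        # the list in the question, but these are env var names, not secrets).
        $keyVaultVariables = 'KEY1,KEY2,KEY3'
        $keyVaultList = $keyVaultVariables -split ','
        $stringReplacementValues = ''

        foreach ($kvVar in $keyVaultList) {
            # Read by name from the process environment, not from a PowerShell
            # variable: $($kvVar) would only return the name string itself.
            $val = [Environment]::GetEnvironmentVariable($kvVar)
            if ([string]::IsNullOrEmpty($val)) {
                throw "Secret '$kvVar' was not mapped into the environment."
            }
            # Do not Write-Host $val: the agent masks known secret values in
            # logs, but a transformed value (e.g. inside a joined string)
            # may not be masked.
            $stringReplacementValues += "$kvVar|$val;"
        }

        # Hand the joined value to the console app as an argument; never echo it.
        & '.\ConsoleApp.exe' --values $stringReplacementValues   # placeholder path
```

SecretsFilter on the Key Vault task and the env block on the PowerShell task are the two places where the set of exposed secrets is pinned down; adding a new secret means editing the pipeline definition, which is exactly the property the answer is pointing at: a script or package running inside the job cannot widen that set on its own.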

huangapple
  • Posted on 9 February 2023 at 00:25:59
  • Please keep this link when reposting: https://go.coder-hub.com/75388799.html