0
votes

I wrote a PowerShell script for a custom TFS task (Build and Release Task). Now I need to execute some command with specific credentials. For this I created the following statement:

Start-Process powershell -Credential $mycred -Wait -ArgumentList "-file $taskDir\task.ps1" -RedirectStandardOutput C:\Temp\taskOutput.log

If I execute the command in PowerShell, everything works correctly. But as soon as the command is executed from the TFS service, it doesn't work. If I remove the -Credential $mycred parameter, the command also works in the context of the TFS execution.

I guess the problem is that with -Credential $mycred a new window is opened, and so it doesn't work within the TFS execution.

Does anyone know a better solution to execute a PowerShell script with specific credentials?

Thanks!!

UPDATE 1:

For better understanding I uploaded the full custom task here

2
What TFS version are you using? - tukan
In general I would recommend using a solution already created - github.com/huserben/TfsExtensions/tree/master/BuildTasks. If you want to have custom BuildTasks you can extend the github one. - tukan
When the build task is executed, it's using TFS build service account? Did you mean you want to run the task with another credential in the build pipeline? - PatrickLu-MSFT
I use TFS 2015 - but in my opinion the link is not relevant for my problem. @Patrick-MSFT Exactly, I need to execute the PowerShell script with another user, because the task runs an EntityFramework migration with integrated security. I uploaded the full task, as you can see in the question. Could you understand my problem? - Martin Schagerl

2 Answers

1
votes

Use Invoke-Command instead. A related thread: Start-Job with credential in custom task problems.

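# Build a PSCredential for the account the script should run as
$mypwd = ConvertTo-SecureString -String "[password, could use variable]" -Force -AsPlainText
$Cred = New-Object System.Management.Automation.PSCredential('[user name]', $mypwd)

# Script block that is executed under the other account
$scriptToExecute =
{
    $VerbosePreference = 'Continue'
    Write-Output "$env:UserName"
    # Write-Verbose "Verbose" 4>&1
}

# Run it through a loopback remoting session and capture the output in $b
$b = Invoke-Command -ComputerName localhost -ScriptBlock $scriptToExecute -Credential $Cred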
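An added example, not part of the answer above: the same Invoke-Command approach wrapped so that the password arrives as a parameter instead of a literal in the task script, and the build log records which account the session really runs as. The function name, its parameter names and the idea of feeding them from a task input or secret build variable are assumptions.

```powershell
# Added example; Invoke-ScriptAsUser and its parameters are hypothetical names.
function Invoke-ScriptAsUser {
    param(
        [Parameter(Mandatory = $true)] [string] $UserName,   # account to run as
        [Parameter(Mandatory = $true)] [string] $Password,   # assumed to come from a secret task input
        [Parameter(Mandatory = $true)] [string] $ScriptPath  # e.g. "$taskDir\task.ps1"
    )

    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Script not found: $ScriptPath"
    }

    # Convert once, then drop the plaintext copy held by this function.
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $Password = $null
    $cred = New-Object System.Management.Automation.PSCredential($UserName, $secure)

    # Loopback remoting: WinRM must be enabled on the agent machine and the
    # account must be allowed to open a remoting session there.
    $session = New-PSSession -ComputerName localhost -Credential $cred -ErrorAction Stop
    try {
        # Confirm the identity before doing any real work.
        $who = Invoke-Command -Session $session -ScriptBlock {
            [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        }
        Write-Host "Running $ScriptPath as $who"

        # -FilePath runs the local script file inside the session;
        # its output is returned to the caller, so no window is involved.
        Invoke-Command -Session $session -FilePath $ScriptPath -ErrorAction Stop
    }
    finally {
        # Always close the session, even when the script throws.
        Remove-PSSession -Session $session
    }
}

# Hypothetical call from the task script; $runAsUser / $runAsPassword are
# assumed to be populated from the task's inputs, never hard-coded:
# Invoke-ScriptAsUser -UserName $runAsUser -Password $runAsPassword -ScriptPath "$taskDir\task.ps1"
```

Nothing in the function writes the password or the credential object to the log; only the resolved account name is printed.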
0
votes

When you queue the build, all build tasks should run under your build service account such as NetworkService. If you run the script a PS window pops up and closes instantly again. It's not able to directly run the script as a different user.

TFS Builds allow you to access a PAT token via a setting in the build definition. These are PAT tokens generated on the fly, so you won't need to store any secret anywhere.

For running the script on a developer's machine, you can ask the developer to enter a PAT or have if/else logic where you ask him for a username and password.

For more details, please refer to this link: https://docs.microsoft.com/en-us/vsts/build-release/actions/scripts/powershell#use-the-oauth-token-to-access-the-rest-api

You could also take a look at this similar question: Powershell / VSTS Build - Store Credentials Independent/ Agnostic of User Running Script