I am new to working with Azure DevOps. I am trying to create a pipeline in Azure DevOps for deploying my Terraform code onto AWS. For authentication, I am aware that we can use service principals, but that would mean I need to specify my access and secret keys in Azure DevOps, which I do not want to do. So I wanted to check whether there are any other ways of doing this?
9 Answers
For accessing/storing these kinds of secrets you can try Azure Key Vault.
Store all your secrets in Azure Key Vault secrets.
When you want to access secrets:
Ensure the Azure service connection has at least Get and List permissions on the vault. You can set these permissions in the Azure portal:
- Open the Settings blade for the vault, choose Access policies, then Add new.
- In the Add access policy blade, choose Select principal and select the service principal for your client account.
- In the Add access policy blade, choose Secret permissions and ensure that Get and List are checked (ticked).
- Choose OK to save the changes.
If you don't want to store credentials on Azure DevOps itself, the best way is to store credentials in a credential store (Azure Key Vault) and access it through a service connection. I assume that you are using YAML-based pipelines. If so, use the following steps to integrate your pipeline with the key vault.
Prerequisites:
- Azure Key Vault is set up and keys are securely stored
Steps:
- In edit mode of the pipeline click on the kebab menu (three dots on upper right corner) and select Triggers
- On the opened menu click on the Variables tab and then Variable Groups
- Open Manage variable groups in a new tab
- Click on + Variable group button to add a new variable
- Give a name and a description. Switch on the Link secrets from an Azure key vault as variables toggle.
- Add a new service connection and once authenticated select the key vault name
- Now add variables into the variable group
- Once done save the variable group and go back to the previous tab in step 2 and link the new variable group.
- Once done save the pipeline
Important: You need to grant secret read permission to the service connection's service principal from your key vault. Reference: Link secrets from an Azure key vault
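An added example (not part of any answer above) of the YAML pipeline the linked variable group plugs into. Assumed names: the variable group is `terraform-aws-secrets`, the Key Vault secrets are `aws-access-key-id` and `aws-secret-access-key` (Key Vault secret names use hyphens, not underscores), and the Terraform code lives in an `infra/` folder.

```yaml
# azure-pipelines.yml (constructed example)
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # Assumed name of the variable group that is linked to the Key Vault
  # (the "Link secrets from an Azure key vault as variables" toggle).
  # The secrets are fetched at queue time through the service connection;
  # nothing is stored in the pipeline definition itself.
  - group: terraform-aws-secrets

steps:
  - script: |
      terraform init -input=false
      terraform plan -input=false -out=tfplan
      terraform apply -input=false tfplan
    displayName: Terraform deploy to AWS
    workingDirectory: $(System.DefaultWorkingDirectory)/infra
    env:
      # Secret variables are NOT exposed to scripts as environment variables
      # automatically. Mapping them explicitly here scopes them to this one
      # step, and the agent masks their values in the job log.
      # The AWS provider reads these standard variable names.
      AWS_ACCESS_KEY_ID: $(aws-access-key-id)
      AWS_SECRET_ACCESS_KEY: $(aws-secret-access-key)
      AWS_DEFAULT_REGION: eu-west-1   # assumed region
```

Because the secrets are linked rather than copied, rotating the key in Key Vault (or revoking the service connection's Get/List access) takes effect on the next run without editing the pipeline.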
1. You have to create a private key for the DevOps pipeline with limited services at your AWS machine.
2. Store the key in the Secure library of the DevOps pipeline.
3. From your AWS firewall, disable SSH connections from unknown IP addresses and white-list the DevOps agents' IP addresses. To get the list of the IPs, check this link: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=vsts&tabs=yaml#agent-ip-ranges