为了从 keystore 访问我的 secret ,我运行
- task: AzureKeyVault@2
inputs:
azureSubscription: $(KEYVAULT_SC_DEV)
KeyVaultName: $(KEYVAULT_NAME_DEV)
SecretsFilter: APICREDENTIALS
RunAsPreJob: true
效果很好。
但是,我有多个工作,现在面临着不得不重复这些台词太多次的麻烦。
那么,有没有办法告诉 Azure Devops 这个 secret 应该为每个作业/阶段/步骤等全局设置?
最佳答案
如果您希望通过 AzureKeyVault@2
任务使 Azure Keyvault secret 在多个作业或阶段中可用,则可以在不同阶段中使用输出。
例如,我在 KeyVault 中设置了 secret 密码
。
跨多个工作:
variables:
# map the output variable from A into this job
password-job-b: $[ dependencies.A.outputs['ouputvariable.mypassword'] ]
跨多个阶段:
variables:
# map the output variable from A into this job
password-stage-two: $[ stageDependencies.One.A.outputs['ouputvariable.mypassword'] ]
整个工作:
- task: AzureKeyVault@2
RunAsPreJob: true ## Make the secret(s) available to the whole job
完整的 yaml 示例:
trigger:
- none
pool:
vmImage: ubuntu-latest
stages:
- stage: One
jobs:
- job: A
steps:
- task: AzureKeyVault@2
inputs:
azureSubscription: ‘your subscription‘
KeyVaultName: ‘your keyvault name’
SecretsFilter: '*'
RunAsPreJob: true
- task: Bash@3
inputs:
targetType: 'inline'
script: 'echo "##vso[task.setvariable variable=mypassword;isOutput=true]$(password)"'
name : ouputvariable
- job: B
dependsOn : A
variables:
# map the output variable from A into this job
password-job-b: $[ dependencies.A.outputs['ouputvariable.mypassword'] ]
steps:
- script: echo this is password :$(password-job-b) # this step uses the mapped-in variable
- stage: Two
variables:
# map the output variable from A into this job
password-stage-two: $[ stageDependencies.One.A.outputs['ouputvariable.mypassword'] ]
jobs:
- job: C
steps:
- script: echo this is password :$(password-stage-two) # this step uses the mapped-in variable
更新
当issecret
设置为true时,变量的值将被保存为secret。
script: 'echo "##vso[task.setvariable variable=mypassword;isOutput=true;issecret=true]$(password)"'
关于azure - 使 Azure Keyvault secret 在整个管道中可用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/74856953/