问题描述
我遇到了这个问题:我需要从构建管道上使用的Powershell脚本连接到Azure订阅,但是出于安全性要求,我无法在代码上写入用户名和密码,因此我拥有带有凭据的pfx证书.现在,我正在使用名为dowload安全文件的任务,将证书放入构建中.然后,我试图从Powershell代码访问证书.
I got this problem:I need to connect to an azure subscrition from a powershell script used on a build pipeline, but for security requirements i can't write user and password on the code, so i have a pfx certificate with the credentials.Right now i'm using the task named dowload secure file, to put the certificate on the build. Then i'm trying to access the certificate from the powershell code.
我已经在机器上测试了代码,但是当我尝试在构建管道上使用它时,我无法以此方式访问证书
I already test the code on my machine, but when i'm trying to use it on the build pipeline i cannot access the certificate with this
我遇到这样的错误
登录中...D:\ a \ 1 \ s \ Scripts \ fileName.ps1:脚本不起作用:无法识别术语"cert.secureFilePath"作为cmdlet,函数,脚本文件或可运行程序的名称.检查名称的拼写,或者路径是否为包括在内,请验证路径正确无误,然后重试.
Logging in...D:\a\1\s\Scripts\fileName.ps1 : The Script does not work :The term 'cert.secureFilePath' is not recognizedas the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path wasincluded, verify that the path is correct and try again.
$tenantId = "xxxxxxxxxxx"
$appId = "zzzzz"
$cert = %DOWNLOADSECUREFILE_SECUREFILEPATH%
$certThumbprint = $cert.Thumbprint
Write-Host "Logging in...";
Login-AzureRmAccount `
-ServicePrincipal `
-TenantId $tenantId `
-ApplicationId $appId `
-CertificateThumbprint $certThumbprint
推荐答案
已下载的安全文件的完整路径存储在 $ env:DOWNLOADSECUREFILE_SECUREFILEPATH 环境变量中.有关下载安全文件"任务的更多信息,请参考此文档.
The full path of the downloaded Secure file is stored to the $env:DOWNLOADSECUREFILE_SECUREFILEPATH environment variable. For more information about Download Secure File task please refer to this document.
我们可以使用以下代码获取certThumbprint
We could get the certThumbprint with following code
$CertificatePath = "$env:DOWNLOADSECUREFILE_SECUREFILEPATH"
$sSecStrPassword = "xxxxx"
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $sSecStrPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint
如果我们不想直接在代码中使用用户名和密码.我们可以使用 Azure管道库.我们可以在代码中引用它.
If we don't want to use to user and password in the code directly. We could use the Azure Pipeline library. And we could reference it in the code.
如果我在库中添加了一个名为 sSecStrPassword 的变量.然后可以更改代码,如下所示:
If I add a Variable named sSecStrPassword in the library. Then the code could be changed as following:
function GetThumbprintPFX {
param([string] $CertificatePath, [string]$Password)
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint
return $thumbprint
}
$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"
测试结果:
有关变量组的更多信息,请参考此链接. Azure Key Vault是安全要求.
For more information about Variable groups, please refer to this link. And Azure Key Vault is another choice for security requirements.
更新:
以下是在Azure Devops管道中使用pfx文件的详细步骤.
The following is the detail steps to use the pfx file in the Azure Devops pipeline.
- 准备一个.pfx文件.
- 添加下载安全文件任务并上传pfx文件.
- 创建一个变量组并添加一个名为 sSecStrPassword 的变量
- create a variable group and add a variable named sSecStrPassword
- 将变量链接到内部版本
- 添加powershell脚本任务,并在其中添加以下脚本.
# Write your powershell commands here.
Write-Host $env:DOWNLOADSECUREFILE_SECUREFILEPATH
function GetThumbprintPFX {
param([string] $CertificatePath, [string]$Password)
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint
return $thumbprint
}
$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"
- 排队构建并检查结果.
这篇关于如何从Powershell中使用在构建管道上使用* .pfx证书进行下载安全文件任务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!