Powershell/VSTS Build - 存储凭据独立/用户运行脚本不可知 [英] Powershell / VSTS Build - Store Credentials Independent/ Agnostic of User Running Script
问题描述
我正在尝试为构建创建一个脚本,用于检出文件、编辑文件并重新检入.
I'm trying to create a script for a build that checks out a file, edits it and checks it back in.
我希望它在作为开发人员或构建代理运行时能够正常工作.
I want it to work when running as a developer, or as a build agent.
我有一个类似于 this 的解决方案,其中密码存储在文件中并为构建检索.
I have a solution similar to this, whereby the password is stored in a file and retrieved for the build.
即
文件创建:
read-host -prompt Password -assecurestring | convertfrom-securestring | out-file .ps-password.pwd -ErrorAction Stop
文件使用:
# *VSTS Login*
$Username = $tfsUserName
$Password = Get-Content $tfsUserPasswordPath | ConvertTo-SecureString
$creds = New-Object -typename System.Management.Automation.PSCredential -ArgumentList $Username,$Password
$tfsServer = New-Object System.Uri("https://myaccount.visualstudio.com")
$tfsCollection = New-Object Microsoft.TeamFoundation.Client.TfsTeamProjectCollection($tfsServer,$creds)
$tfsCollection.Authenticate()
"***************** Authenticated *****************"
" *VSTS Check Out file* from $fileToUpdate"
Add-TfsPendingChange -Edit -Item $fileToUpdate -Verbose -ErrorAction Stop -wa 0
# read the file, update the number and save it back
$stuff = Get-Content $fileToUpdate
# modify stuff
Set-Content -Value $stuff -Path $fileToUpdate
# *VSTS Check In* Check in the file after changes.
" *VSTS Check In"
New-TfsChangeset -Item $fileToUpdate -Verbose -Comment "***NO_CI***" -Override true -ErrorAction Stop
SecureStrings 基于机器/用户帐户,因此当我从 Powershell ISE 作为我的帐户运行时,构建工作正常,但从构建服务器触发时则不行(它现在作为 NetworkService 运行).
SecureStrings are based on the machine/users account, so the build works fine when I run from Powershell ISE as my account, but not when triggered from the build server (it runs as NetworkService for now).
我尝试按照这篇文章创建密码文件作为网络服务"以及尝试 key 用于安全字符串,但在我的用户和网络服务下都无法使用任何东西.
I have tried following this post to create the password file as 'Network Service' as well as trying a key for the secure string, but can't get anything to work under both my user and Network Service.
如何简单地存储独立于运行脚本的用户工作的凭据?
How can I simply store credentials that will work idependently of the user running the script?
或者这只是错误的方法,我应该以某种方式使用 PAT?
Or is this just the wrong way to do it, and I should be using a PAT somehow?
推荐答案
构建允许您通过构建定义中的设置访问 PAT 令牌.这些是即时生成的 PAT 令牌,因此您无需在任何地方存储任何秘密.
Builds allow you to access PAT token via a settings in build definition. These are on the fly generated PAT tokens, so you won't need to store any secret anywhere.
要在开发人员的机器上运行脚本,您可以要求开发人员输入 PAT 或使用 if else 逻辑,您可以向他询问用户名密码.
For running the script at a developer's machine, you can ask a developer to enter PAT or have an if else logic where you can ask him for username password.
更多信息在
https://www.visualstudio.com/en-us/docs/build/scripts/#use-the-oauth-token-to-access-the-rest-api
更新(完整解决方案):
Update (full solution):
在您的构建中,您必须转到选项"并打开允许脚本访问 OAuth 令牌".
In your build, you must go to 'Options' and turn on 'Allow scripts to access OAuth token'.
您的最终脚本将如下所示.
Your final script will look something like the following.
Add-PSSnapin Microsoft.TeamFoundation.PowerShell
# This file requires the TFS Power Tools (2015+). When installing, you must select Custom Installation and select PowerShell Cmdlets
# *VSTS Login*
$url = "$($env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI)$env:SYSTEM_TEAMPROJECTID/_apis/build/definitions/$($env:SYSTEM_DEFINITIONID)?api-version=2.0"
Write-Host "URL: $url"
$definition = Invoke-RestMethod -Uri $url -Headers @{
Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"
}
Write-Host "Definition = $($definition | ConvertTo-Json -Depth 100)"
"***************** Authenticated *****************"
" *VSTS Check Out file* from $fileToUpdate"
Add-TfsPendingChange -Edit -Item $fileToUpdate -Verbose -ErrorAction Stop -wa 0
# read the file, update the number and save it back
$stuff = Get-Content $fileToUpdate
# modify stuff - make sure you actually make a change!
Set-Content -Value $stuff -Path $fileToUpdate
# *VSTS Check In* Check in the file after changes.
" *VSTS Check In"
New-TfsChangeset -Item $fileToUpdate -Verbose -Comment "***NO_CI***" -Override true -ErrorAction Stop
这篇关于Powershell/VSTS Build - 存储凭据独立/用户运行脚本不可知的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
