Powershell/VSTS构建-存储凭据独立/与用户运行脚本无关 [英] Powershell / VSTS Build - Store Credentials Independent/ Agnostic of User Running Script
问题描述
我正在尝试为生成的脚本创建脚本,该脚本可以检出文件,对其进行编辑然后将其检入.
I'm trying to create a script for a build that checks out a file, edits it and checks it back in.
我希望它以开发人员或构建代理的身份运行.
I want it to work when running as a developer, or as a build agent.
我有一个类似于此的解决方案,其中密码存储在文件中并在构建时进行检索.
I have a solution similar to this, whereby the password is stored in a file and retrieved for the build.
即
文件创建:
read-host -prompt Password -assecurestring | convertfrom-securestring | out-file .\ps-password.pwd -ErrorAction Stop
文件使用:
# *VSTS Login*
$Username = $tfsUserName
$Password = Get-Content $tfsUserPasswordPath | ConvertTo-SecureString
$creds = New-Object -typename System.Management.Automation.PSCredential -ArgumentList $Username,$Password
$tfsServer = New-Object System.Uri("https://myaccount.visualstudio.com")
$tfsCollection = New-Object Microsoft.TeamFoundation.Client.TfsTeamProjectCollection($tfsServer,$creds)
$tfsCollection.Authenticate()
"***************** Authenticated *****************"
" *VSTS Check Out file* from $fileToUpdate"
Add-TfsPendingChange -Edit -Item $fileToUpdate -Verbose -ErrorAction Stop -wa 0
# read the file, update the number and save it back
$stuff = Get-Content $fileToUpdate
# modify stuff
Set-Content -Value $stuff -Path $fileToUpdate
# *VSTS Check In* Check in the file after changes.
" *VSTS Check In"
New-TfsChangeset -Item $fileToUpdate -Verbose -Comment "***NO_CI***" -Override true -ErrorAction Stop
SecureStrings基于机器/用户帐户,因此当我从Powershell ISE作为我的帐户运行时,该构建工作正常,但是当从构建服务器触发时,构建就无法正常工作(目前以NetworkService运行).
SecureStrings are based on the machine/users account, so the build works fine when I run from Powershell ISE as my account, but not when triggered from the build server (it runs as NetworkService for now).
我尝试按照这篇文章创建密码文件作为网络服务",并尝试使用密钥输入安全字符串,但在我的用户和网络服务下都无法正常工作.
I have tried following this post to create the password file as 'Network Service' as well as trying a key for the secure string, but can't get anything to work under both my user and Network Service.
如何简单地存储将独立于运行脚本的用户工作的凭据?
How can I simply store credentials that will work idependently of the user running the script?
还是这只是错误的方法,我应该以某种方式使用PAT?
Or is this just the wrong way to do it, and I should be using a PAT somehow?
推荐答案
内部版本允许您通过内部版本定义中的设置访问PAT令牌.这些是即时生成的PAT令牌,因此您无需在任何地方存储任何秘密.
Builds allow you to access PAT token via a settings in build definition. These are on the fly generated PAT tokens, so you won't need to store any secret anywhere.
要在开发人员的计算机上运行脚本,您可以要求开发人员输入PAT或使用其他逻辑(可以要求他提供用户名密码).
For running the script at a developer's machine, you can ask a developer to enter PAT or have an if else logic where you can ask him for username password.
更多信息,在
Update (full solution):
在构建中,您必须转到选项"并打开允许脚本访问OAuth令牌".
In your build, you must go to 'Options' and turn on 'Allow scripts to access OAuth token'.
您的最终脚本将类似于以下内容.
Your final script will look something like the following.
Add-PSSnapin Microsoft.TeamFoundation.PowerShell
# This file requires the TFS Power Tools (2015+). When installing, you must select Custom Installation and select PowerShell Cmdlets
# *VSTS Login*
$url = "$($env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI)$env:SYSTEM_TEAMPROJECTID/_apis/build/definitions/$($env:SYSTEM_DEFINITIONID)?api-version=2.0"
Write-Host "URL: $url"
$definition = Invoke-RestMethod -Uri $url -Headers @{
Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"
}
Write-Host "Definition = $($definition | ConvertTo-Json -Depth 100)"
"***************** Authenticated *****************"
" *VSTS Check Out file* from $fileToUpdate"
Add-TfsPendingChange -Edit -Item $fileToUpdate -Verbose -ErrorAction Stop -wa 0
# read the file, update the number and save it back
$stuff = Get-Content $fileToUpdate
# modify stuff - make sure you actually make a change!
Set-Content -Value $stuff -Path $fileToUpdate
# *VSTS Check In* Check in the file after changes.
" *VSTS Check In"
New-TfsChangeset -Item $fileToUpdate -Verbose -Comment "***NO_CI***" -Override true -ErrorAction Stop
这篇关于Powershell/VSTS构建-存储凭据独立/与用户运行脚本无关的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
