How to use a *.pfx certificate from the Download Secure File task in PowerShell on a build pipeline

Problem description:

I got this problem: I need to connect to an Azure subscription from a PowerShell script used on a build pipeline, but for security requirements I can't write the user and password in the code, so I have a pfx certificate with the credentials. Right now I'm using the task named Download Secure File to put the certificate on the build. Then I'm trying to access the certificate from the PowerShell code.

I already tested the code on my machine, but when I try to use it on the build pipeline I cannot access the certificate this way.

I get an error like this:

Logging in... D:\a\1\s\Scripts\fileName.ps1 : The Script does not work :The term 'cert.secureFilePath' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

$tenantId  = "xxxxxxxxxxx"
$appId = "zzzzz"
$cert = %DOWNLOADSECUREFILE_SECUREFILEPATH% 
$certThumbprint = $cert.Thumbprint

Write-Host "Logging in...";

Login-AzureRmAccount `
-ServicePrincipal `
-TenantId $tenantId `
-ApplicationId $appId `
-CertificateThumbprint $certThumbprint

Tasks used on the build pipeline:

The full path of the downloaded Secure file is stored in the $env:DOWNLOADSECUREFILE_SECUREFILEPATH environment variable. For more information about the Download Secure File task, please refer to this document.

We could get the certThumbprint with the following code:

# Path written by the Download Secure File task earlier in the same job
$CertificatePath = "$env:DOWNLOADSECUREFILE_SECUREFILEPATH"
# PFX password (hard-coded here only for illustration; see the variable-group version below)
$sSecStrPassword = "xxxxx"
# Load the PFX from disk; DefaultKeySet stores the private key in the default (user) key container
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $sSecStrPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint

If we don't want to use the user and password in the code directly, we could use the Azure Pipelines library and reference it in the code.

If you want to encrypt and securely store the value, choose the "lock" icon at the end of the row. When you're finished adding variables, choose Save.

You access the value of the variables in a linked variable group in exactly the same way as variables you define within the pipeline itself. For example, to access the value of a variable named customer in a variable group linked to the pipeline, use $(customer) in a task parameter or a script. However, secret variables (encrypted variables and key vault variables) cannot be accessed directly in scripts; instead they must be passed as arguments to a task.

If I add a variable named sSecStrPassword in the library, the code could be changed as follows:

function GetThumbprintPFX {
 param([string] $CertificatePath, [string]$Password)
 # Load the PFX with its password and return the certificate's thumbprint
 $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
 $certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
 $thumbprint = $certificateObject.Thumbprint
 return $thumbprint
}

# $(sSecStrPassword) is pipeline macro syntax: Azure Pipelines substitutes the secret into
# the inline script before PowerShell runs it, so it is not read from the environment
$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"

Test result:

For more information about variable groups, please refer to this link. Azure Key Vault is another choice for security requirements.

Update:

The following are the detailed steps to use the pfx file in the Azure DevOps pipeline.

  1. Prepare a .pfx file.
  2. Add the Download Secure File task and upload the pfx file.
  3. Create a variable group and add a variable named sSecStrPassword.
  4. Link the variable group to the build.
  5. Add a PowerShell script task and put the following script in it.

# Write your powershell commands here.

Write-Host $env:DOWNLOADSECUREFILE_SECUREFILEPATH

function GetThumbprintPFX {
 param([string] $CertificatePath, [string]$Password)
 $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
 $certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
 $thumbprint = $certificateObject.Thumbprint
 return $thumbprint  
}

$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"

  6. Queue the build and check the result.
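The steps above compute a thumbprint from the downloaded file, but a login by -CertificateThumbprint (Login-AzureRmAccount as well as Connect-AzAccount) resolves the certificate through the Windows certificate store, so on a fresh hosted agent the PFX also has to be imported before the login step. The following script is an added example and is not code from the original question or answer. It validates the secure-file path, reads the PFX password from a secret variable that is mapped into the task's environment (in the task's env section, e.g. PFX_PASSWORD: $(pfxPassword)) instead of being substituted inline, imports the certificate into Cert:\CurrentUser\My, checks the private key and validity dates, signs in with Connect-AzAccount from the Az module, and removes the key from the store when the job is done. The names pfxPassword, PFX_PASSWORD, TENANT_ID and APP_ID are assumptions; the Az module (Connect-AzAccount) is assumed to be installed on the agent, and the PKI module that provides Import-PfxCertificate is present on Windows agents.

```powershell
# Added example, not code from the original question or answer.
# Assumed names: secret variable pfxPassword mapped into the task environment as
# PFX_PASSWORD, and pipeline variables tenantId / appId mapped as TENANT_ID / APP_ID.
# DOWNLOADSECUREFILE_SECUREFILEPATH is set by the Download Secure File task
# (default reference name "DownloadSecureFile").
$ErrorActionPreference = 'Stop'

function Get-SecurePfxPath {
    $path = $env:DOWNLOADSECUREFILE_SECUREFILEPATH
    if ([string]::IsNullOrWhiteSpace($path) -or -not (Test-Path -LiteralPath $path)) {
        throw 'Secure file not found: did the Download Secure File task run earlier in this job?'
    }
    return $path
}

function Get-PfxPasswordFromEnv {
    # Secret variables are not exposed as environment variables unless mapped
    # explicitly on the task (env: PFX_PASSWORD: $(pfxPassword)). Reading the
    # secret from the environment keeps it out of the generated inline-script file.
    if ([string]::IsNullOrEmpty($env:PFX_PASSWORD)) {
        throw 'PFX_PASSWORD is not set; map the secret variable into the task environment.'
    }
    return (ConvertTo-SecureString -String $env:PFX_PASSWORD -AsPlainText -Force)
}

function Install-PipelineCertificate {
    param([string]$PfxPath, [securestring]$Password)
    # -CertificateThumbprint logins look the certificate up in the Windows
    # certificate store, so the PFX must be imported, not only loaded from disk.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password
    if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key; re-export it with the key included.' }
    $now = Get-Date
    if ($cert.NotAfter -lt $now)  { throw "Certificate expired on $($cert.NotAfter)." }
    if ($cert.NotBefore -gt $now) { throw "Certificate is not valid before $($cert.NotBefore)." }
    return $cert
}

$pfxPath = Get-SecurePfxPath
$cert = Install-PipelineCertificate -PfxPath $pfxPath -Password (Get-PfxPasswordFromEnv)
Write-Host "Logging in with certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

try {
    # Az module; Login-AzureRmAccount takes the same parameters for AzureRM
    Connect-AzAccount -ServicePrincipal -TenantId $env:TENANT_ID -ApplicationId $env:APP_ID -CertificateThumbprint $cert.Thumbprint | Out-Null
    $ctx = Get-AzContext
    Write-Host "Connected to subscription $($ctx.Subscription.Name) ($($ctx.Subscription.Id))"
    # ... pipeline work that needs the Azure session goes here ...
}
finally {
    # Hosted agents are discarded after the job, but a self-hosted agent keeps the
    # user store: remove the certificate and its private key once we are done.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey -ErrorAction SilentlyContinue
    Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null
}
```

The secure file itself is cleaned up by the Download Secure File task at the end of the job; the certificate store is not, which is why the finally block removes the imported key rather than relying on the agent being recycled.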