LetsDevOps: Connect to Azure using Encrypted Password/Secret using Azure DevOps Pipeline

This blog will help to setup and use of the encrypted password in Azure DevOps Pipeline to connect to Azure. This technique can be also customize as per your requirement.


Action List


Note: This is applicable for self hosted Agent and If you want to learn how to configure self hosted agent please follow below article.


https://www.letsdevops.net/post/azure-devops-configure-self-hosted-agent-on-the-azure-devops

  1. Encrypt the Password/Secret using the Pipeline [Self Hosted Agent]

  2. Save the encrypted Public Key [Which can only be decrypted by Agent]

  3. Encryption will use the Self signed Certificate.

  4. Decrypt the Key and connect to Azure


Encryption

First we need to encrypt the password/secret using the Azure DevOps Pipeline which is using self hosted Agent. Hence the password/secret will be encrypted using the agent and the agent service account.


Step: 1

Create a test pipeline to encrypt the password and make sure the self hosted agent is configured with the Pipeline. Download the build yaml file from below link.


Download the build yaml file for creating the encryption Pipeline.


Step: 2

Check in the downloaded yaml file into you Azure DevOps Repos.





Step: 3

Create one yaml Pipeline with checked in "azure-pipelines.yml".












Step: 4

Once the Pipeline created. Make sure to update the Pool setting under the Azure-pipelines.yml with your self-hosted- agent pool name.


In my case it is : custom-agent.


code snipped from Azure-pipelines.yml

parameters:

- name: User
 displayName: 'UserID like: letsdevops@info.net'
 type: string

- name: Password
 displayName: 'Password'
 type: string

- name: SelfSignCertificateName
 displayName: 'SelfSignCertificateName'
 type: string

trigger: none

pool:
 custom-agent

Step: 5.

Once the pool information updated from step 4. Run the Pipeline with below Parameter.


  • UserID [User Details to connect to Azure]

  • Password [User Password for Encryption]

  • Self Signed Certificate Name [Certificate Name will be created during the execution]


Step 6:

On successful execution the Encrypted Password will be stored on the Agent Machine.

C:\CredentialEncryption\credentials.txt.


Now this encrypted password can be used further in the Pipeline execution or for your Automation work.





Step 7:

You can keep this pipeline for any Password/Secret Encryption and only Agent will be able to decrypt it since it has the Private Key.


if you want to learn more about this encryption method. You can follow below Link.

https://www.letsdevops.net/post/powershell-encrypt-and-decrypt-data-by-using-certificates-public-key-private-key


Connect to Azure

Since we have encrypted the Password now we can use this encrypted password to connect to Azure.


Steps:

  • The encrypted password is stored at C:\CredentialEncryption\credentials.txt. you can keep this file at any relevant location but now i will use from the same location.

  • You can use below PowerShell snipped to Connect to Azure.

Note: Since the password is encrypted by configured Self Hosted Agent make sure the Below script is used to run on the same agent so that it will be able to decrypt the password.




#Decrypt the credential first and connect to Azure     

$creds = Import-Csv -Path "C:\CredentialEncryption\credentials.txt"

$userName = $creds.UserName      

$securePassword = $creds.Password | Unprotect-CmsMessage | ConvertTo-SecureString      

#Creating credential object 
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $userName, $securePassword      

Connect-AzAccount -Credential $credential | Out-Null