In today's article we are going to cover how to use a Storage Account Key in an Azure PowerShell Task in a Build Pipeline. The methods demonstrated in this article can also be used for several other IaaS and PaaS Offerings available in Azure.
NOTE: This article was tested and written for an Azure Build Pipeline using a Microsoft-hosted Agent running vs2017-win2016 and a separate Windows Host running Windows 10 with Azure CLI installed.
In this article:
Create a new Resource Group and Storage Account
Using the Storage Account Key in a Build Pipeline Variable
Conclusion
On your Windows Host (with Azure CLI installed), open up a PowerShell prompt and run the following command to create a new Resource Group.
az group create `
--name encrypted-variables `
--location westeurope
You should get back the following output:
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/encrypted-variables",
"location": "westeurope",
"managedBy": null,
"name": "encrypted-variables",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null,
"type": "Microsoft.Resources/resourceGroups"
}
Next, run the following command to randomly generate 4 alphanumeric characters.
$RandomAlpha = (New-Guid).ToString().Substring(0,4)
NOTE: We are appending this to the name of our Storage Account to ensure we create a unique Storage Account name.
Run the following command to create a new Storage Account.
$NewStorageAccount = az storage account create `
--name "encryptvardemo$RandomAlpha" `
--resource-group encrypted-variables
You should get back the following output:
The default kind for created storage account will change to 'StorageV2' from 'Storage' in future
- Running ..
Run the following command to verify that the Storage Account was provisioned successfully.
($NewStorageAccount | ConvertFrom-Json).provisioningState
You should get back the following output:
"Succeeded"
Next, run the following command to retrieve the Primary Key for your new Storage Account.
az storage account keys list `
--account-name "encryptvardemo$RandomAlpha" `
--query [0].value `
--output tsv
You should get back the Primary Key of your new Storage Account which should look similar to the one below:
lB7TsIMia9dCqFBI1ICC0u5JHQeZO87fBpy5adfy9x/kb80k9vJ0wSObbGLfxBXnVpmJZDZ3T8S62o7y5gualA==
Next, in an Azure DevOps Pipeline, click on the Variables tab and copy the Storage Account Key into a new variable called primaryStorageAccountKey.
Next, mark the Storage Account Key value as secret by pressing the Lock Icon on the far right side of the primaryStorageAccountKey variable.
The Storage Account Key should now be secured and displayed only as a set of asterisks.
Next, in the Tasks section of the Build Pipeline, create an Azure PowerShell Task called retrieve-encrypted-variables and paste in the code below as an Inline script. Once the task is configured, click on Save & queue to run the Build.
# Retrieving and using a Storage Account Key from Build Pipeline Variables.
Write-Output "Primary Storage Account Key: $(primaryStorageAccountKey)"
NOTE: If the Azure PowerShell Task is asking you for an Azure PowerShell Version to use, just choose the Latest installed version option.
When the Build finishes, you should see the Storage Account Key displayed entirely as asterisks in the job output.
Although the job displays the Storage Account Key in asterisks, the value can still be used in your script where required.
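As an added example (not part of the original article), the inline script below uses the secret variable to authenticate to the Storage Account and create a private container without ever writing the key to the log. It assumes the task version loads the Az module (on AzureRM the equivalent cmdlets are New-AzureStorageContext, Get-AzureStorageContainer and New-AzureStorageContainer). The storageAccountName pipeline variable and the pipeline-demo container name are hypothetical.

```powershell
# Added example: inline script for the Azure PowerShell task (assumes the Az module).
# Assumption: storageAccountName is a hypothetical non-secret pipeline variable
# holding the name of the account created earlier (encryptvardemo + random suffix).

$ErrorActionPreference = 'Stop'

# The agent replaces $(...) macros before PowerShell runs. Single quotes stop
# PowerShell from evaluating an unreplaced macro as a subexpression.
$accountName = '$(storageAccountName)'
$accountKey  = '$(primaryStorageAccountKey)'

# Fail early if a macro was not substituted or the value is empty.
$inputs = @(
    @{ Name = 'storageAccountName';       Value = $accountName },
    @{ Name = 'primaryStorageAccountKey'; Value = $accountKey }
)
foreach ($item in $inputs) {
    if ([string]::IsNullOrWhiteSpace($item.Value) -or $item.Value.StartsWith('$(')) {
        throw "Pipeline variable '$($item.Name)' is not defined for this build."
    }
}

# Use the key for authentication only; it is never passed to Write-Output.
$context = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey

# Create a private container if it does not exist yet (constructed name).
$containerName = 'pipeline-demo'
$existing = Get-AzStorageContainer -Context $context |
    Where-Object { $_.Name -eq $containerName }
if (-not $existing) {
    New-AzStorageContainer -Name $containerName -Context $context -Permission Off | Out-Null
}

# Report only non-sensitive results.
$count = @(Get-AzStorageContainer -Context $context).Count
Write-Output "Storage account '$accountName' now has $count container(s)."
```

Log masking matches the exact secret value, so keep the script from emitting substrings or encoded forms of the key, which would not be replaced with asterisks.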
In today's article we covered how to use and store a Storage Account Key as a variable in an Azure PowerShell Task in a Build Pipeline. If there's a specific scenario that you wish to be covered in future articles, please create a New Issue in the starkfell/100DaysOfIaC GitHub repository.