GregH

Reputation: 12868

What would be the best way to manage cloud credentials as part of an Azure DevOps build pipeline?

We are going to be creating build/deploy pipelines in Azure DevOps to provision infrastructure in Google Cloud Platform (GCP) using Terraform. In order to execute the Terraform provisioning script, we have to provide the GCP credentials so it can connect to our GCP account. I have a credential file (JSON) that can be referenced in the Terraform script. However, being new to build/deploy pipelines, I'm not clear on exactly what to do with the credential file. That is something we don't want to hard-code in the TF script and we don't want to make it generally available to just anybody that has access to the TF scripts. Where exactly would I put the credential file to secure it from prying eyes while making it available to the build pipeline? Would I put it on an actual build server?

Upvotes: 2

Views: 793

Answers (1)

4c74356b41

Reputation: 72171

I'd probably use build variables or store variables in Key Vault and pull those at deployment time. Storing secrets on the build agent is worse, because that means you are locked into this build agent.

https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch

Upvotes: 1
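One way to wire up the Key Vault approach from the answer above, as an added example that is not part of the original post: an Azure Pipelines YAML that fetches the GCP service-account key from Key Vault at run time, writes it to a user-only temp file for the Terraform google provider, and deletes it when the step ends. The service connection name (`gcp-kv-connection`), vault name (`my-pipeline-kv`) and secret name (`gcp-terraform-sa`) are placeholders; the secret's value is assumed to be the full contents of the JSON key file.

```yaml
# Azure Pipelines YAML (added example; not from the original post).
# Assumed placeholders, not real resources:
#   gcp-kv-connection : an Azure Resource Manager service connection
#   my-pipeline-kv    : the Key Vault that holds the secret
#   gcp-terraform-sa  : a Key Vault secret whose value is the GCP
#                       service-account JSON key file contents
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  # Pull the secret at run time. Each fetched secret becomes a pipeline
  # variable of the same name, flagged as secret: its value is masked in
  # logs and is not exposed to scripts unless mapped explicitly via env.
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: 'gcp-kv-connection'
      KeyVaultName: 'my-pipeline-kv'
      SecretsFilter: 'gcp-terraform-sa'
      RunAsPreJob: false

  - task: Bash@3
    displayName: 'Terraform plan and apply against GCP'
    env:
      # Secret variables are NOT auto-exported to the environment; this
      # explicit mapping is the only way the script below sees the value.
      GCP_SA_KEY_JSON: $(gcp-terraform-sa)
    inputs:
      targetType: inline
      script: |
        set -euo pipefail
        umask 077   # files created below are readable by this user only
        CRED_FILE="$(Agent.TempDirectory)/gcp-sa.json"
        # Remove the key file when the step ends, success or failure.
        trap 'rm -f "$CRED_FILE"' EXIT
        printf '%s' "$GCP_SA_KEY_JSON" > "$CRED_FILE"

        # The Terraform google provider reads the key from this path, so the
        # key never has to be committed alongside the .tf files.
        export GOOGLE_APPLICATION_CREDENTIALS="$CRED_FILE"

        terraform init -input=false
        terraform plan -input=false -out=tfplan
        terraform apply -input=false tfplan
```

The same `env:` mapping works if the key is kept as a secret pipeline variable or in a variable group instead of Key Vault (the second link in the answer); the point in both cases is that the value arrives at the job from a managed secret store and lives only in a short-lived, user-only file, never on the agent's disk between runs.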
