Reputation: 9504
How can Azure DevOps pipeline build and release logs be locked down to a specific group?
Background:
Our team has removed sensitive information from code and configuration files, instead placing values in Azure KeyVault with Azure DevOps variables collections associated. This effectively prevents users from seeing variables in code, and values in the variables collection, but it does not limit values being written to build/release logs.
Question:
What options are available for (1) excluding access to build/release logs and (2) restricting pipeline editing?
Correction: Values are written to the logs, but values coming from Key Vault are masked as *** values. This resolves our problem, but the overarching question remains.
Upvotes: 1
Views: 548
Answers (1)
Reputation: 35194
I am afraid that there is no such method could only exclude the access to build and release Logs.
Based on your requirements, you could try to restrict the following permission.
For Build Pipeline, you could limit the View builds and Edit build pipeline.
Then the user will have no access to see the Builds and Edit the Pipeline.
For Release Pipeline, you could limit the View releases and Edit release pipeline.
Upvotes: 1
Related Questions
- Cannot authorize variable group in Azure Pipelines
- Azure DevOps Release Pipelines permission
- Azure DevOps - permissions issue with deployment groups
- How do I restrict pipeline triggering
- how to restrict the access on build.yml file from developers in Azure DevOps repository
- Azure DevOps pipeline variable group cannot list Key Vault
- Azure DevOps Permissions on Pipeline Artifacts
- Manage permissions to run azure devops pipelines and permissions to change variable groups pragmatically
- Access rights for Azure DevOps Services pipeline
- How to restrict access to Pipelines in Azure DevOps