Nick

Reputation: 481

Azure Devops Release > Powershell task > Building a scheduled task

I'm trying to build a Powershell function that will create a Windows Scheduled Task on my onPrem server as part of my Azure release pipeline, which will need to run with the "Run whether user is logged on or not", so I am passing it an AD Service account UserID & Password.

This works totally fine if I use a plain text password from a variable, but I would like to import the password from my Azure KeyVault. I'll call it "PasswordFromKeyVault".

I have added a new Variable Group, linked to the Keyvault and it retrieves the value correctly.

Here is the Powershell script I am using in this step:

$TaskName = "HelloNewTaskWorld"
$Trigger= New-ScheduledTaskTrigger -At 10:02am -Daily

$Action= New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "C:\PowershellScripts\Somescript.ps1"

$principal = New-ScheduledTaskPrincipal -UserId $(PlainTextUserIdVariable) -LogonType ServiceAccount
$description = "Testing AzureDevOps ability to deploy a fully configured scheduled task"

#As expected, outputs xxx to the console
Write-Host $(PasswordFromKeyVault)


Register-ScheduledTask -TaskName $TaskName -Description $description -Trigger $Trigger -Action $Action -Principal $principal -Force
Set-ScheduledTask -TaskName $TaskName -User $principal.UserID -Password $(PasswordFromKeyVault)

But when it runs, I receive the error message "The user name or password is incorrect":

2022-04-11T16:18:23.0724016Z Set-ScheduledTask : The user name or password is incorrect.
2022-04-11T16:18:23.0724884Z At C:\vstsagent\XW14Agent1\_work\_temp\90f67b9e-e6f7-4f71-9be9-fe24498f535e.ps1:16 char:1
2022-04-11T16:18:23.0725477Z + Set-ScheduledTask -TaskName $TaskName -User $principal.UserID -Passwo ...
2022-04-11T16:18:23.0726111Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-04-11T16:18:23.0726638Z     + CategoryInfo          : AuthenticationError: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Set-Scheduled 
2022-04-11T16:18:23.0727110Z    Task], CimException
2022-04-11T16:18:23.0727497Z     + FullyQualifiedErrorId : HRESULT 0x8007052e,Set-ScheduledTask

I assume this is because the Azure Keyvault value is encrypted, and cannot be decrypted (which is exactly what I want), but does anyone know how I can create a credential using an already encrypted password?

Upvotes: 0

Views: 1039

Answers (1)

kavya Saraboju

Reputation: 10831

Edit - 17/04/2022


The error "The user name or password is incorrect" can be resolved by checking and placing the retrieved password in double quotes to get the actual value, i.e. like:

"$(PasswordFromKeyVault)"

14/04/2022

  1. Please make sure to set an access policy or policies in Azure Key Vault for the Azure DevOps project application principal /service account with List/Get permissions on Secrets and make sure the name of the KeyVault and azureSubscription are both correct. You can refer to this blog.

  2. Configure the Environment Variables, see the Stack Overflow reference.

    Secret variables are usually encrypted. So to pass a secret to a script, we can make use of the Environment section of the scripting task's input variables. If environment variables in the pipeline are something like:

    Name: password | Value: $(mypassword)

    Now, try calling your variable with $env:password in your script.

Set-up PS Credentials

$Username = "$env:USERDOMAIN\local-admin"

NOTE: Key Vault name and Secret name should be retrieved via “normal” variables using inherited environment variable.
For example:

$Secret = (Get-AzKeyVaultSecret -VaultName "myKeyVaultName" -Name "kvTestSecret").SecretValueText
Write-Host "PowerShell Get-AzKeyVaultSecret: $Secret"

References:

[string]$AdminPassword = Get-AzKeyVaultSecret -VaultName "***" -Name "***" -AsPlainText
# or: $AdminPassword = $env:password
[securestring]$SecureAdminPassword = $AdminPassword | ConvertTo-SecureString -AsPlainText -Force
# or: $Password = ConvertTo-SecureString "PasswordHere" -AsPlainText -Force

$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecureAdminPassword
# or: $cred = New-Object System.Management.Automation.PSCredential($Username, $SecureAdminPassword)

# Then you can set up the Scheduled Task parameters

Check this.

References:

  1. Dynamically get KeyVault secret in Azure DevOps Powershell script - Stack Overflow
  2. Azure Key Vault task - Azure Pipelines | Microsoft Docs
  3. about Quoting Rules - PowerShell | Microsoft Docs

Upvotes: 1
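
The environment-variable route from the answer, put together as one script (an added example, not code from the question or the answer). Reading the secret from the environment at run time avoids macro substitution, which pastes the value into the script text where `$`, backtick and quote characters in a password get reinterpreted by PowerShell. `TASK_USER` and `TASK_PASSWORD` are assumed names that must be mapped in the task's Environment section.

```powershell
# Added example. Assumed mapping in the PowerShell task's Environment section:
#   TASK_USER     = $(PlainTextUserIdVariable)
#   TASK_PASSWORD = $(PasswordFromKeyVault)
# TASK_USER and TASK_PASSWORD are hypothetical names chosen for this sketch.
$ErrorActionPreference = 'Stop'

function Get-RequiredEnv {
    param([Parameter(Mandatory)][string]$Name)

    $value = [Environment]::GetEnvironmentVariable($Name)
    if ([string]::IsNullOrEmpty($value)) {
        throw "Environment variable '$Name' is empty; map it in the task's Environment section."
    }
    # A macro the agent could not resolve is passed through as the literal text $(Name).
    if ($value -match '^\$\(.+\)$') {
        throw "Environment variable '$Name' holds an unexpanded macro; check the variable group."
    }
    return $value
}

$user     = Get-RequiredEnv -Name 'TASK_USER'
$password = Get-RequiredEnv -Name 'TASK_PASSWORD'

$registration = @{
    TaskName    = 'HelloNewTaskWorld'
    Description = 'Testing AzureDevOps ability to deploy a fully configured scheduled task'
    Trigger     = (New-ScheduledTaskTrigger -At 10:02am -Daily)
    Action      = (New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument 'C:\PowershellScripts\Somescript.ps1')
    User        = $user
    Password    = $password   # read at run time, never substituted into the script text
    Force       = $true
}

# Supplying -User and -Password stores the credential with the task, which is what
# "Run whether user is logged on or not" needs; no separate Set-ScheduledTask call.
Register-ScheduledTask @registration | Out-Null

# Confirm the result without echoing the secret.
$task = Get-ScheduledTask -TaskName $registration.TaskName
Write-Host "Registered '$($task.TaskName)' as $($task.Principal.UserId), logon type $($task.Principal.LogonType)"
```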
