azure azure-devops azure-pipelines azure-cloud-services

Using a single SAS token for every pipeline agent to upload to blob storage


The problem is I don't want to create a new SAS token for every agent. I want to use the same SAS token for a specific period on every agent of the pipeline.

I already tried to create a SAS token without mentioning any IP and it failed to upload the file to blob storage.

The reason to have a universal SAS key is that I don't want to use an access key or connection string to create a SAS token again and again.


Solution

  • I want to use the same SAS token for a specific period on every agent of the pipeline

    Based on your requirement, you can use a separate pipeline to create the SAS token. Then you can use a variable group to save the SAS token.

    In this case, every pipeline can use the same SAS token by using the variable group in the pipeline.

    Here are the steps:

    Step 1: Create a variable group in Pipelines -> Library and add a variable with an empty value.

    Step 2: Use the following bash script to update the variable value in the variable group. It uses the REST API: Variablegroups - Update

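    # Expiry time in UTC, 30 minutes from now (GNU date syntax)
    expiry_time=$(date -u -d '+30 minutes' +%Y-%m-%dT%H:%MZ)
    
    # Create a container-level SAS token.
    # $(key) and $(pat) are pipeline variables that Azure Pipelines substitutes before the script runs.
    sas_token=$(az storage container generate-sas --account-name <blobname> --name <containername> --permissions dlwr --account-key "$(key)" --expiry "$expiry_time" --output tsv)
    
    # Update the variable group. The JSON body is double-quoted so that the shell
    # expands $sas_token (inside single quotes the literal text "$sas_token" is stored).
    # The URL is quoted so that the shell does not treat "?" as a glob character.
    curl -X PUT \
    -u ":$(pat)" "https://dev.azure.com/{Organizationname}/{Projectname}/_apis/distributedtask/variablegroups/{VariableGroupId}?api-version=5.0-preview.1" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    -d "{
      \"variables\": {
        \"SASToken\": {
          \"isSecret\": true,
          \"value\": \"$sas_token\"
        }
      },
      \"type\": \"Vsts\",
      \"name\": \"{VariableGroupName}\",
      \"description\": \"Updated variable group\"
    }"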
    

    Step 3: In other pipelines, you can directly use the variable in the variable group to upload the files.

    For example:

    variables:
    - group: my-variable-group
    

    At the same time, you can set a scheduled trigger for the pipeline to regularly update the SASToken value in the variable group.
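As an added example (not part of the original answer): because the token in the variable group is short-lived and shared, a consuming job can check it before starting an upload. The function names `sas_field` and `sas_check` and the sample token are constructed for illustration; the check assumes the expiry is written in UTC with a trailing `Z`, as the script in Step 2 produces.

```shell
#!/bin/sh
# Added example: sanity-check a shared SAS token before an agent uses it.
# SAMPLE_TOKEN is constructed; the signature is not real.
SAMPLE_TOKEN='sv=2021-08-06&se=2024-05-01T10%3A30Z&sr=c&sp=rwdl&sig=CONSTRUCTED-NOT-A-REAL-SIGNATURE'

# Print one SAS query parameter (se = expiry, sp = permissions, sip = allowed IP).
sas_field() {  # $1 = token, $2 = field name
  printf '%s\n' "${1#\?}" | tr '&' '\n' | sed -n "s/^$2=//p" \
    | sed 's/%3[Aa]/:/g' | head -n 1
}

# Reduce a UTC ISO 8601 timestamp to YYYYMMDDhhmm so it compares as an integer.
minutes_key() {
  printf '%s0000' "$(printf '%s' "$1" | tr -cd '0-9')" | cut -c1-12
}

# Print "ok" and return 0 if the token covers the job; otherwise print a reason.
# $1 = token, $2 = latest UTC time the job still needs it, $3 = required permission letters
sas_check() {
  token=$1; needed_until=$2; required=$3
  se=$(sas_field "$token" se)
  sp=$(sas_field "$token" sp)
  sip=$(sas_field "$token" sip)
  [ -n "$se" ] || { echo "no-expiry-field"; return 1; }
  if [ "$(minutes_key "$se")" -lt "$(minutes_key "$needed_until")" ]; then
    echo "expires-too-soon"; return 1
  fi
  for p in $(printf '%s' "$required" | sed 's/./& /g'); do
    case $sp in
      *"$p"*) ;;
      *) echo "missing-permission:$p"; return 1 ;;
    esac
  done
  # A token pinned to a source IP will be rejected from agents with other addresses.
  [ -z "$sip" ] || { echo "ip-restricted:$sip"; return 1; }
  echo "ok"
}

# In a pipeline step the second argument would be computed, for example:
#   sas_check "$SAS_TOKEN" "$(date -u -d '+10 minutes' +%Y-%m-%dT%H:%MZ)" w
sas_check "$SAMPLE_TOKEN" "2024-05-01T10:15Z" w
```

Because `SASToken` is stored as a secret, the consuming pipeline has to map it into the step's environment explicitly (for example as `SAS_TOKEN`) before a script can read it.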