azurepowershellrestazure-devopsazure-pipelines

Unable to update the variable group data using Azure rest service

I am trying to update the variable group's variables from yml file using script as you have done here, but for authentication I am using PAT. When running the pipeline it's showing something like this.

Here is what I have tried :

$authHeader = @{Authorization = "Bearer $(accessToken)"}

  $body = @{
    description = "Build number"
    name = "BUILD_NUMBER_GROUP"
    type = "Vsts"
    variables = @{
      Major = @{
        isSecret = "false"
        isReadOnly = "false"
        value = "100" 
      }
    }
  }| ConvertTo-Json

  $response = Invoke-RestMethod -Uri "https://dev.azure.com/{OrganizationName}/{ProjectName}/_apis/distributedtask/variablegroups/{variableGroupId}?api-version=5.1-preview.1" -Method Put -Body $body  -Headers $authHeader -ContentType "application/json"
Solution

  • If you are running the script in pipeline to update a variable group, it is suggested authenticating against the $(System.AccessToken) of the pipeline service account, which can avoid leakage and expiration of the PAT and remove Azure DevOps REST API throttling issues if you run a large number of pipelines.

    Here is a sample YAML pipeline with two pwsh scripts authenticating separately against Bearer $(System.AccessToken) and Basic plus the BASE64 encoded PAT for your reference.

    pool:
  vmImage: ubuntu-latest

variables:
  groupId: 38

steps:
- pwsh: |
    $URL = "$(System.CollectionUri)/$(System.TeamProjectId)/_apis/distributedtask/variablegroups/$(groupId)?api-version=5.0-preview.1"
    $headers = @{
        'Authorization' = 'Bearer ' + "$(System.AccessToken)"
        'Content-Type' = 'application/json'
    }
    $body = @{
      description = "Build number"
      name = "BUILD_NUMBER_GROUP"
      type = "Vsts"
      variables = @{
        Major = @{
          isSecret = "false"
          isReadOnly = "false"
          value = "100" 
        }
      }
    } | ConvertTo-Json
    $response = Invoke-RestMethod -Method Put -Uri $URL -Headers $headers -Body $body
    $response | ConvertTo-Json -Depth 100
  displayName: Authenticate against System.AccessToken of the pipeline service account to update variable group
- pwsh: |
    $B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$(PAT)"))
    $URL = "$(System.CollectionUri)/$(System.TeamProjectId)/_apis/distributedtask/variablegroups/$(groupId)?api-version=5.0-preview.1"
    $headers = @{
        'Authorization' = 'Basic ' + "$B64Pat"
        'Content-Type' = 'application/json'
    }
    $body = @{
      description = "Build number"
      name = "BUILD_NUMBER_GROUP"
      type = "Vsts"
      variables = @{
        Major = @{
          isSecret = "false"
          isReadOnly = "false"
          value = "100" 
        }
        Minor = @{
          isSecret = "false"
          isReadOnly = "false"
          value = "101" 
        }
      }
    } | ConvertTo-Json

    $response = Invoke-RestMethod -Method Put -Uri $URL -Headers $headers -Body $body
    $response | ConvertTo-Json -Depth 100
  displayName: Authenticate against BASE64 encoded PAT to update variable group