I am building a project server solution with Azure DevOps.
In my release pipeline I have multiple PowerShell scripts that require user credentials as parameters. The password is saved in a secret variable in DevOps and contains a single quote.
Password: abcd'efgh
This leads to the pipeline throwing an error: "The string is missing the terminator: '."
When I hard code the password into the pipeline with double quotes the script executes perfectly.
Argument: -password "abcd'efgh"
When I put the DevOps secret variable in double quotes the script executes, but gives me an error when trying to authenticate at the server, possibly because the password that is passed is "***".
Argument: -password "$(passwordVariable)"
Here is the relevant part of the script that is being executed by the pipeline. Any help is greatly appreciated.
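    param(
        $siteUrl,
        $username,
        $password
    )
    # Convert the plain-text password to a SecureString (-AsPlainText is required together with -Force)
    $encpassword = ConvertTo-SecureString -String $password -AsPlainText -Force
    # PSCredential expects the SecureString, not the plain-text password
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $encpassword
    Connect-PnPOnline -Url $siteUrl -Credentials $cred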
How do I get the password into the script?
You can use the Azure Key Vault task to include secrets in your pipeline. This task allows the pipeline to connect to your Azure Key Vault and retrieve secrets to use as pipeline variables. In the pipeline editor, select Show assistant to expand the assistant panel. Search for vault and select the Azure Key Vault task.
GitHub Action to trigger a run in Azure Pipelines: with this action, you could trigger an Azure pipeline run right from inside an Action workflow. The definition of this GitHub Action is in action.yml.
The problem you are facing is that the $(passwordVariable) variable reference is expanded in the script body before it is executed by PowerShell. This means that PowerShell sees the variable value and interprets special characters in it.
You could prepend all the special characters with the PowerShell escape char (`), but that's not very elegant.
A safer way of accessing variables in scripts is via env variables - each variable you set in your pipeline creates an environment variable (the name is upper-cased, and the . is replaced with the _).
For a regular (non-encrypted) variable, you would have:
    Do-Something -password "$($env:PASSWORDVARIABLE)"

For secret (encrypted) variables, you have to explicitly map them to the script's env variables. In a classic pipeline, use the Environment section. In YAML, it would look like this:

    - pwsh: |
        Do-Something -Password $($env:MAPPED_PASSWORD)
      env:
        MAPPED_PASSWORD: $(passwordVariable)

One caveat: don't prefix mapped variables with SECRET_ - it won't work, because this prefix is used by DevOps internally.
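The environment-variable approach from the answer above, applied to the credential-building part of the question's script. This is an added example, not code from the question or the answers: the function name New-PipelineCredential and the user name are hypothetical, MAPPED_PASSWORD is the mapping name used in the answer, and the demo value is constructed from the password shown in the question.

```powershell
# Added example. New-PipelineCredential is a hypothetical helper name;
# MAPPED_PASSWORD is the env: mapping name used in the answer above.
function New-PipelineCredential {
    param(
        [Parameter(Mandatory)] [string] $Username,
        [string] $EnvName = 'MAPPED_PASSWORD'
    )

    # The value is read from the process environment at run time. It never
    # appears in the script text or the argument string, so PowerShell never
    # parses the quote characters inside it.
    $plain = [Environment]::GetEnvironmentVariable($EnvName)

    # Secret variables are not exported automatically; an empty value means
    # the mapping in the task's env section is missing.
    if ([string]::IsNullOrEmpty($plain)) {
        throw "Environment variable '$EnvName' is empty. Map the secret in the task's env section."
    }

    # A macro that could not be resolved reaches the script as the literal
    # text $(name); fail early instead of sending that to the server.
    if ($plain -match '^\$\(.+\)$') {
        throw "Environment variable '$EnvName' holds an unexpanded macro. Check the pipeline variable name."
    }

    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $secure
}

# Constructed demo value standing in for what the agent injects from the mapping.
$env:MAPPED_PASSWORD = "abcd'efgh"
$cred = New-PipelineCredential -Username 'svc-deploy@example.com'

# Round-trip check: the single quote must survive unchanged (9 characters).
$roundTrip = $cred.GetNetworkCredential().Password
if ($roundTrip -cne "abcd'efgh") { throw 'Password was altered on the way in.' }
Write-Host "Credential built for $($cred.UserName); password length $($roundTrip.Length)"

Remove-Item Env:MAPPED_PASSWORD

# In the real script the credential is then passed on as in the question:
# Connect-PnPOnline -Url $siteUrl -Credentials $cred
```

With this in place the task no longer needs a -password argument at all, which also keeps the secret out of the process command line.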