6

I am building an Azure DevOps pipeline using Terraform. The pipeline creates a Linux server and then logs into the Linux server to update packages and install Apache.

I am currently storing the private key in my BitBucket repo (I know, this is not best practice), which is then pulled down onto the build agent server, and then I log in to the new server with the following command:

ssh -f -q -o BatchMode=yes -o StrictHostKeyChecking=no -i ../private_key.pem ubuntu@$ip sudo apt update -y

What is the best way to store and then retrieve the private key within Azure DevOps?

IHelpPeople
  • 415
  • 2
  • 5
  • 12

2 Answers

6

Two options I can think of:

1) Create an SSH service connection in Azure DevOps. Reference the service connection in your pipeline. https://medium.com/@sibeeshvenu/ssh-deployment-task-in-azure-pipelines-b0e2923bd7b4

2) Store the SSH key as an Azure Key Vault secret and then download the secret using the Azure CLI during the build.

az keyvault secret download --name mysshkey --vault-name mykeyvault --file ~/.ssh/id_rsa

Authenticate the Azure CLI using a service principal, and supply the credentials to the pipeline using a variable group.

tedsmitt
  • 716
  • 4
  • 8

6

I found that Azure DevOps provides you a feature to upload secret files as part of the build. You can see more information here:

https://learn.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops

IHelpPeople
  • 415
  • 2
  • 5
  • 12
  • 1
    Here's a more specific example for using an SSH private key in particular to log into GitHub: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/install-ssh-key?view=azure-devops – sschuberth Dec 16 '20 at 08:15
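An added example (not from either answer) of an azure-pipelines.yml that puts both approaches side by side: the Key Vault download from the first answer and the Secure File plus InstallSSHKey task from the second answer and the comment. The service connection name, vault name, secret name, secure file name, server address and host key line are placeholders; the key is assumed to be stored in Key Vault as the full PEM text (for example with `az keyvault secret set --file`).

```yaml
trigger: none
pool:
  vmImage: ubuntu-latest

variables:
  serverIp: '203.0.113.10'   # placeholder (TEST-NET-3 address); in practice a Terraform output

steps:
# Option A (first answer): fetch the key from Azure Key Vault. The service
# connection holds the service principal, which needs 'get' on secrets.
- task: AzureKeyVault@2
  inputs:
    azureSubscription: 'my-azure-sp-connection'   # placeholder
    KeyVaultName: 'mykeyvault'                    # placeholder
    SecretsFilter: 'mysshkey'                     # placeholder
    RunAsPreJob: false

- bash: |
    set -euo pipefail
    umask 077                          # key file is created 0600, never world-readable
    key="$(mktemp)"
    trap 'rm -f "$key" known_hosts' EXIT   # delete the key when the step ends, pass or fail
    printf '%s\n' "$MYSSHKEY" > "$key"
    # Pin the server's host key instead of StrictHostKeyChecking=no, so the
    # session (and the key-based login) can only go to the expected host.
    printf '%s\n' "$SERVER_IP $HOST_KEY" > known_hosts
    ssh -o BatchMode=yes -o UserKnownHostsFile=known_hosts -o StrictHostKeyChecking=yes \
        -i "$key" "ubuntu@$SERVER_IP" \
        'sudo apt update -y && sudo apt install -y apache2'
  env:
    MYSSHKEY: $(mysshkey)      # secret variables must be mapped explicitly; they are not exported to scripts
    SERVER_IP: $(serverIp)
    HOST_KEY: 'ssh-ed25519 AAAA...placeholder'   # placeholder: the server's real public host key

# Option B (second answer + comment): upload the key under Pipelines > Library >
# Secure files and let InstallSSHKey@0 load it into ssh-agent for this job.
- task: InstallSSHKey@0
  inputs:
    knownHostsEntry: '203.0.113.10 ssh-ed25519 AAAA...placeholder'   # placeholder host key
    sshKeySecureFile: 'deploy_key.pem'                               # placeholder secure file name

- bash: |
    set -euo pipefail
    # No -i needed: the key is in ssh-agent and the host key is already in known_hosts.
    ssh -o BatchMode=yes "ubuntu@$SERVER_IP" 'sudo apt update -y && sudo apt install -y apache2'
  env:
    SERVER_IP: $(serverIp)
```

Either way the key never lands in the repository, and the host key pin replaces the StrictHostKeyChecking=no in the original command.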