0

In an on-prem/self-hosted azure pipelines release task, I want to deploy database updates via sqlpackage.exe to sql server.

I am currently doing this with a command line task.

The admins require a connection to sql server with a trusted domain account that is different from the account running the pipeline agent. The specific account will be different for different databases. (They do not allow a sql server login w/ username and password that I can give to sql package.exe)

So In an azure devops task, is there any way to run a command under a different domain account than the one the agent is running under (i.e. impersonate a different account)?

9b5b
  • 1,508
  • 11
  • 20
  • At a guess.... you might need one deploy agent per database. Which seems over the top, but I would say the requirement of a different windows account per _database_ is also a bit over the top. Also Will the admins supply you with credentials or do they want to be able to rotate / maintain them themselves? I'm not very experienced with on-prem DevOps but I assume it's very similiar to Azure DevOps – Nick.Mc Jan 10 '20 at 02:15
  • As I understand it, you can have multiple agents on one host (VM or whatever), and I _beleive_ each agent can have it's own service account (but you'll need to verify that). – Nick.Mc Jan 10 '20 at 02:17
  • I see... It's probably not a different windows account per individual database, but probably segmented by different groups of applications and environment, e.g. APPGROUP1_TEST, APPGROUP1_PROD etc. – 9b5b Jan 10 '20 at 02:29
  • It would make sense to have an agent per application group with its own windows account then you pick the agent at deploy time. – Nick.Mc Jan 10 '20 at 02:36
  • So is there no way to have the agent run sqldeploy impersonating another user? – Jason Rodman Jan 22 '20 at 17:14

0 Answers0