1

I'm trying to create a script for a build that checks out a file, edits it and checks it back in.

I want it to work when running as a developer, or as a build agent.

I have a solution similar to this, whereby the password is stored in a file and retrieved for the build.

i.e.

File creation:

Read-Host -Prompt Password -AsSecureString | ConvertFrom-SecureString | Out-File .\ps-password.pwd -ErrorAction Stop

File use:

# *VSTS Login*
$Username = $tfsUserName
$Password = Get-Content $tfsUserPasswordPath | ConvertTo-SecureString

$creds = New-Object -typename System.Management.Automation.PSCredential -ArgumentList $Username,$Password
$tfsServer = New-Object System.Uri("https://myaccount.visualstudio.com")
$tfsCollection = New-Object Microsoft.TeamFoundation.Client.TfsTeamProjectCollection($tfsServer,$creds)
$tfsCollection.Authenticate()
"***************** Authenticated *****************"

" *VSTS Check Out file* from $fileToUpdate"
Add-TfsPendingChange -Edit -Item $fileToUpdate -Verbose -ErrorAction Stop -wa 0


# read the file, update the number and save it back
$stuff = Get-Content $fileToUpdate
# modify stuff
Set-Content -Value $stuff -Path $fileToUpdate


# *VSTS Check In* Check in the file after changes.
" *VSTS Check In"
New-TfsChangeset -Item $fileToUpdate -Verbose -Comment "***NO_CI***" -Override true -ErrorAction Stop

SecureStrings are based on the machine/user's account, so the build works fine when I run from PowerShell ISE as my account, but not when triggered from the build server (it runs as NetworkService for now).

I have tried following this post to create the password file as 'Network Service' as well as trying a key for the secure string, but can't get anything to work under both my user and Network Service.

How can I simply store credentials that will work independently of the user running the script?

Or is this just the wrong way to do it, and I should be using a PAT somehow?

JsAndDotNet

1 Answer

2

Builds allow you to access a PAT token via a setting in the build definition. These PAT tokens are generated on the fly, so you won't need to store any secret anywhere.

For running the script on a developer's machine, you can ask the developer to enter a PAT, or have if/else logic where you ask him for a username and password.

More info at

https://www.visualstudio.com/en-us/docs/build/scripts/#use-the-oauth-token-to-access-the-rest-api

Update (full solution):

In your build, you must go to 'Options' and turn on 'Allow scripts to access OAuth token'.

Your final script will look something like the following.

Add-PSSnapin Microsoft.TeamFoundation.PowerShell
# This file requires the TFS Power Tools (2015+). When installing, you must select Custom Installation and select PowerShell Cmdlets

# *VSTS Login*
$url = "$($env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI)$env:SYSTEM_TEAMPROJECTID/_apis/build/definitions/$($env:SYSTEM_DEFINITIONID)?api-version=2.0"
Write-Host "URL: $url"
$definition = Invoke-RestMethod -Uri $url -Headers @{
    Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"
}
Write-Host "Definition = $($definition | ConvertTo-Json -Depth 100)"
"***************** Authenticated *****************"

" *VSTS Check Out file* from $fileToUpdate"
Add-TfsPendingChange -Edit -Item $fileToUpdate -Verbose -ErrorAction Stop -wa 0


# read the file, update the number and save it back
$stuff = Get-Content $fileToUpdate
# modify stuff - make sure you actually make a change!
Set-Content -Value $stuff -Path $fileToUpdate


# *VSTS Check In* Check in the file after changes.
" *VSTS Check In"
New-TfsChangeset -Item $fileToUpdate -Verbose -Comment "***NO_CI***" -Override true -ErrorAction Stop
JsAndDotNet
Harshil Lodhi
  • Have upvoted as thanks for the help, but that seems to get me into a whole raft of other issues. Not sure that way is compatible with my existing script? – JsAndDotNet Aug 30 '17 at 09:47
  • 1
    Shoot any questions that you may have. I think you can just replace the password with this token and it should work. – Harshil Lodhi Aug 30 '17 at 18:31
  • Bingo! This is the answer. I've updated your answer with the final script for searchers. Going to wait until I can add a +50 bounty for you, then I'll mark it as the answer. Thanks! – JsAndDotNet Aug 31 '17 at 15:17
  • @HockeyJ Thanks. Great to hear that it helped. – Harshil Lodhi Sep 01 '17 at 04:52
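
The if/else logic the answer describes for build agent versus developer machine, as an added example that is not part of the original posts: the build uses the per-build OAuth token, a developer is prompted for a PAT, and nothing is written to disk in either case. The function name `Get-VstsAuthHeader` and the `_apis/projects` smoke-test call are assumptions for illustration; the header only applies to REST calls made with `Invoke-RestMethod`.

```powershell
function Get-VstsAuthHeader {
    [CmdletBinding()]
    param(
        # Set by the build agent when 'Allow scripts to access OAuth token' is on.
        [string]$AccessToken = $env:SYSTEM_ACCESSTOKEN
    )

    if (-not [string]::IsNullOrWhiteSpace($AccessToken)) {
        # Build agent: short-lived token issued for this build, no stored secret.
        return @{ Authorization = "Bearer $AccessToken" }
    }

    # Developer machine: prompt for a PAT instead of reading a DPAPI-protected
    # file, which only decrypts for the account that created it.
    $securePat = Read-Host -Prompt 'Personal access token' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePat)
    try {
        $pat = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    }
    finally {
        # Wipe the unmanaged plaintext copy as soon as it has been read.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    if ([string]::IsNullOrWhiteSpace($pat)) {
        throw 'No personal access token entered.'
    }

    # A PAT is sent as HTTP Basic credentials with an empty user name.
    $basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$pat"))
    return @{ Authorization = "Basic $basic" }
}

# Usage: the same code path works in the build and on a developer machine.
# Do not Write-Host $headers; that would put the token in the build log.
$headers = Get-VstsAuthHeader

# Assumption: outside a build, fall back to the account URL from the question.
$collectionUri = if ($env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI) {
    $env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI
} else {
    'https://myaccount.visualstudio.com/'
}

# Smoke test: list the projects the credential can see.
$projects = Invoke-RestMethod -Uri "${collectionUri}_apis/projects?api-version=2.0" -Headers $headers
Write-Host "Authenticated; visible projects: $($projects.count)"
```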