
I wrote a PowerShell script for a custom TFS task (Build and Release Task). Now I need to execute some command with specific credentials. For this I created the following statement:

```powershell
Start-Process powershell -Credential $mycred -Wait -ArgumentList "-file $taskDir\task.ps1" -RedirectStandardOutput C:\Temp\taskOutput.log
```

If I execute the command in PowerShell, everything works correctly. But as soon as the command is executed from the TFS service, it doesn't work. If I remove the `-Credential $mycred` parameter, the command also works in the context of the TFS execution.

I guess the problem is that with `-Credential $mycred` a new window is opened, and so it doesn't work within the TFS execution.

Does anyone know a better solution to execute a PowerShell script with specific credentials?

Thanks!!

UPDATE 1:

For better understanding I upload the full custom task here

Martin Schagerl
  • What TFS version are you using? – tukan Sep 25 '17 at 11:51
  • In general I would recommend using a solution already created - https://github.com/huserben/TfsExtensions/tree/master/BuildTasks. If you want to have custom BuildTasks you can extend the github one. – tukan Sep 25 '17 at 11:56
  • When the build task is executed, it's using TFS build service account? Did you mean you want to run the task with another credential in the build pipeline? – PatrickLu-MSFT Sep 25 '17 at 12:12
  • I use TFS 2015 - but in my opinion the link is not relevant for my problem. @Patrick-MSFT Exactly, I need to execute the PowerShell script with another user, because the task runs an EntityFramework migration with integrated security. I uploaded the full task, as you can see in the question. Could you understand my problem? – Martin Schagerl Sep 25 '17 at 12:31

2 Answers


Use `Invoke-Command` instead. A related thread: Start-Job with credential in custom task problems.

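```powershell
# Build a credential object; the bracketed values are placeholders.
$mypwd = ConvertTo-SecureString -String "[password, could use variable]" -Force -AsPlainText
$Cred = New-Object System.Management.Automation.PSCredential('[user name]', $mypwd)

# Script block to run as the other user.
$scriptToExecute = {
    $VerbosePreference = 'Continue'
    Write-Output "$env:UserName"
    # Write-Verbose "Verbose" 4>&1
}

# Run it in a local remoting session under $Cred and capture the output.
$b = Invoke-Command -ComputerName localhost -ScriptBlock $scriptToExecute -Credential $Cred
```
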
starian chen-MSFT
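
The answer above puts the password in the script as a string literal. As an added example (not code from the answer or from the asker's task), the same `Invoke-Command` approach can take the account from secret build variables instead; the environment variable names `TASK_RUNAS_USER` and `TASK_RUNAS_PASSWORD`, the two function names and the `$taskDir` value are assumptions, while `task.ps1` and `C:\Temp\taskOutput.log` come from the question.

```powershell
# Added example. TASK_RUNAS_USER / TASK_RUNAS_PASSWORD are hypothetical
# environment variables that the build definition fills from secret variables.
function Get-RunAsCredential {
    param(
        [string]$UserVar = 'TASK_RUNAS_USER',
        [string]$PasswordVar = 'TASK_RUNAS_PASSWORD'
    )
    $user  = [Environment]::GetEnvironmentVariable($UserVar)
    $plain = [Environment]::GetEnvironmentVariable($PasswordVar)
    if ([string]::IsNullOrEmpty($user) -or [string]::IsNullOrEmpty($plain)) {
        throw "Set $UserVar and $PasswordVar before running this task."
    }
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # Remove the plaintext copy so processes started later do not inherit it.
    Remove-Item -Path "Env:\$PasswordVar"
    New-Object System.Management.Automation.PSCredential($user, $secure)
}

function Invoke-TaskAsUser {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$LogPath = 'C:\Temp\taskOutput.log'
    )
    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Task script not found: $ScriptPath"
    }
    # The script runs in a loopback remoting session instead of a new window,
    # so PowerShell remoting must be enabled on the build agent.
    # -ErrorAction Stop turns errors surfaced by Invoke-Command into
    # terminating errors, which fails the build step.
    $output = Invoke-Command -ComputerName localhost -Credential $Credential `
        -FilePath $ScriptPath -ErrorAction Stop
    $output | Out-File -FilePath $LogPath -Encoding utf8
    $output
}

$taskDir = $PSScriptRoot   # assumption: task.ps1 sits next to this script
Invoke-TaskAsUser -ScriptPath (Join-Path $taskDir 'task.ps1') -Credential (Get-RunAsCredential)
```

Because the loopback session is a network logon, a script that then uses integrated security against a database on another host can hit the Kerberos double-hop restriction.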

When you queue the build, all build tasks should run under your build service account such as NetworkService. If you run the script a PS window pops up and closes instantly again. It's not able to directly run the script as a different user.

TFS Builds allow you to access a PAT token via a setting in the build definition. These are PAT tokens generated on the fly, so you won't need to store any secret anywhere.

For running the script on a developer's machine, you can ask the developer to enter a PAT, or have if/else logic where you ask him for username and password.

For more details, please refer to this link: https://learn.microsoft.com/en-us/vsts/build-release/actions/scripts/powershell#use-the-oauth-token-to-access-the-rest-api

You could also take a look at this similar question: Powershell / VSTS Build - Store Credentials Independent/ Agnostic of User Running Script

PatrickLu-MSFT
  • Thanks, but this doesn't solve my problem. My problem is that if I want to execute a script with specific credentials, then PowerShell opens a new window for the `Start-Process` command. But when executing this from the TFS build service, the process which is specified in the `Start-Process` argument will not execute. – Martin Schagerl Sep 26 '17 at 10:14