
Manage IAM Access Key Of AWS Service Connection In Azure DevOps Pipeline

Posted on: April 23, 2023 at 03:57 PM


🚀 Abstract

Table Of Contents


🚀 Solution overview

🚀 Process flow detail

🚀 Lambda function - Rotate Access key and update to secret manager

🚀 Lambda function - Send to slack

🚀 Lambda function - Azure DevOps service connection

  1. Solution for creating the Azure DevOps service connection - a Lambda function, which can be built in one of two ways:

    • Build a custom Lambda layer that contains the Azure DevOps Python module, so the function can run the Azure DevOps CLI

    • Build a Docker Lambda container image

  2. Challenges - why are there challenges here? The azure-cli package is very heavy: at the time of writing this post, installing or packaging azure-cli takes more than 1 GB, which is far too big for a Lambda function, and a custom Lambda layer in particular is limited to 250 MB (unzipped) for the deployment zip file.

    • Fortunately, there is a workaround: the Docker image can be slimmed down by installing only the Azure CLI libraries that are actually needed

  3. Build the Lambda container image using CodePipeline - the Dockerfile builds a container image of just about 299.41 MB. The Lambda container image acts as the Azure CLI to run Azure DevOps commands. For CI, i.e. building the Lambda Docker container image and automating its deployment, we use CodePipeline with the following stages:

    • Pull the source code when a commit is merged to master

    • Trigger CodeBuild with buildspec.yml

  4. We could use azure-devops-python-api to write Python code that handles the ADO service connection, but its wrapper tool, the Azure DevOps CLI, is much more convenient, so I write a bash script run.sh and use Python to execute it:

    import subprocess

    subprocess.check_call(f"export AZURE_DEVOPS_EXT_PAT={_pat}; ./run.sh {access_key} {cred}", shell=True)
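The following is an added example, not code from the original post, showing a hardened way to perform the same run.sh invocation from the Lambda handler. Interpolating the PAT, access key and credential into a shell=True command string means any shell metacharacter in those values is interpreted, and the full string (secrets included) ends up in the exception message if the call fails. The wrapper below keeps the post's run.sh contract (PAT in the AZURE_DEVOPS_EXT_PAT environment variable, access key and credential as positional arguments) but passes argv as a list with no shell, sets the PAT through the env parameter, and reports failures without echoing the argv. The function names, the stand-in scripts and the sample values are constructed for this example and are assumptions, not part of the post's project.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Environment variable the Azure DevOps CLI extension reads its PAT from.
PAT_ENV_VAR = "AZURE_DEVOPS_EXT_PAT"


def build_invocation(script_path, access_key, cred, pat):
    """Return (argv, env) for running run.sh without a shell.

    The PAT travels in the process environment, where the CLI expects it, and the
    access key and credential are separate argv entries, so shell metacharacters in
    any of the values are inert and no secret is ever pasted into a command string.
    """
    argv = [str(script_path), access_key, cred]
    env = dict(os.environ)
    env[PAT_ENV_VAR] = pat
    return argv, env


def run_rotation_script(script_path, access_key, cred, pat, timeout=300):
    """Run the helper script and return its stdout; fail without echoing secrets."""
    argv, env = build_invocation(script_path, access_key, cred, pat)
    name = Path(script_path).name
    try:
        result = subprocess.run(
            argv, env=env, check=True, capture_output=True, text=True, timeout=timeout
        )
    except subprocess.CalledProcessError as exc:
        # str(exc) and exc.cmd contain argv, i.e. the key material; report only the
        # exit status and the script's stderr, and drop the chained exception.
        raise RuntimeError(f"{name} exited {exc.returncode}: {exc.stderr.strip()}") from None
    except subprocess.TimeoutExpired:
        raise RuntimeError(f"{name} timed out after {timeout}s") from None
    return result.stdout


def parse_report(stdout):
    """Turn key=value output lines (format of the stand-in scripts below) into a dict."""
    report = {}
    for line in stdout.splitlines():
        key, _, value = line.partition("=")
        report[key] = value
    return report


# Constructed stand-ins for run.sh, used only so the demo runs offline: the first
# reports whether the PAT arrived via the environment and echoes its arguments
# verbatim, the second simulates a failed CLI call.
REPORTING_SCRIPT = """#!/bin/sh
if [ -n "$AZURE_DEVOPS_EXT_PAT" ]; then echo "pat=present"; else echo "pat=missing"; fi
echo "argc=$#"
echo "arg1=$1"
echo "arg2=$2"
"""
FAILING_SCRIPT = "#!/bin/sh\necho 'cli failed' >&2\nexit 3\n"


def _write_script(directory, body):
    script = Path(directory) / "run.sh"
    script.write_text(body)
    script.chmod(0o700)
    return script


def demo():
    """Run the reporting stand-in through the wrapper and return the parsed report."""
    with tempfile.TemporaryDirectory() as tmp:
        script = _write_script(tmp, REPORTING_SCRIPT)
        # Constructed sample values; the credential deliberately contains shell
        # metacharacters, which a shell=True command string would have interpreted.
        out = run_rotation_script(
            script, "AKIA_EXAMPLE_ID", "s3cr3t; echo injected", "pat-placeholder"
        )
    return parse_report(out)


def failure_demo():
    """Return the error message produced when the script fails."""
    with tempfile.TemporaryDirectory() as tmp:
        script = _write_script(tmp, FAILING_SCRIPT)
        try:
            run_rotation_script(script, "AKIA_EXAMPLE_ID", "s3cr3t", "pat-placeholder")
        except RuntimeError as exc:
            return str(exc)
    return ""


if __name__ == "__main__":
    print(demo())
    print(failure_demo())
```

Running the module shows the PAT reaching the script through the environment, the credential arriving as one literal argument even though it contains a semicolon, and a failure message that carries the exit code and stderr but none of the secrets. One remaining caveat of the post's contract is that positional arguments are visible in the process list of the Lambda execution environment for the lifetime of the script; if run.sh can be changed, reading the access key and credential from environment variables or stdin removes that exposure as well.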

🚀 Test the step function

🚀 Conclusion


References: