Accessing Azure Artifacts from a docker container in a Pipelines build
In my previous post I talked about how our team is publishing NuGet packages using Azure Pipelines to a DevOps Artifacts feed. Now it’s time to consume those packages. There are plenty of examples on how to connect to a feed in Build, but our case is a bit different because our applications are containerized. The purpose of this post is to share specifically how we authorize access to Artifacts from a docker build context in an Azure DevOps Build.
Please see this Gist for full code references.
The purpose of using Azure Artifacts is to avoid a public package manager because the team is writing IP into shared libraries. It should then come as no surprise that there are a few additional steps required to ensure that your docker build context has appropriate access to Azure DevOps.
The docker build context is isolated from Azure DevOps, meaning that it should be considered a sandboxed build that doesn’t share environment variables and access that typical Build tasks would. The trick to authorizing a docker build is to use a Personal Access Token as a rotatable key that tells Azure DevOps that it is authorized to pull packages from Artifacts. Start by creating a PAT: click your avatar in the upper right of DevOps then Security in the dropdown. Make sure it has access to Packaging.
Pipelines variable group
The next step is to create a group of variables that you can share between all Build definitions. I created an Artifacts group and added an
artifactsAccessToken (this is your Private Access Token) and
artifactsEndpoint which I got from clicking Connect to Feed from my Artifacts feed.
CI and CD builds
Go ahead and create your CI and CD builds and feel free to use my files as a template. Note that I am specifically passing in the variables I created in the variable group above using the following method:
... variables: - group: Artifacts ... steps: - task: Docker@1 displayName: 'Build an image' inputs: ... arguments: '--build-arg ARTIFACTS_ENDPOINT=$(artifactsEndpoint) --build-arg ACCESS_TOKEN=$(artifactsAccessToken)'
This ensures that the variables get mapped to the
Dockerfile ARGS that we also need to define.
Important: once you create the build in DevOps, you need to click through Variables > Variable groups and click Link variable group. This is a security feature and is a required step.
Now that we have builds set up, create a
Dockerfile that defines how your app is build and run. To use the variables we passed in via Build above, create
ARTIFACTS_ENDPOINT ARGS to accept them. The key changes from a typical
Dockerfile is that you need to install the Azure Artifacts Credential Provider and then set the
VSS_NUGET_EXTERNAL_FEED_ENDPOINTS environment variables to let it do its job. Also, alter your
dotnet restore task to use the new feed endpoint.
Now run through the entire process and make sure everything works correctly. If so, you should have a new docker container image ready for deployment! Please reach out if you have any questions or a different approach.
Share this post!