
Streamlining SAS Viya Authentication in Azure DevOps

Started ‎02-19-2024 by
Modified ‎02-19-2024 by

This article is a follow-up post on my previous one about “Unlocking Efficiency with Container Jobs in Azure DevOps” available here. That article demonstrated the use of “Container Jobs” but more specifically a job containing the SAS Viya CLI (Command Line Interface). Now what you will need is a way to authenticate during the run of your Azure pipeline.

 

Our odyssey begins with the SAS Viya CLI, choreographing the Auth Code method for authentication, and seamlessly segues into the Azure Key Vault, where credentials.json finds a secure sanctuary. But that is not all; we are threading this narrative into the broader tapestry of configuring an environment through the Azure DevOps pipeline using this credentials.json file.

 

Overall process

 

The main authentication steps are illustrated in the following diagram:

 

de_1_Streamlining-SAS-Viya-Authentication-in-Azure-DevOps-1024x366.png


 

If you have not already installed your SAS Viya CLI, my colleague David Stern wrote a great post documenting all the steps here. There is also a YouTube video from the SAS Users channel available here. If you are looking for ideas or use cases for the SAS Viya CLI, here is a list of SAS Communities posts referencing the SAS Viya CLI.

 

Once this is done, you should be able to authenticate using the “Auth Code” method. I recommend this method because it should work with whichever authentication process you have deployed (Direct LDAP, OpenID Connect or SCIM).

 

In the following steps, I have assumed you are on Windows and have deployed the SAS Viya CLI under the Download/sas-viya-cli folder. This should be easily adapted if you are on a Mac or Linux.

 

1. Authenticate on Azure & on SAS Viya using their CLIs

 

Copy & Paste the following instructions in a Windows Command prompt (cmd):

 

:: Variables section
set PATH=%PATH%;%userprofile%\Downloads\sas-viya-cli
set EP=https://sas-communities.demo.sas.com

:: sign in to Azure
az login --output none
:: sign in to SAS Viya
sas-viya profile init --sas-endpoint %EP% --output text --colors-enabled yes
sas-viya authenticate loginCode

 

NOTE: Replace sas-communities.demo.sas.com with your SAS Viya URL. When prompted, open the provided URL and authenticate to your SAS Viya environment. This step generates a credentials.json file containing your access and refresh tokens, which you will need to share with your pipeline so that it can later execute on your behalf. The file is stored at %userprofile%/.sas/credentials.json.

 

2. Create a resource group on Azure to hold the Azure Key Vault (if you do not have one you want to use)

 

Copy & Paste the following instructions in a Windows Command prompt (cmd):

 

:: Variables section
set RG=SAS-COMMUNITIES-RG

az group create --location eastus2 --resource-group %RG% --output table

 

3. Create your Azure Key Vault (if you do not have one you want to use)

 

Copy & Paste the following instructions in a Windows Command prompt (cmd):

 

:: Variables section
set RG=SAS-COMMUNITIES-RG
set KV=SAS-COMMUNITIES-KV

az keyvault create --name %KV% --resource-group %RG% --output table

 

4. Upload your credentials.json as a secret into Azure Key Vault

 

Copy & Paste the following instructions in a Windows Command prompt (cmd):

 

:: Variables section
set SC=Service for Pipeline Execution
set KV=SAS-COMMUNITIES-KV
set CR=SAS-COMMUNITIES-CREDS

az keyvault secret set --vault-name %KV% --name %CR% --file %userprofile%/.sas/credentials.json

 

5. Check the existence in the Microsoft Azure Portal

 

Go to: Home >> Key Vaults >> SAS-COMMUNITIES-KV >> Secrets >> SAS-COMMUNITIES-CREDS >> Select the “Current Version” id

 

de_2_Azure_Secret_KV-300x232.jpg

 

Modify your pipeline to consume the credentials.json from Azure Key Vault

 

Now that you have uploaded your credentials into an Azure Key Vault secret, the next step is to modify your pipeline in order to consume them.

 

1. Identify your Service connection in your Azure DevOps pipeline

 

In my previous blog post, you should spot the name after the azureSubscription variable. In my case I used:

 

variables:
    azureSubscription: Service for Pipeline Execution

 

On Azure DevOps, you can also confirm the name by clicking on “Project Settings” >> “Service Connections”

 

de_3_Azure_DevOps_SC-283x300.jpg

 

Here is some more information on Service Connection from the Azure documentation: Manage service connections

 

2. Give the appropriate rights on your Azure KeyVault

 

Your pipeline will need to be able to read your Azure Key Vault entry. To enable this, you will need to set two secret permissions (get and list) in an access policy on your Azure Key Vault for your Service Connection (a.k.a. service principal).

 

:: Variables section
set SC=Service for Pipeline Execution
set KV=SAS-COMMUNITIES-KV

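:: Look up the service principal's appId and pass it with --spn (--object-id expects the principal's object ID, not its appId)
for /f %i in ('az ad sp list --filter "displayname eq '%SC%'" --query "[].appId" --output tsv') do set SP_ID=%i
az keyvault set-policy --name %KV% --spn %SP_ID% --secret-permissions get list --output table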

 

3. Update your Azure DevOps pipeline definition

 

This extract is taken from my previous post; it is the part you will need to update:

 

- task: Bash@3 # Second task referenced in the explanation below
  inputs:
    targetType: 'inline'
    script: |
      # set -x
      VIYA_URL=https://myownviya.communities.sas.com
      KV=SAS-COMMUNITIES-KV
      CR=SAS-COMMUNITIES-CREDS
      sas-viya profile init --sas-endpoint $VIYA_URL --output json  --colors-enabled yes
      rm -Rf /home/vsts_azpcontainer/.sas/credentials.json 2>/dev/null
      az keyvault secret download \
        --file /home/vsts_azpcontainer/.sas/credentials.json \
        --name $CR --vault-name $KV
      sas-viya --verbose configuration configurations list

 

If all went as expected, this task will display a list of configurations for your SAS Viya environment. Now, it is up to you to script whatever you want to automate using the SAS Viya CLI (e.g. user creation, folder creation, rule assignments, configuration deployment, …).
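Because the secret holds the access and refresh tokens from step 1, the pipeline stops working once they expire. The following check is an added example, not code from the original post or from SAS: it reports how long each token in credentials.json remains valid without printing the tokens. It assumes the tokens are JWTs carrying an exp claim; the field names in the constructed sample are an assumed layout, and the walker does not depend on them.

```python
import base64
import json
import sys
import time

def jwt_claims(value):
    """Decode a JWT-shaped string's payload (no signature check); None if not a JWT."""
    parts = value.split(".") if isinstance(value, str) else []
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def token_report(doc, now, path=""):
    """Walk nested objects; return [(json_path, seconds_left)] for each JWT with an exp claim."""
    if isinstance(doc, dict):
        return [hit for k, v in doc.items() for hit in token_report(v, now, f"{path}/{k}")]
    claims = jwt_claims(doc)
    if claims and isinstance(claims.get("exp"), (int, float)):
        return [(path, int(claims["exp"] - now))]
    return []

def usable(doc, now=None, min_seconds=300):
    """(ok, report): ok when some token, normally the refresh token, outlives the job."""
    report = token_report(doc, time.time() if now is None else now)
    return any(left >= min_seconds for _, left in report), report

def fake_jwt(exp):
    """Constructed, unsigned sample token; not a real SAS Viya token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"exp": exp}), "sig"])

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a real credentials.json
        with open(sys.argv[1]) as fh:
            doc, clock = json.load(fh), None
    else:  # constructed sample; field names are an assumed layout
        clock = 1_700_000_000
        doc = {"Default": {"access-token": fake_jwt(clock - 60),
                           "refresh-token": fake_jwt(clock + 86400)}}
    ok, report = usable(doc, clock)
    for where, left in report:  # paths and lifetimes only, never token values
        print(where, "expired" if left < 0 else f"{left}s left")
    sys.exit(0 if ok else "no usable token: repeat step 1 and re-upload the secret")
```

Run it with the path to the file before uploading in step 4, or in the pipeline right after the download, so that an expired secret fails the job with a clear message instead of an authentication error from the CLI.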

 

Conclusion

 

In conclusion, this post has walked you through the process of streamlining SAS Viya authentication in Azure DevOps. Starting with the SAS Viya CLI and the Auth Code method for authentication, we seamlessly integrated the Azure Key Vault to securely store credentials. The journey continued with configuring your environment through the Azure DevOps pipeline, using the credentials.json file generated through the authentication process.

 

By following the step-by-step instructions, you have learned how to:

 

  1. Generate credentials using the local SAS Viya CLI.
  2. Authenticate on Azure and SAS Viya using their CLIs.
  3. Create a resource group and Azure Key Vault to securely store your credentials.
  4. Identify and set up your Service Connection in Azure DevOps.
  5. Grant appropriate rights on your Azure Key Vault for your Service Connection.
  6. Upload the credentials.json into the Azure Key Vault as a secret.
  7. Modify your Azure DevOps pipeline to consume the credentials from the Azure Key Vault.

 

This guide aims to empower you to enhance the security and efficiency of your Azure DevOps pipeline when working with SAS Viya. By leveraging the capabilities of Azure Key Vault and following proven practices, you can ensure a robust and secure authentication process for your SAS Viya environment. As you embark on your journey of orchestrating SAS Viya tasks within your pipelines, this post can serve as a valuable resource, enabling you to navigate the intricacies of authentication seamlessly.

Version history
Last update:
‎02-19-2024 03:44 AM