BookmarkSubscribeRSS Feed

Streamlining SAS Viya Authentication in Azure DevOps

Started ‎02-19-2024 by
Modified ‎02-19-2024 by
Views 258

This article is a follow-up post on my previous one about “Unlocking Efficiency with Container Jobs in Azure DevOps” available here. That article demonstrated the use of “Container Jobs” but more specifically a job containing the SAS Viya CLI (Command Line Interface). Now what you will need is a way to authenticate during the run of your Azure pipeline.


Our odyssey begins with the SAS Viya CLI, choreographing the Auth Code method for authentication, and seamlessly segues into the Azure Key Vault, where credentials.json finds a secure sanctuary. But that is not all; we are threading this narrative into the broader tapestry of configuring an environment through the Azure DevOps pipeline using this credential.json file.


Overall process


The main authentication steps are illustrated in the following diagram:



Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.


If you have not already installed your SAS Viya CLI, my colleague David Stern did a great post documenting all the steps here. There is also a YouTube video from the SAS Users channel available here. If you are looking for ideas or use-cases for the the SAS Viya CLI, here is a list of SAS Communities posts referencing the SAS Viya CLI.


Once this is done, you should be able to authenticate using the “Auth Code” method. I am recommending this method as it should be valid for any of your deployed authentication process (Direct LDAP / OpenID Connect or SCIM).


In the following steps, I have assumed you are on Windows and have deployed the SAS Viya CLI under the Download/sas-viya-cli folder. This should be easily adapted if you are on a Mac or Linux.


1. Authenticate on Azure & on SAS Viya using their CLIs


Copy & Paste the following instructions in a Windows Command prompt (cmd):


:: Variables section
set PATH=%PATH%;%userprofile%\Downloads\sas-viya-cli
set EP

:: sign in to Azure
az login --output none
:: sign in to SAS Viya
sas-viya profile init --sas-endpoint %EP% --output text --colors-enabled yes
sas-viya authenticate loginCode


NOTE: Replace with your SAS Viya URL. Once prompted to do so, open the provided URL and authenticate to your SAS Viya Environment. This step will generate a credentials.json file that will contain your access and refresh tokens that you will need to share with your pipeline for later execution on your behalf. This file will be stored here : %userprofile%/.sas/credentials.json.


2. Create a resource group on Azure to hold the Azure Key Vault (if you do not have one you want to use)


Copy & Paste the following instructions in in a Windows Command prompt (cmd):


:: Variables section

az group create --location eastus2 --resource-group %RG% --output table


3. Create your Azure Key Kault (if you do not have one you want to use)


Copy & Paste the following instructions in a Windows Command prompt (cmd):


:: Variables section

az keyvault create --name %KV% --resource-group %RG% --output table


4. Upload your credentials.json into a secret into Azure KeyVault


Copy & Paste the following instructions in a Windows Command prompt (cmd):


:: Variables section
set SC=Service for Pipeline Execution

az keyvault secret set --vault-name SC% --name %CR% --file %userprofile%/.sas/credentials.json


5. Check the existence in the Microsoft Azure Portal


Go to: Home >> Key Vaults >> SAS-COMMUNITIES-KV >> Secrets >> SAS-COMMUNITIES-CREDS >> Select the “Current Version” id




Modify your pipeline to consume the credentials.json from Azure Key Vault


Now that you have uploaded your credentials into a Microsoft Key Vault secret, the next step is to modify your pipeline in order to consume them.


1. Identify your Service connection in your Azure DevOps pipeline


On my previous blog post you should spot the name after the AzureScription, in my case I used


    azureSubscription: Service for Pipeline Execution


On Azure DevOps, you can also confirm the name by clicking on “Project Settings” >> “Service Connections”




Here is some more information on Service Connection from the Azure documentation: Manage service connections


2. Give the appropriate rights on your Azure KeyVault


Your pipeline will need to be able to read your Azure Key Vault entry. To enable this, you will need to set two policies (get and list) on your Azure KeyVault for your Service Connection (aka. Service principals).


:: Variables section
set SC=Service for Pipeline Execution

for /f %i in ('az ad sp list --filter "displayname eq '%SC%'" --query "[].appId" --output tsv') do set SP_ID=%i
az keyvault set-policy --name  %KV% --object-id %SP_ID% --secret-permissions get list --output table


3. Update your Azure DevOps pipeline definition


This extract is taken from my previous post that you will need to update :


- task: Bash@3 # Second task referenced in the explanation bellow
    targetType: 'inline'
    script: |
      # set -x
      sas-viya profile init --sas-endpoint https://$VIYA_URL --output json  --colors-enabled yes
      rm -Rf /home/vsts_azpcontainer/.sas/credentials.json 2>/dev/null
      az keyvault secret download \
        --file /home/vsts_azpcontainer/.sas/credentials.json \
        --name $CR --vault-name $KV
      sas-viya --verbose configuration configurations list


If all went as expected, this task will display a list of configurations for your SAS Viya environment. Now, it is up to you to script whatever you want to automate using the SAS Viya CLI (i.e. User creation, folder creations, rules assignments, configurations deployment, …).




In conclusion, this post has walked you through the process of streamlining SAS Viya authentication in Azure DevOps. Starting with the SAS Viya CLI and the Auth Code method for authentication, we seamlessly integrated the Azure Key Vault to securely store credentials. The journey continued with configuring your environment through the Azure DevOps pipeline, using the credentials.json file generated through the authentication process.


By following the step-by-step instructions, you have learned how to:


  1. Generate credentials using the local SAS Viya CLI.
  2. Authenticate on Azure and SAS Viya using their CLIs.
  3. Create a resource group and Azure Key Vault to securely store your credentials.
  4. Identify and set up your Service Connection in Azure DevOps.
  5. Grant appropriate rights on your Azure Key Vault for your Service Connection.
  6. Upload the credentials.json into the Azure Key Vault as a secret.
  7. Modify your Azure DevOps pipeline to consume the credentials from the Azure Key Vault.


This guide aims to empower you to enhance the security and efficiency of your Azure DevOps pipeline when working with SAS Viya. By leveraging the capabilities of Azure Key Vault and following proven practices, you can ensure a robust and secure authentication process for your SAS Viya environment. As you embark on your journey of orchestrating SAS Viya tasks within your pipelines, this post can serve as a valuable resource, enabling you to navigate the intricacies of authentication seamlessly.

Version history
Last update:
‎02-19-2024 03:44 AM
Updated by:


Don't miss out on SAS Innovate - Register now for the FREE Livestream!

Can't make it to Vegas? No problem! Watch our general sessions LIVE or on-demand starting April 17th. Hear from SAS execs, best-selling author Adam Grant, Hot Ones host Sean Evans, top tech journalist Kara Swisher, AI expert Cassie Kozyrkov, and the mind-blowing dance crew iLuminate! Plus, get access to over 20 breakout sessions.


Register now!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Tags