Search code examples
azure-devopsazure-pipelinesazure-pipelines-tasks

Unable to download secure files conditionally in Azure Pipelines

Question I am using DownloadSecureFile@1 task to download Secure files. The issue occurs when in Azure DevOps, in the Library's secure files section, only file_A.txt exists. The script works fine when both files exists.

In my case, a user A will only need file_A.txt, user B will only need file_B.txt. Is this an expected behavior? Any possible workarounds to fulfill the use-case?

Error Message: There was a resource authorization issue: "The pipeline is not valid. Job Job: Step fileB input secureFile references secure file file_B.txt which could not be found. The secure file does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz."

Code:

parameters:
- name: file_name
  type: string
  default: ''
  values:
    - file_A.txt
    - file_B.txt


pool:
  vmImage: ubuntu-latest
steps:
    - task: DownloadSecureFile@1
      displayName: Download File A
      condition: eq('${{ parameters.file_name }}', 'file_A.txt')
      name: fileA
      inputs:
        secureFile: 'file_A.txt'        

    - task: DownloadSecureFile@1
      displayName: Download file B
      condition: eq('${{ parameters.file_name }}', 'file_B.txt')
      name: fileB
      inputs:
        secureFile: 'file_B.txt'
Solution

  • Instead of using the condition on the tasks you can surround the step with an if-statement as described in use parameters to determine what steps run

    parameters:
- name: file_name
  type: string
  default: ''
  values:
    - file_A.txt
    - file_B.txt

pool:
  vmImage: ubuntu-latest
steps:
- ${{ if eq(parameters.file_name, 'file_A.txt') }}:
  - task: DownloadSecureFile@1
    displayName: Download File A
    name: fileA
    inputs:
      secureFile: 'file_A.txt'        
- ${{ if eq(parameters.file_name, 'file_B.txt') }}:
  - task: DownloadSecureFile@1
    displayName: Download file B
    name: fileB
    inputs:
      secureFile: 'file_B.txt'

    However if every user needs exactly one file, a common (and cleaner) option would be to provide the name of the file needed as a parameter. If a secure file is not needed (i.e the parameter is the default empty) the step can be excluded using an if statement

    parameters:
- name: file_name
  type: string
  default: ''
  values:
    - file_A.txt
    - file_B.txt

pool:
  vmImage: ubuntu-latest
steps:
- ${{ if ne(parameters.file_name, '') }}:
  - task: DownloadSecureFile@1
    displayName: Download Secure File 
    name: secureFileDownload
    inputs:
      secureFile: '${{ parameters.file_name }}'