I have an Azure DevOps Infrastructure as Code (IaC) setup allowing users to deploy virtual machines using Terraform pipelines and to access them using SSH or RDP.

For the moment, the process is the following:

  • Repositories host virtual machine settings. A user creates a branch of a repository and runs a pipeline on this branch to create their own virtual machine.
  • The pipeline creates an instance of a virtual machine based on the branch settings, generates a password to access the VM, stores it in a Key Vault and prints the password in the pipeline's output.
  • The user retrieves the VM password from the pipeline output.

The issue is that it's not possible to have access control over branches (i.e. read access), and any user having access to a repository can access the pipeline outputs of all branches and retrieve the password, and thus can access the instances of other users.

How can I make passwords readable only to the users (or groups of users) running a pipeline from their own branches?
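As an added example (not part of the question or the asker's pipeline), the following Azure Pipelines job keeps the generated password out of the build log and grants read access on that one Key Vault secret only to the identity that queued the run. It assumes the vault uses Azure RBAC rather than access policies, that the pipeline's service connection may create role assignments, and that the service connection name `vm-iac-sc` and vault name `vm-iac-kv` are placeholders.

```yaml
# Added example: one job that stores the VM password in Key Vault without
# echoing it and scopes access to the requesting user. Names are placeholders.
trigger: none

jobs:
- job: deploy_vm
  pool:
    vmImage: ubuntu-latest
  steps:
  - task: AzureCLI@2
    displayName: Generate password, store it, grant access to the requester
    inputs:
      azureSubscription: vm-iac-sc          # placeholder service connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        VAULT=vm-iac-kv                     # placeholder vault name
        # One secret per branch; Key Vault names allow only [A-Za-z0-9-].
        SECRET_NAME="vm-$(printf '%s' "$BRANCH" | tr -cd 'A-Za-z0-9-')-password"
        PASSWORD=$(openssl rand -base64 24)

        # Register the value as a secret so the agent masks it in the log
        # if a later step prints it by accident.
        echo "##vso[task.setvariable variable=vmPassword;issecret=true]$PASSWORD"

        # --output none matters: the default output of 'secret set' echoes the value.
        az keyvault secret set --vault-name "$VAULT" --name "$SECRET_NAME" \
          --value "$PASSWORD" --output none

        # Grant 'Key Vault Secrets User' on this single secret only, to the
        # person who queued the run (Build.RequestedForEmail is a built-in variable).
        VAULT_ID=$(az keyvault show --name "$VAULT" --query id -o tsv)
        az role assignment create --assignee "$REQUESTER" \
          --role "Key Vault Secrets User" \
          --scope "$VAULT_ID/secrets/$SECRET_NAME" --output none

        # The original behaviour (do not do this): anyone with read access to
        # the repository can read the job log of every branch.
        # echo "VM password: $PASSWORD"

        echo "Password stored as secret '$SECRET_NAME' in vault '$VAULT'."
        echo "Retrieve it with: az keyvault secret show --vault-name $VAULT --name $SECRET_NAME --query value -o tsv"
    env:
      BRANCH: $(Build.SourceBranchName)
      REQUESTER: $(Build.RequestedForEmail)
```

Role assignments can take a minute or two to propagate, so the retrieval command may initially return a 403 for the requester.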
