Add Google JSON Auth file in Azure DevOps Release Pipeline

What is Json Auth File?

To understand what Json Auth File is for we need to know what Google Service Accounts stands for. As it stands in the documentation “A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.” “Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate to Google: Google – managed keys and user-managed keys.” And that is what Json Auth File stands for.

More on this can be read on:
Google Cloud – Service accounts
Google Cloud – Verifying credentials

If we try to explore the Json auth file we can see that it’s format looks like this:

  "type": "",
  "project_id": "",
  "private_key_id": "",
  "private_key": "",
  "client_id": "",
  "auth_uri": "",
  "token_uri": "",
  "auth_provider_x509_cert_url": "",
  "client_x509_cert_url": ""

We will use this file to Authenticate our Azure DevOps account with the Google console. That way we will be able to manage our deploys right from there.

How to use the Json Auth File.

Lets navigate to our project on Azure DevOps.

First, we need to securely store our Json Auth file. To make that possible, save the file under Pipelines->Library by adding new secure file on +Secure file button

The next thing to do is to edit the existing release pipeline for our app. Go into the tasks of the stage that deploys the app. Before “Google Play – Release Bundle” task add one more:

Download Secure File

  1. Download Secure File
    1. Add in the tasks “Download Secure File” task by Matt Labrum. Optionally you can use the other task by Microsoft Corporation.
    2. In Display name add a representative name for your task e.g. “Download Secure Json File”.
    3. In Secure file choose the json file that we previously added in the Library.
    4. In the Target path folder we set the folder to download where the file needs to be downloaded. Because this is a secure file we need to be sure that when the job completes whether it succeeds, fails, or is canceled, the secure file is deleted from its download location. That’s why we have to set the target folder as $(mySecureFile.secureFilePath) or $(Agent.TempDirectory)
    5. In Target file name choose a name that will represent the json file e.g. “ourappjsonfile.json”

Once we have that all set up our task will look something like this:

Download secure file task
- task:
  displayName: 'Download Secure Json File'
    fileInput: ourappjsonfile.json
    targetPath: '$(Agent.TempDirectory)'
    targetName: ourappjsonfile.json

After the set up the job should look something like this:

Add changes to the Google play task

Navigate to the Google Play – Release Bundle task.

  1. In the Authentication method choose Json Auth File
  2. Once that is chosen new field will appear JSON key path. Put the Target path folder/Target file name from the Download secure task. It should look something like this: $(Agent.TempDirectory)/ourappjsonfile.json

Save & Queue.

Authenticate Google Play with Azure DevOps

Why we need the Google Play service connection?

We use the service connections to connect an external service for the purpose to execute tasks in a job. To release a Xamarin.Android app (or any other Android app in general) more particularly an executable file .apk/.aab through Azure DevOps we have two authentication methods to connect to Google Play store. By Service connection or by using the Json Auth File. For both methods the first few steps are the same and in the end decide which method we prefer more. To achieve that we need first to set up the Service account. (If you want to learn more on service accounts read the link: Google Cloud – Service accounts

Create Service account on Google Play Console

Navigate to Google Play Console. Note that to make these changes we need to have owner role. Once logged in with the correct role follow these steps:

  • Select Settings from the menu.
  • From Developer account menu choose API access Sub Menu
  • At the bottom section Service Accounts choose Create Service Account. We will be provided with a few steps that need to be done in order to create a service account. Let’s see them in details:
    • Press on +Create service account
    • Add service account name, we can see that the Service account ID is created for us, we can make some changes by editing the field independently
    • Service account description is optional so we can leave it empty for now
  • By clicking create we will proceed on the second steps
    • To have full access to all resources choose for role: Project -> Owner
  • By clicking Continue we will proceed to the last step
    • Here you can grant access for more users or groups. But since it is optional let’s leave it empty for now.
  • By clicking Done new service account will be created.
  • Navigate to Service account details by clicking on created service account.
    • At the bottom under Key section choose Add Key
    • Choose JSON
    • The Json File will be automatically created and downloaded locally on our PC
  • Get back to Google Play Console, we can now see that under Service accounts new account was created for us. Just accept the premissions, and add some edits if needed.

Authorize Azure DevOps with Google Play

  • Under Authentication method choose the preferred method for your pipeline

Authorize Azure DevOps with Google Play using the JSON Auth File

  • If you you choose JSON Auth File the new required field JSON key path will appear.

Authorize Azure DevOps with Google Play using Service connection

  • If you you choose Service connection the new required field Service connection will appear.

Here we have two options, to create a connection for this particular project by clicking the +New button or to add global Service by clicking on Manage. If you have multiple projects on the same Google play console account I would prefer setting that is in the Service connection under Project Settings – by clicking Manage.

  • By choosing the second option, we will be directed to Project settings -> Service connections
  • Search for Google Play and choose it. Click Next. Open the downloaded .json file
    • In Service Account E-mail copy the client_email value from the .json file
    • In Private Key copy the private_key value from the .json file
    • In Service connection name add Connection Name you find representative for this connection
    • Description is optional so let’s leave it empty by now

Click save.

  • Navigate back to Release task and refresh the Service connection field. The connection will appear. Choose it and save.


Release Android App Bundle for Xamarin.Android apps using Azure DevOps

In this article, we are going to explain how to release the artifact to Google Play store created from a previous successful build. For more on how to create a build pipeline visit this link: Android App bundle for Xamarin.Android Apps Using Azure DevOps build pipeline

Let’s start

Navigate to Releases sub-menu from the Pipelines menu and create a new release pipeline or edit the existing one. If you are going with a new release pipeline choose an empty job as a template. Once that is done New release pipeline will be added, ready for edits.

By clicking on Add an artifact choose as source type the build definition you used for building the solution and creating the artifact file. It should look something like this:

By pressing on the Add button the artifact will be linked and ready to proceed to the stage. Next, select the stage that is intended to deploy the app to Play store and navigate to Tasks.

If we search for Google Play tasks we can see there are several different tasks for deploying the app to the store. If we were about to choose the oldfashioned way for deploying the app to Play Store by providing a .apk file we would have chosen the Google Play – Release task. But because now we have the .aab file we need the Google Play – Release Bundle task.

By adding the task we can see there are several fields that are required for successful deployment:

  1. Service connection – Google Play service connection that is configured with your account credentials.
  2. Application id ( – The application id of the bundle you want to release, e.g.
  3. Bundle path – path to the bundle (.aab) file you want to publish to the specified track. Wildcards can be used. For example, */.aab to match the first APK file, in any directory.

One by one

Lets take a look at them, one by one:

  1. Service connection:
    Here is needed to authenticate with Play Store service so we can upload our .aab file. There are two methods for authentication: by using a Service connection or the Json Auth File. More on how to perform that see on this link: Authenticate Google Play with Azure DevOps. Once that is set correctly we are able to connect to the store and have a secure delivery for the app from this to that service.
  1. Application id (
    This refers to the package name. You can check that in your AndroidManifest.xml file
  1. Bundle path
    Choose the .aab file you want to deploy from linked artifats.

And finally select the track you want to publish the bundle to. The Internal is selected by default.

There are other additional options in the pipeline that can be defined but with this is enough to deploy the app successfully to Play store.

Save & Create a release.

Android App Bundle for Xamarin.Android apps using Azure DevOps and App Center

Few days passed since the amazing event – Xamarin Experts Day and most of the questions I got were how to support the new presented upload format Android App Bundle – .aab using Azure DevOps and AppCenter since my topic was DevOps: Continuous delivery for Xamarin application, Azure DevOps and App Center, and in the demo I was using a Xamarin.Android build definition.

Note: The source code used for the build definition can be found on Github

And YES, more than expected, because many of us has seen this warning when creating a release on Play Store.

Further more, this awesome new publishing format will allow us to deliver smaller app, optimized for lots of devices and factors. If still not using it do not worry, Xamarin team already took care for all. You can read more in the Official site for Android developers or in the initial support for Xamarin.Android in Xamarin.Android 9.4 release notes and the Xamarin.Android 10.0 release notes

Android App Bundle with Azure DevOps

Prepare your app

Before looking into the processes, let’s take a look at the steps that need to be done, so your app will be prepared for deployment in this format.

Set AndroidPackageFormat property. It can be done by adding these lines of code in the .csproj file for the Android project.

<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">



Edit your build definition

With all this set up navigate to Azure DevOps and edit the Android build definition. The definition that builds the app should look something like this:

For now just disable the current Xamarin.Android task that builds the Android app with Xamarin. It is important not to delete it because soon this feature will be available directly in this task. But let’s take a look at the alternative for now. 

Search for MsBuild task, that builds with MSBuild. After adding it, in the Project field set your Android .csproj file and set the MsBuild options like they are on your Xamarin.Android task. 

Next thing to do is to add additional arguments for the build. Set these arguments in the MSBuild Arguments field:








When AndroidPackageFormat is set as shown above, the SignAndroidPackage will create the .aab file in the bin directory, respectively in the chosen build configuration folder – the Release folder.

In the AndroidSigningKeyStore set the path where you store your .keystore file, if downloading from Secure Files – Library, check the target path folder inserted in the Download Secure File task.

After setting all these your YAML should look something like this:


- task: MSBuild@1

  displayName: 'Build XamExpertsDay App'


    solution: XamExpertsDay.Android/XamExpertsDay.Android.csproj

    msbuildArchitecture: x64

    msbuildArguments: '-t:SignAndroidPackage -p:Configuration=Release -p:AndroidKeyStore=True -p:AndroidSigningKeyStore=$(KeyStoreName) -p:AndroidSigningStorePass=$(KeyStorePass) -p:AndroidSigningKeyAlias=$(KeyStoreAlias) -p:AndroidSigningKeyPass=$(KeyPass)'

Running this task will sign the app, so the Android Signing task will no longer be needed. Disable that task, or just simply remove it.

Few more additional steps

The MSBuild will create the .aab file in the bin folder within the Android Project folder. If the folder or file path you want to publish is Artifact staging directory or Binary directory and you want to continue using them in the artifact for publishing, add the Copy files task in between and move the .aab file there. For source folder set the path to .aab file and for target folder the publishing path.

After filling in this the YAML for Copy files task should look something like this:


- task: CopyFiles@2

  displayName: 'Copy .aab to Binaries directory'


    SourceFolder: '$(System.DefaultWorkingDirectory)/XamExpertsDay.Android/bin/$(BuildConfiguration)/com.xamexpertsday.devopsdemo-Signed.aab'

    TargetFolder: '$(build.binariesdirectory)/$(BuildConfiguration)'

With setting all these the build definition should look like this:

Next redeploy the app, and everything will be ready for publishing.

Once we have the .aab file the build artifacts we will probably need to deploy it on the Play Store. To see how to do that visit this link: Release Android App Bundle for Xamarin.Android apps using Azure DevOps

Android App Bundle with App Center

For App Center just use the simple switch, that can be found by editing the already existing Android Build Definition.

Save & Build. Done 🙂