Inject Azure Key vault secrets into Azure DevOps Pipeline.

Azure Key Vault helps to securely store and manage sensitive information such as keys, passwords, certificates, etc, this prevents from exposing confidential information in source code, When working with Azure DevOps, you might need to use sensitive information like Service Principals or API keys, you can integrate pipeline with key vault with few steps and read secrets securely without configuring in Build Pipeline.

There are two way to retrieve secrets from Azure Key Vault into Pipelines

  1. Pipeline Task – Secrets are available with in the pipeline only.
  2. Variables Groups – Secrets are available across all the pipelines.

In this Post, we will look into retrieving secrets using pipeline task , will look into Variable groups in another post.

Lets Get Started.

I already have Key vault created and added couple of sample key to use from with in Pipeline, please refer Microsoft documentation for Key vault creation.

Create Service Connection in Azure DevOps organization.

Service connections enable you to connect to external and remote services to execute tasks in a job. For example, Microsoft Azure subscription, to a different build server or file server, to an online continuous integration environment, or to services you install on remote computers.

Add Key Vault Task to Pipeline.
  1. Go to Project Settings in Azure DevOps Organization.
  2. Click Service Connection and Add New Service Connection. Fill in the parameters for the service connection. The list of parameters differs for each type of service connection – see the following list.

  3. Check Grant Access Permission to all Pipelines option to allow YAML pipelines use this service connection.
  4. Choose Save to create the connection.

Add Key Vault task to pipeline
  1. Go to project in Azure DevOps and create a new Yaml Pipeline line or select existing.
  2. Select show assistant to expand the assistant panel. This panel provides convenient and searchable list of pipeline tasks.

  3. Search for vault and select the Azure Key Vault task.
  4. Select and authorize the Azure subscription you used to create your Azure key vault earlier. Select the key vault and select Add to insert the task at the end of the pipeline. This task allows the pipeline to connect to your Azure Key Vault and retrieve secrets to use as pipeline variables.

  5. SecretsFilter ‘*’ retrieves all secrets , you can also add comma separate list to get specific secrets.
  6. KeyVault values can be referred in the Pipeline by using syntax $(secretname).
  7. I’m writing to text file and publishing for testing.
  8. Save Pipeline(don’t run yet).
Set up Azure Key Vault access policies
  1. Go to Key Vault you want to integrate with Pipeline.
  2. Under Settings Select Access policies.
  3. Select Add Access Policy to add a new policy.
  4. For Secret permissions, select Get and List.
  5. Select the option to select a principal and search for yours.
    A security principal is an object that represents a user, group, service, or application that’s requesting access to Azure resources. Azure assigns a unique object ID to every security principal. The default naming convention is [Azure DevOps account name]-[Azure DevOps project name]-[subscription ID] 

  6. Select Add to create the access policy.
  7. Select Save.
Run and test Secrets retrieval in Pipeline.
  1. Run the pipeline, that was created earlier.

  2. Return to pipeline summary and select the published artifact.
  3. Under Job select the secret.txt file to view it.

  4. The text file contains our secret: ClientId

Secrets, Passwords should never be exposed in source code or pipelines. key Vault can be directly integrated with App Services, Function apps and Pipelines to retrieve secrets securely.

Inject Azure Key vault secrets into Azure DevOps Pipeline.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s