AzureDevOps: Deploying Secrets from Azure Pipelines
https://c.statcounter.com/11943055/0/16ca2229/0/
Introduction
We know that Web Apps secrets can be managed from azure key vault using some secrets.json/secrets.xml. There is another easy way of handling the secrets without hanging anything from the code like installing Nuget package/referring Azure Keyault in the code. Here we are going to use simple way in AzureDevOps Release pipeline and Deploy Azure App Service Task for managing all our secrets.
Step 1 - Remove secrets from the code
Remove all your secrets/connection string from your code before check-in to the source control.
Step 2 - Create secrets in Azure Key Vault
Create an Azure Key Vault and add all your secrets in the Key Vault. You can see the below reference on how to create secrets in azure key vault.
Step 3 - Azure DevOps Magic
Now It's time to do some magic in Azure DevOps
- We will create a new Azure Release Pipeline in Azure DevOps( You can see the below reference section on how to create a azure release pipeline)
- Hereafter all you need is a single task to add in the pipeline which is called "Azure App Service Deploy" and make sure who have the version 3.* (0r) higher - Please note that version is IMPORTANT HERE this will not work with the below version
- Now, we are going to bring our secrets from azure keyvault into our release pipeline through **Variable groups.**So, lets create a variable group
Variables->Variable Groups -> Manage Variable Groups
-
- It will open a new tab, from there you can create a new variable group.
-
- While creating the variable group,you need the enable the toggle bar called Link secrets from an Azure Key vault as variables - This lets you to access your azure subscription and key-vault like below
-
- Then you can add all your secrets in to the variable group using the Add button at the bottom. Once you added, this will look like below
-
- Save your variable group then come back into the previous tab where you can link the variable group into our pipeline.(like below)
- Now we can go into the Deploy Azure App Service Task and find the Application and configuration setting *(Which will be available only from Ver 3.*) *
This is place where we will assign the the values for our secrets from the variable groups,depends on your configuration like whether App Settings/Configuration settings m, you need to select and the menu and follow the below instruction
- Click the three dots menu from where you want to add configuration, for this demo I choose App Settings and start adding the config values which you need to retrieve from azure key vault
The Name column should be equal to your original config name and the value should be dollar ($) surrounded with the name of the secrets from the key vault (see below)
Here Deploy Azure App Task internally using powershell to retrieve the secrets from key vault, so we need to use $ for that.
- That's it save all your works, and run the release pipeline. After the run, you can see the below steps in the logs, where pipeline will download the secrets from key vault into the variable group during only the run-time, also it was not able to view as naked in the logs
If you click the Deploy Azure App Service logs and look closely at the end of it, you can find that our configuration values are getting updated.
Step 4 - Verification in Azure Portal
Let's verify that our actual values are getting updated in the azure portal.
And there is it , we deployed our App without worrying about the secrets.
Conclusion
Managing secrets will be a very important as well as difficult task for developers as well a DevOps.But using azure key vault and azure DevOps we can now seamlessly deploy our application without having worry about reveling the secrets.As mentioned in the topic all the secrets can be managed in Azure Pipelines in both build and release pipeline with the help of variable groups, which means you can also do this in build pipeline as well.
References
- Creating secrets in Azure Key Vault- https://blogs.msdn.microsoft.com/benjaminperkins/2018/06/13/create-an-azure-key-vault-and-secret/
- Creating azure release pipeline in Azure DevOps- /en-us/azure/devops/pipelines/get-started-designer?view=vsts&tabs=new-nav#create-a-release-pipeline
- Managing Secrets using app.secrets and azure key vaults- https://social.technet.microsoft.com/wiki/contents/articles/51871.net-core-2-managing-secrets-in-web-apps.aspx