Use Azure Key Vault secrets in your Pipeline

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

With Azure Key Vault, you can securely store and manage your sensitive information such as passwords, API keys, certificates, etc. using Azure Key Vault, you can easily create and manage encryption keys to encrypt your data. Azure Key Vault can also be used to manage certificates for all your resources. In this article, you'll learn how to:

• Create an Azure Key Vault.
• Configure your Key Vault permissions.
• Create a new service connection.
• Query for secrets from your Azure Pipeline.

Prerequisites

• An Azure DevOps organization. Create one for free if you don't already have one.
• Your own project. Create a project if you don't already have one.
• Your own repository. Create a new Git repo if you don't already have one.
• An Azure subscription. Create a free Azure account if you don't already have one.

Create an Azure Key Vault

Note

Azure Key Vaults that use Azure role-based access control (Azure RBAC) are not supported.

Azure portal

1. Navigate to Azure portal.

2. Select Create a resource in the left navigation pane.

   

3. Search for Key Vault and then press Enter.

   

4. Select Create to create a new Azure Key Vault.

   

5. Select your Subscription and then add a new Resource group. Enter a Key vault name and select a Region and a Pricing tier. Select Review + create when you're done.

   

6. Select Go to resource when the deployment of your new resource is completed.

   

Azure CLI

1. First we need to set our default region and Azure subscription.

   • Set default subscription:

   az account set --subscription <your_subscription_name_or_subscription_ID>
   

   • Set default region:

   az config set defaults.location=<your_region>
   

2. Create a new resource group to host your Azure Key Vault. A resource group is a container that holds related resources for an Azure solution.

   az group create --name <your-resource-group>
   

3. Create a new Azure Key Vault.

   az keyvault create \
     --name <your-key-vault-name> \
     --resource-group <your-resource-group>
   

Create a service principal

In this step, we will create a new service principal in Azure, enabling us to query our Azure Key Vault from Azure Pipelines.

1. Navigate to Azure portal.

2. From the menu bar, select the >_ icon to open the Cloud Shell.

3. Select PowerShell or leave it as Bash based on your preference.

4. Run the following command to create a new service principal:

   az ad sp create-for-rbac --name YOUR_SERVICE_PRINCIPAL_NAME
   

5. Your output should match the example below. Be sure to copy the output of your command, as you will need it to create the service connection in the upcoming step.

   {
     "appId": "p951q3e2-8e5r-z697-e9q52aviu8a2",
     "displayName": "MyServicePrincipal",
     "password": "***********************************",
     "tenant": "85wes2u6-63sh-95zx-2as3-qw58wex269df"
   }
   

Configure Key Vault access permissions

1. Navigate to Azure portal.

2. Select the key vault you created in the previous step.

3. Select Access policies.

   

4. Select Add Access Policy to add a new policy.

5. Add a Get and List to Secret permissions.

   

6. Under Select principal, select to add a service principal and choose the one you created earlier.

7. Select Save when you're done.

Create a new service connection

1. Sign in to your Azure DevOps organization, and then navigate to your project.

2. Select Project settings, and then select Service connections.

3. If you're setting up a service connection for the first time in your project, select Create service connection. If you've made service connections before, select New service connection.

4. Select Azure Resource Manager, and then select Next.

5. Select Service principal (manual), and then select Next.

6. Select Subscription for the Scope Level, and fill in the required fields with information from the previously created service principal. Select Verify when you're done:

   • Service Principal Id: Your service principal appId.
   • Service Principal key: Your service principal password.
   • Tenant ID: Your service principal tenant.

7. Provide a name for your service connection, and make sure you check the Grant access permission to all pipelines checkbox.

8. Select Verify and save when you're done.

   

Query and use secrets in your pipeline

Using the Azure Key Vault task we can fetch the value of our secret and use it in subsequent tasks in our pipeline. One thing to keep in mind is that secrets must be explicitly mapped to env variable as shown in the example below.

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'repo-kv-demo'                    ## YOUR_SERVICE_CONNECTION_NAME
    KeyVaultName: 'kv-demo-repo'                         ## YOUR_KEY_VAULT_NAME
    SecretsFilter: 'secretDemo'                          ## YOUR_SECRET_NAME. Default value: *
    RunAsPreJob: false                                   ## Make the secret(s) available to the whole job

- task: DotNetCoreCLI@2
  inputs:
    command: 'build'
    projects: '**/*.csproj'

- task: DotNetCoreCLI@2
  inputs:
    command: 'run'
    projects: '**/*.csproj'
  env:
    mySecret: $(secretDemo)

- bash: |
    echo "Secret Found! $MY_MAPPED_ENV_VAR"        
  env:
    MY_MAPPED_ENV_VAR: $(mySecret)

The output from the last bash command should look like this:

Secret Found! ***

Note

If you want to query for multiple secrets from your Azure Key Vault, use the SecretsFilter argument to pass a comma-separated list of secret names: 'secret1, secret2'.

Related articles

• Manage service connections
• Define variables
• Publish Pipeline Artifacts