Use Azure Key Vault for Secrets in Azure DevOps Pipelines

This blog shows how Azure Key Vault can be used in an Azure DevOps Pipeline build. By using Azure Key Vault to handle all your secrets or certificates, no secrets need to be saved to code, files, or other storage for the initial secrets required in a solution.

Set up the Build Key Vault

An Azure Key Vault was added to an Azure subscription and secrets were created which are required for the builds. In this example a secret was created called MySecret. This will be used in the Azure DevOps pipeline build.

Add the Build Pipeline permissions to the Key Vault

Before this will work, the build needs permission to access the Azure Key Vault. This can be added in the Azure Portal.

Open the Access Policies in the Key Vault and add a new one. Choose the principal used by the DevOps build.

Use the Key Vault in an Azure CLI PowerShell script

The Key Vault can now be used in the pipeline. An Azure CLI task which runs a PowerShell Core script can be set up, and the script reads the Key Vault values.

- task: AzureCLI@2
  displayName: "Create resource group"
  inputs:
    azureSubscription: 'Visual Studio Enterprise(ddd...)'
    scriptType: 'pscore'
    scriptLocation: 'scriptPath'
    scriptPath: 'createKeyVaultExistingRG.ps1'

The PowerShell file accesses the Azure Key Vault using the Azure CLI with az keyvault secret show. This returns a JSON string which needs to be parsed for the value. It can then be used like any PowerShell variable.

# az keyvault secret show returns the whole secret object as JSON
$myKeyVaultSecret =  az keyvault secret show --name "MySecret" --vault-name "damienbod"
# parse the JSON and take only the "value" property
$secretValue = ($myKeyVaultSecret | ConvertFrom-Json).value

# Write-Host $myKeyVaultSecret
# for demonstration only: this prints the secret into the build log
Write-Host "Value: $secretValue"

az group create -l westeurope -n "devops-rg"

The Key Vault value is displayed in the build pipeline, as defined in the script. (Of course you would not normally print the secret in the console…)
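As an added example (not the script from this post), a hardened version of the same step: it reads the value directly with --query so no JSON parsing is needed, fails the build when the lookup returns nothing, and, when running inside Azure Pipelines, registers the value as a masked secret variable instead of printing it. The vault, secret and resource group names are the ones used above; the Get-KeyVaultSecretValue function is mine, and $env:TF_BUILD is the variable the Azure Pipelines agent sets for every job.

```powershell
# Added example, not the original createKeyVaultExistingRG.ps1.
# Assumes the Azure CLI is already logged in: az login locally, or the
# AzureCLI@2 task's service connection inside the pipeline.

function Get-KeyVaultSecretValue {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName
    )
    # --query value -o tsv returns only the secret value, so the full secret
    # object never has to be parsed or held in a variable.
    $value = az keyvault secret show --vault-name $VaultName --name $SecretName --query value -o tsv
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($value)) {
        # Stop the build instead of continuing with an empty secret. The error
        # names the secret, never its value.
        throw "Could not read secret '$SecretName' from Key Vault '$VaultName' (az exit code $LASTEXITCODE)"
    }
    return "$value".Trim()
}

$secretValue = Get-KeyVaultSecretValue -VaultName "damienbod" -SecretName "MySecret"

if ($env:TF_BUILD -eq "True") {
    # Inside Azure Pipelines: hand the value to the agent as a secret variable.
    # Values set with issecret=true are masked (shown as ***) in all later log
    # output of the job, so a stray Write-Host of $(MySecret) does not leak it.
    Write-Host "##vso[task.setvariable variable=MySecret;issecret=true]$secretValue"
}
# Outside the pipeline (az login on a developer machine) the logging command
# above would just print the secret, so it is skipped there.

# Log only the fact that the secret was loaded, never its contents.
Write-Host "Loaded secret 'MySecret' from Key Vault 'damienbod' (length $($secretValue.Length))"

az group create -l westeurope -n "devops-rg"
if ($LASTEXITCODE -ne 0) { throw "az group create failed with exit code $LASTEXITCODE" }
```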

By using Key Vault and PowerShell scripts in this way, you can run your pipeline builds locally and also in Azure DevOps Pipelines. When running locally, all you need to do is log in with az login and make sure the identity used in the login has access rights to the Key Vault. Next steps would be to prepare the infrastructure and configurations for dev, test and production builds.

Links:

https://dev.azure.com/

https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops

https://docs.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-show

https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli

https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/package/nuget?view=azure-devops

https://docs.microsoft.com/en-us/azure/devops/pipelines/ecosystems/dotnet-core?view=azure-devops

https://zimmergren.net/using-azure-key-vault-secrets-from-azure-devops-pipeline/

4 comments

  1. […] Use Azure Key Vault for Secrets in Azure DevOps Pipelines (Damien Bowden) […]

  2. […] Use Azure Key Vault for Secrets in Azure DevOps Pipelines – Damien Bowden […]

  3. Mohd Aslam

    Why to do this way where we have direct integration of KV with pipeline?

    1. Hi Mohd

      You can run locally then without Azure DevOps for test and development

      Greetings Damien
