Use Azure Key Vault secrets in your Pipeline

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

With Azure Key Vault, you can securely store and manage sensitive information such as passwords, API keys, and certificates. You can also use Key Vault to create and manage the encryption keys that protect your data, and to manage certificates for all your resources. In this article, you'll learn how to:

  • Create an Azure Key Vault.
  • Configure your Key Vault permissions.
  • Create a new service connection.
  • Query for secrets from your Azure Pipeline.

Prerequisites

Create an Azure Key Vault

  1. Navigate to Azure portal.

  2. Select Create a resource in the left navigation pane.

    A screenshot showing how to create a new resource in Azure portal.

  3. Search for Key Vault and then press Enter.

    A screenshot showing how to search for Azure Key Vault in Azure portal.

  4. Select Create to create a new Azure Key Vault.

    A screenshot showing how to create a new Azure Key Vault in Azure portal.

  5. Select your Subscription and then add a new Resource group. Enter a Key vault name and select a Region and a Pricing tier. Select Review + create when you're done.

    A screenshot showing the steps to create a new key vault in Azure portal.

  6. Select Go to resource when the deployment of your new resource is completed.

    A screenshot showing how to navigate to your resource in Azure portal.

Create a service principal

In this step, you create a new service principal in Azure so that Azure Pipelines can authenticate to Azure and query your Key Vault.

  1. Navigate to Azure portal.

  2. From the menu bar, select the >_ icon to open the Cloud Shell.

  3. Select PowerShell or leave it as Bash based on your preference.

  4. Run the following command to create a new service principal:

    az ad sp create-for-rbac --name YOUR_SERVICE_PRINCIPAL_NAME
    
  5. Your output should match the example below (the values shown are placeholders). Copy the output of your command now: the password is displayed only once, and you'll need it to create the service connection in the upcoming step. Treat it like any other credential and don't commit it to source control.

    {
      "appId": "p951q3e2-8e5r-z697-e9q52aviu8a2",
      "displayName": "MyServicePrincipal",
      "password": "***********************************",
      "tenant": "85wes2u6-63sh-95zx-2as3-qw58wex269df"
    }
    

Configure Key Vault access permissions

  1. Navigate to Azure portal.

  2. Select the key vault you created in the previous step.

  3. Select Access policies.

    A screenshot showing how to navigate to your key vault access policies in Azure portal.

  4. Select Add Access Policy to add a new policy.

  5. Under Secret permissions, select Get and List. Nothing more is needed: the pipeline task only reads secrets, so leave the key and certificate permissions and the remaining secret permissions unselected.

    A screenshot showing how to add get and list permissions to your key vault in Azure portal.

  6. Under Select principal, select to add a service principal and choose the one you created earlier.

  7. Select Save when you're done.

Note

Azure Key Vaults that use Azure role-based access control (Azure RBAC) are not supported.
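The portal steps above (create the vault, create the service principal, grant it Get and List on secrets) can be scripted with the Azure CLI. The script below is an added example and is not part of the original article; run it in Cloud Shell or anywhere `az login` has been done. The resource group, vault, principal names and the default location are placeholders passed on the command line, and the `valid_kv_name` check is this example's own pre-flight check of the Key Vault naming rules, not something the CLI exposes.

```shell
#!/bin/sh
# Added example (not from the original article): scripts the portal walkthrough
# with the Azure CLI and grants the principal only Get/List on secrets.
# Resource group, vault and principal names are placeholders given as arguments.
set -eu

# Key Vault names are public DNS labels: 3-24 characters, letters/digits/hyphens,
# starting with a letter, ending with a letter or digit, no consecutive hyphens.
valid_kv_name() {
  n=$1
  [ "${#n}" -ge 3 ] && [ "${#n}" -le 24 ] || return 1
  printf '%s\n' "$n" | grep -Eq '^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$' || return 1
  case $n in *--*) return 1 ;; esac
  return 0
}

create_kv_access() {
  rg=$1; kv=$2; sp=$3; loc=${4:-westeurope}
  valid_kv_name "$kv" || { echo "invalid key vault name: $kv" >&2; return 1; }

  az group create --name "$rg" --location "$loc" --output none
  # The article's task works with access policies, so pin that permission model
  # explicitly instead of relying on the CLI default for new vaults.
  az keyvault create --name "$kv" --resource-group "$rg" --location "$loc" \
    --enable-rbac-authorization false --output none

  # Double-check the permission model: the AzureKeyVault@1 flow in the article
  # does not work with vaults in Azure RBAC mode.
  mode=$(az keyvault show --name "$kv" --query properties.enableRbacAuthorization -o tsv)
  [ "$mode" != "true" ] || { echo "vault $kv is in RBAC mode" >&2; return 1; }

  # Without --role/--scopes, current CLI versions create the principal with no
  # role assignment: it can do nothing in the subscription beyond what the vault
  # policy grants. The JSON (including the one-time password) is printed for the
  # service connection step; do not commit or log it anywhere else.
  az ad sp create-for-rbac --name "$sp" --output json
  app_id=$(az ad sp list --display-name "$sp" --query '[0].appId' -o tsv)

  # Least privilege: only Get and List on secrets, nothing on keys or certificates.
  az keyvault set-policy --name "$kv" --spn "$app_id" \
    --secret-permissions get list --output none
  echo "granted get,list on secrets in $kv to $app_id"
}

# Usage: sh setup-kv.sh apply <resource-group> <vault-name> <principal-name> [location]
if [ "${1:-}" = "apply" ]; then
  create_kv_access "${2:?resource group}" "${3:?key vault name}" "${4:?principal name}" "${5:-}"
fi
```

The name check runs before any Azure call so a typo fails locally rather than after the resource group already exists; the RBAC-mode check enforces the note above at script time.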

Create a new service connection

  1. Sign in to your Azure DevOps organization, and then navigate to your project.

  2. Select gear icon Project settings, and then select Service connections.

  3. If you're setting up a service connection for the first time in your project, select Create service connection. If you've made service connections before, select New service connection.

  4. Select Azure Resource Manager, and then select Next.

  5. Select Service principal (manual), and then select Next.

  6. Select Subscription for the Scope Level, and fill in the required fields with information from the previously created service principal. Select Verify when you're done:

    • Service Principal Id: Your service principal appId.
    • Service Principal key: Your service principal password.
    • Tenant ID: Your service principal tenant.
  7. Provide a name for your service connection, and check the Grant access permission to all pipelines checkbox. Note that this authorizes every pipeline in the project to use the connection, and therefore to read the secrets it can reach; if you'd rather approve pipelines individually, leave it unchecked and authorize each pipeline when it first uses the connection.

  8. Select Verify and save when you're done.

    A screenshot showing how to create a new manual service principal service connection.

Query and use secrets in your pipeline

Using the Azure Key Vault task, we can fetch the value of our secret and use it in subsequent tasks in our pipeline. Each fetched secret becomes a secret pipeline variable named after the secret. Secret variables are never exposed to scripts automatically, so you must map them explicitly to environment variables on each step that needs them, as shown in the example below.

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'repo-kv-demo'                    ## YOUR_SERVICE_CONNECTION_NAME
    KeyVaultName: 'kv-demo-repo'                         ## YOUR_KEY_VAULT_NAME
    SecretsFilter: 'secretDemo'                          ## YOUR_SECRET_NAME. Default value: * (fetches every secret the principal can list)
    RunAsPreJob: false                                   ## Set to true to run the task before the job starts so the secret(s) are available to the whole job

- task: DotNetCoreCLI@2
  inputs:
    command: 'build'
    projects: '**/*.csproj'

# The fetched secret is the secret variable $(secretDemo); it is only visible to a
# step's process through an explicit env mapping like the one below.
- task: DotNetCoreCLI@2
  inputs:
    command: 'run'
    projects: '**/*.csproj'
  env:
    mySecret: $(secretDemo)

# env mappings are scoped to their own step, so this step maps the secret variable
# again rather than referencing the previous step's mySecret.
- bash: |
    echo "Secret Found! $MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(secretDemo)

The log output from the last bash step should look like this; the pipeline masks secret values in logs, so the value itself is replaced by ***:

Secret Found! ***

Note

If you want to query for multiple secrets from your Azure Key Vault, use the SecretsFilter argument to pass a comma-separated list of secret names: 'secret1, secret2'.
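The pipeline below is an added example of the multi-secret case and is not from the original article: it fetches two secrets, runs the task before the job so that every step can use them, and consumes them through explicit env mappings without ever printing the values. The secret names dbPassword and apiKey, and the connection and vault names, are placeholders chosen for this example.

```yaml
pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'repo-kv-demo'      ## YOUR_SERVICE_CONNECTION_NAME (placeholder)
    KeyVaultName: 'kv-demo-repo'           ## YOUR_KEY_VAULT_NAME (placeholder)
    SecretsFilter: 'dbPassword,apiKey'     ## name the secrets you need; avoid '*' so the job only pulls what it uses
    RunAsPreJob: true                      ## run before the job starts so every step, including pre-job steps of other tasks, sees the secrets

# Secret variables are not injected into a script's environment unless mapped here.
# Mapping also beats referencing $(dbPassword) inside the script body, where the
# value would be substituted into the script text before it runs.
- bash: |
    : "${DB_PASSWORD:?dbPassword was not fetched from Key Vault}"
    : "${API_KEY:?apiKey was not fetched from Key Vault}"
    # Use the values here; never echo them. Log masking is best effort and does
    # not recognise a value you transform first (for example base64-encoded).
    echo "both secrets are present"
  env:
    DB_PASSWORD: $(dbPassword)
    API_KEY: $(apiKey)
```

The `:?` parameter expansions fail the step with a clear message if a secret is missing, which is how a filter typo or a missing List permission on the vault shows up instead of as an empty string used silently downstream.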