Use Azure Key Vault secrets in your Pipeline
Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019
Azure Key Vault securely stores and manages sensitive information such as passwords, API keys and certificates. It also lets you create and manage the encryption keys that protect your data, and it can manage certificates for all of your resources.
Prerequisites
- An Azure DevOps organization. Create one for free if you don't already have one.
- Your own project. Create a project if you don't already have one.
- Your own repository. Create a new Git repo if you don't already have one.
- An Azure subscription. Create a free Azure account if you don't already have one.
Create an Azure Key Vault
Navigate to Azure portal.
Select Create a resource in the left navigation pane.
Search for Key Vault and then press Enter.
Select Create to create a new Azure Key Vault.
Select your Subscription and then add a new Resource group. Enter a Key vault name and select a Region and a Pricing tier. Select Review + create when you are done.
Select Go to resource when the deployment of your new resource is completed.
Configure Key Vault access permissions
Before proceeding, create the service principal that Azure Pipelines will use to query the key vault: follow the steps in the how-to Create a service principal, then continue below. The Azure Pipelines service connection authenticates as this principal, so keep it dedicated to this purpose and grant it only the permissions listed here.
Navigate to Azure portal.
Select the key vault you created in the previous step.
Select Access policies.
Select Add Access Policy to add a new policy.
Under Secret permissions, select Get and List. The pipeline task only reads secrets, so leave the remaining Secret permissions and all Key and Certificate permissions unchecked.
Under Select principal, select to add a service principal and choose the one you created earlier.
Select Save when you are done.
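The same setup done from the command line, as an added example that is not part of the original page: it creates the key vault from the first procedure, then the service principal and the access policy from the second one, grants only Get and List on secrets, verifies the policy the vault actually holds, and stores a first secret. The Azure CLI is assumed to be installed and logged in; the resource names, region, service principal name and the Reader role assignment are assumptions you can override through the environment variables at the top. Commands are printed as a dry run unless APPLY=1 is set, so the plan can be reviewed before anything is created.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the vault, service principal and
# access policy of the two procedures above, created with the Azure CLI.
# Resource names, the region, the SP name and the Reader role are assumptions.
# The only vault permission granted is Get and List on secrets, as the page describes.
set -eu

RG="${RG:-rg-kv-demo}"
LOCATION="${LOCATION:-eastus}"
KV_NAME="${KV_NAME:-kv-demo-repo}"
SP_NAME="${SP_NAME:-sp-repo-kv-demo}"
SECRET_NAME="${SECRET_NAME:-secretDemo}"
SP_CREDS_FILE="${SP_CREDS_FILE:-./sp-credentials.json}"

# The *_cmd functions only build command lines, so they can be reviewed or
# tested without a subscription; apply_cmd runs a line, or prints it in dry run.
kv_create_cmd() {   # vault name, resource group, region
  # --enable-rbac-authorization false keeps the access-policy permission model
  # the portal steps above use, instead of Azure RBAC on the vault.
  printf 'az keyvault create --name %s --resource-group %s --location %s --enable-rbac-authorization false' "$1" "$2" "$3"
}

sp_create_cmd() {   # SP display name, scope of the role assignment
  # Pass --role and --scopes explicitly: older CLI versions assigned Contributor
  # on the whole subscription when neither was given. Reader on the resource
  # group is an assumption about what the service connection needs to validate.
  printf 'az ad sp create-for-rbac --name %s --role Reader --scopes %s' "$1" "$2"
}

kv_policy_cmd() {   # vault name, SP appId
  printf 'az keyvault set-policy --name %s --spn %s --secret-permissions get list' "$1" "$2"
}

kv_secret_cmd() {   # vault name, secret name, file holding the value
  # --file keeps the value out of the shell history and the process list.
  printf 'az keyvault secret set --vault-name %s --name %s --file %s' "$1" "$2" "$3"
}

# Post-check: given the secret permissions the vault reports for the SP (space
# or tab separated, as -o tsv prints them), succeed only if nothing beyond
# get/list was granted.
secret_permissions_are_minimal() {
  perm=
  for perm in $1; do
    case "$(printf '%s' "$perm" | tr '[:upper:]' '[:lower:]')" in
      get|list) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

apply_cmd() {   # run the command only when APPLY=1; otherwise print it to stderr
  if [ "${APPLY:-0}" = 1 ]; then
    eval "$1"
  else
    printf 'dry-run: %s\n' "$1" >&2
  fi
}

main() {
  umask 077   # files created below are readable by the owner only
  sub_id="$(apply_cmd 'az account show --query id -o tsv')"
  scope="/subscriptions/${sub_id}/resourceGroups/${RG}"
  apply_cmd "az group create --name ${RG} --location ${LOCATION}" >/dev/null
  apply_cmd "$(kv_create_cmd "$KV_NAME" "$RG" "$LOCATION")" >/dev/null

  # The JSON (appId, password, tenant) is what the Azure DevOps service
  # connection needs; delete the file as soon as the connection exists.
  apply_cmd "$(sp_create_cmd "$SP_NAME" "$scope")" >"$SP_CREDS_FILE"
  app_id="$(apply_cmd "az ad sp list --display-name ${SP_NAME} --query '[0].appId' -o tsv")"
  apply_cmd "$(kv_policy_cmd "$KV_NAME" "$app_id")" >/dev/null

  # Verify the policy the vault actually holds for this SP. The directory object
  # id field of the SP is `id` in current CLI versions (`objectId` in old ones).
  sp_oid="$(apply_cmd "az ad sp show --id ${app_id} --query id -o tsv")"
  granted="$(apply_cmd "az keyvault show --name ${KV_NAME} --query \"accessPolicies[?objectId=='${sp_oid}'].permissions.secrets | [0]\" -o tsv")"
  if ! secret_permissions_are_minimal "$granted"; then
    echo "unexpected secret permissions for ${SP_NAME}: ${granted}" >&2
    exit 1
  fi

  # Store a secret for the pipeline to fetch, passing the value through a temp file.
  tmp="$(mktemp)"; trap 'rm -f "$tmp"' EXIT
  head -c 24 /dev/urandom | base64 | tr -d '\n' >"$tmp"
  apply_cmd "$(kv_secret_cmd "$KV_NAME" "$SECRET_NAME" "$tmp")" >/dev/null
  echo "done: vault ${KV_NAME}, SP ${SP_NAME} (credentials in ${SP_CREDS_FILE}), secret ${SECRET_NAME}"
}

main
```

Run it once without APPLY to read the plan, then with APPLY=1 to create the resources. Note that az keyvault create also adds a broad access policy for the identity that runs it; review the vault's accessPolicies afterwards and remove any entry the pipeline does not need.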
Query and use secrets in your pipeline
The Azure Key Vault task fetches the value of each selected secret and stores it as a secret pipeline variable, which later tasks in the job can reference as $(secretName). Secret variables are not exposed to scripts as environment variables automatically; as the example below shows, you must map them explicitly with env:.
pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'repo-kv-demo' ## YOUR_SERVICE_CONNECTION_NAME
    KeyVaultName: 'kv-demo-repo' ## YOUR_KEY_VAULT_NAME
    SecretsFilter: 'secretDemo' ## YOUR_SECRET_NAME. Default value: * (fetches every secret the service principal can list)
    RunAsPreJob: false ## true: fetch before the job starts so every task in the job can read the secret(s); false: only the steps after this task can

- task: DotNetCoreCLI@2
  inputs:
    command: 'build'
    projects: '**/*.csproj'

- task: DotNetCoreCLI@2
  inputs:
    command: 'run'
    projects: '**/*.csproj'
  env:
    mySecret: $(secretDemo) ## map the secret variable into this task's environment

- bash: |
    echo "Secret Found! $MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(secretDemo) ## map the secret variable itself; mySecret above is only an environment variable of the previous task, not a pipeline variable
The output of the last bash step should look like this; the value is printed as *** because Azure Pipelines masks secret variable values in the log:
Secret Found! ***
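The echo in the pipeline above only works because the log masks the exact secret string. As an added example that is not part of the original page, here is the body of a bash step that consumes the mapped secret without relying on that masking: it fails the step early when the env: mapping is missing, logs a one-way fingerprint instead of the value, and shows how a value derived from the secret is handed to later steps as a masked secret variable. The variable name follows the pipeline above; the fingerprint length and the TF_BUILD guard (a variable Azure Pipelines sets on its agents) are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: a bash step body that uses the
# secret mapped as MY_MAPPED_ENV_VAR without writing it to the log.
set -eu

# Fail the step if the secret was not mapped with env:. Secret variables are
# never exposed to scripts automatically, so a missing mapping otherwise shows
# up later as a confusing authentication failure. The ##vso line is an Azure
# Pipelines logging command that records the error in the job summary.
require_secret() {   # name of the environment variable to check
  case "$1" in
    ''|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 1 ;;
  esac
  # Indirect lookup through eval; the name was validated above.
  if [ -z "$(eval "printf '%s' \"\${$1:-}\"")" ]; then
    echo "##vso[task.logissue type=error]${1} is not set; map the Key Vault secret with env: on this step"
    return 1
  fi
  return 0
}

# Log a short SHA-256 fingerprint instead of the value. The log masks only the
# exact secret string: anything derived from it (base64, a URL that embeds it)
# is printed in clear, so derive something one-way before logging.
secret_fingerprint() {   # secret value on stdin; prints the first 12 hex chars of its SHA-256
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -c1-12
  else
    shasum -a 256 | cut -c1-12
  fi
}

# Hand a value derived from the secret to later steps as a secret variable, so
# the log masks it too. Prints the logging command; echo it to stdout in the
# step to have the agent act on it.
publish_secret_variable() {   # variable name, value
  printf '##vso[task.setvariable variable=%s;issecret=true]%s' "$1" "$2"
}

main() {
  require_secret MY_MAPPED_ENV_VAR
  fp="$(printf '%s' "$MY_MAPPED_ENV_VAR" | secret_fingerprint)"
  echo "Secret Found! sha256 fingerprint: ${fp}"
  # Pass the value to tools through a file or their own environment variable,
  # never as a command-line argument (arguments appear in the process list and
  # in verbose logs). Assumption for this example: a later step wants an
  # "api-key" header value built from the secret.
  publish_secret_variable apiKeyHeader "ApiKey ${MY_MAPPED_ENV_VAR}"
  echo
}

# Run only on an Azure Pipelines agent (TF_BUILD is set there), so the
# functions can be sourced and tested elsewhere.
if [ "${TF_BUILD:-}" = "True" ]; then
  main
fi
```

In the pipeline, map the secret onto the step with env: exactly as in the YAML above and use this script as the step's body; a later step then reads $(apiKeyHeader), which the agent masks in the log like any other secret variable.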
Note
To fetch several secrets from the key vault, pass a comma-separated list of names in SecretsFilter: 'secret1, secret2'. The default value, *, fetches every secret the service principal is allowed to list, so name only the secrets the pipeline actually needs.