Use Azure Key Vault secrets in your Pipeline

Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019

With Azure Key Vault, you can securely store and manage sensitive information such as passwords, API keys and certificates. You can also use Azure Key Vault to create and manage the encryption keys that protect your data, and to manage certificates for all your resources.

Prerequisites

Create an Azure Key Vault

  1. Navigate to Azure portal.

  2. Select Create a resource in the left navigation pane.

  3. Search for Key Vault and then press Enter.

  4. Select Create to create a new Azure Key Vault.

  5. Select your Subscription and then add a new Resource group. Enter a Key vault name and select a Region and a Pricing tier. Select Review + create when you are done.

  6. Select Go to resource when the deployment of your new resource is completed.

Configure Key Vault access permissions

Before proceeding with the next steps, create the service principal that Azure Pipelines will use to query your Azure Key Vault; this is the identity behind the Azure Resource Manager service connection your pipeline references. Follow the steps in the Create a service principal how-to, then continue with the steps below.

  1. Navigate to Azure portal.

  2. Select the key vault you created in the previous step.

  3. Select Access policies.

  4. Select Add Access Policy to add a new policy.

  5. Under Secret permissions, select Get and List. These are the only permissions the Azure Key Vault task needs; do not grant Set, Delete or any management permissions to the pipeline's service principal.

  6. Under Select principal, choose the service principal you created earlier.

  7. Select Save when you are done.
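The two portal procedures above, creating the vault and granting the service principal read-only access to secrets, as an Azure CLI script. This is an added example and not part of the original page: the resource group, location and service principal names are assumptions, while the vault and secret names match the pipeline example on this page. The vault is created with the access-policy permission model explicitly, because that is the model the steps above configure.

```shell
#!/usr/bin/env bash
# Added example (not part of the original page): Key Vault creation and the
# least-privilege access policy as an Azure CLI script.
# RESOURCE_GROUP, LOCATION and SP_NAME are assumed names; KEY_VAULT_NAME and the
# secret name secretDemo match the pipeline YAML on this page.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-kv-demo}"     # assumed
LOCATION="${LOCATION:-westeurope}"                 # assumed
KEY_VAULT_NAME="${KEY_VAULT_NAME:-kv-demo-repo}"
SP_NAME="${SP_NAME:-sp-kv-demo-pipeline}"          # assumed

# Key Vault names are globally unique DNS labels: 3-24 characters, letters, digits
# and hyphens only, starting with a letter, ending with a letter or digit, and with
# no consecutive hyphens. Returns 0 when the name satisfies those rules.
validate_kv_name() {
  local name="$1"
  case "$name" in
    *--* | *-) return 1 ;;
  esac
  printf '%s' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9-]{2,23}$'
}

# Steps 1-6 of "Create an Azure Key Vault". The access-policy model is selected
# explicitly so that the policy granted below applies.
create_vault() {
  validate_kv_name "$KEY_VAULT_NAME" || {
    echo "invalid key vault name: $KEY_VAULT_NAME" >&2
    return 1
  }
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" --output none
  az keyvault create --name "$KEY_VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" --enable-rbac-authorization false --output none
}

# The service principal behind the pipeline's Azure Resource Manager service
# connection. Its password is printed once here and nowhere else: copy it into
# the service connection and never commit it.
create_principal() {
  az ad sp create-for-rbac --name "$SP_NAME"
}

# Looks up the appId (client ID) of that principal for the access policy.
principal_app_id() {
  az ad sp list --display-name "$SP_NAME" --query '[0].appId' --output tsv
}

# Steps 1-7 of "Configure Key Vault access permissions": the AzureKeyVault task
# only reads secrets, so the policy grants Get and List on secrets and nothing else.
grant_secret_read() {
  az keyvault set-policy --name "$KEY_VAULT_NAME" --spn "$1" \
    --secret-permissions get list --output none
}

# Stores the secret the pipeline example fetches through SecretsFilter.
put_demo_secret() {
  az keyvault secret set --vault-name "$KEY_VAULT_NAME" --name secretDemo \
    --value "$1" --output none
}

# Only talk to Azure when explicitly asked, so the file can be sourced safely.
if [ "${RUN_AZ_PROVISIONING:-0}" = "1" ]; then
  create_vault
  create_principal
  grant_secret_read "$(principal_app_id)"
  put_demo_secret "$(openssl rand -base64 32)"
fi
```

Run it with `RUN_AZ_PROVISIONING=1 ./provision.sh` after `az login`. The name check runs before any resource is created, because an invalid vault name is otherwise only reported after the resource group already exists.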

Query and use secrets in your pipeline

The Azure Key Vault task fetches the secret values and exposes each one as a secret pipeline variable, named after the secret, to the subsequent tasks in the job. Secret variables are not automatically available as environment variables: a script can only read a secret that has been explicitly mapped into its environment, as shown in the example below.

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'repo-kv-demo'                    ## YOUR_SERVICE_CONNECTION_NAME
    KeyVaultName: 'kv-demo-repo'                         ## YOUR_KEY_VAULT_NAME
    SecretsFilter: 'secretDemo'                          ## YOUR_SECRET_NAME. Default value: * (fetches every secret the principal can list)
    RunAsPreJob: false                                   ## true runs the task before every other step in the job; false makes the secrets available only to the steps that follow it

- task: DotNetCoreCLI@2
  inputs:
    command: 'build'
    projects: '**/*.csproj'

- task: DotNetCoreCLI@2
  inputs:
    command: 'run'
    projects: '**/*.csproj'
  env:
    mySecret: $(secretDemo)                              ## Map the secret pipeline variable into this step's environment explicitly

- bash: |
    echo "Secret Found! $MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(secretDemo)                     ## Map from the pipeline variable again; the env mapping of an earlier step (mySecret above) is not visible here

The output of the last bash step should look like this, with the secret value masked in the log:

Secret Found! ***
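A script step that checks the secret actually reached its environment, without echoing the value. This is an added example, not code from the original page: it assumes the step maps the secret into an environment variable named MAPPED_SECRET. The case it guards against is the one the mapping rule makes easy to get wrong: when the name on the right of an env mapping is not a pipeline variable (the task did not run first, SecretsFilter did not include the secret, or the mapping refers to another step's env var), Azure Pipelines leaves the `$(name)` macro unexpanded and the script silently receives that literal text.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): verifies that a Key Vault secret was
# mapped into this step's environment, without printing the value. Assumes a step
# such as (MAPPED_SECRET is an assumed name):
#   - bash: ./check_secret.sh
#     env:
#       MAPPED_SECRET: $(secretDemo)
set -eu

# Classifies a mapped value. Returns 0 when it looks like a resolved secret,
# 1 when it is empty, and 2 when it is an unexpanded macro such as "$(secretDemo)",
# which Azure Pipelines leaves behind when no pipeline variable of that name exists.
check_secret_value() {
  local value="$1"
  [ -n "$value" ] || return 1
  case "$value" in
    '$('*')') return 2 ;;
  esac
  return 0
}

# Reports the result with an Azure Pipelines logging command, so a bad mapping
# fails this step with a readable error instead of an empty value downstream.
# Only the variable name and, for an unexpanded macro, the literal macro text are
# logged; a resolved secret is never written out.
report_secret() {
  local name="$1"
  local value="$2"
  local rc=0
  check_secret_value "$value" || rc=$?
  case "$rc" in
    0) echo "$name: secret present" ;;
    1) echo "##vso[task.logissue type=error]$name is empty; check SecretsFilter and the env mapping" ;;
    2) echo "##vso[task.logissue type=error]$name was not expanded ($value); no pipeline variable with that name" ;;
  esac
  return "$rc"
}

# Runs only when the pipeline mapped the variable; harmless when sourced elsewhere.
if [ -n "${MAPPED_SECRET+x}" ]; then
  report_secret MAPPED_SECRET "$MAPPED_SECRET"
fi
```

Because the script exits non-zero on an empty or unexpanded value, the job stops at this step rather than running later tasks with a bogus credential.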

Note

If you want to query multiple secrets from your Azure Key Vault, use the SecretsFilter argument to pass a comma-separated list of secret names: 'secret1, secret2'. Leaving SecretsFilter at its default of * downloads every secret the service principal can list, which is usually more than the pipeline needs; name the secrets it actually uses.