Use Azure Key Vault secrets in your Pipeline
Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019
With Azure Key Vault, you can securely store and manage your sensitive information such as passwords, API keys, certificates, etc. using Azure Key Vault, you can easily create and manage encryption keys to encrypt your data. Azure Key Vault can also be used to manage certificates for all your resources.
- An Azure DevOps organization. Create one for free if you don't already have one.
- Your own project. Create a project if you don't already have one.
- Your own repository. Create a new Git repo if you don't already have one.
- An Azure subscription. Create a free Azure account if you don't already have one.
Create an Azure Key Vault
Navigate to Azure portal.
Select Create a resource in the left navigation pane.
Search for Key Vault and then click Enter.
Select Create to create a new Azure Key Vault.
Select your Subscription and then add a new Resource group. Enter a Key vault name and select a Region and a Pricing tier. Select Review + create when you are done.
Select Go to resource when the deployment of your new resource is completed.
Configure Key Vault access permissions
Before proceeding with the next steps, we must first create a service principal to be able to query our Azure Key Vault from Azure Pipelines. Follow the steps in the following how-to to Create a service principal and then continue with the next steps.
Navigate to Azure portal.
Select the key vault you created in the previous step.
Select Access policies.
Select Add Access Policy to add a new policy.
Add a Get and List to Secret permissions.
Under Select principal, select to add a service principal and choose the one you created earlier.
Select Save when you are done.
Query and use secrets in your pipeline
Using the Azure Key Vault task we can fetch the value of our secret and use it in subsequent tasks in our pipeline. One thing to keep in mind is that secrets must be explicitly mapped to env variable as shown in the example below.
pool: vmImage: 'ubuntu-latest' steps: - task: AzureKeyVault@1 inputs: azureSubscription: 'repo-kv-demo' ## YOUR_SERVICE_CONNECTION_NAME KeyVaultName: 'kv-demo-repo' ## YOUR_KEY_VAULT_NAME SecretsFilter: 'secretDemo' ## YOUR_SECRET_NAME. Default value: * RunAsPreJob: false ## Make the secret(s) available to the whole job - task: DotNetCoreCLI@2 inputs: command: 'build' projects: '**/*.csproj' - task: DotNetCoreCLI@2 inputs: command: 'run' projects: '**/*.csproj' env: mySecret: $(secretDemo) - bash: | echo "Secret Found! $MY_MAPPED_ENV_VAR" env: MY_MAPPED_ENV_VAR: $(mySecret)
The output from the last bash command should look like this:
Secret Found! ***
If you want to query for multiple secrets from your Azure Key Vault, use the
SecretsFilter argument to pass a comma-separated list of secret names: 'secret1, secret2'.
Submit and view feedback for