Use Azure Key Vault for Secrets in Azure DevOps Pipelines

This post shows how Azure Key Vault can be used in an Azure DevOps Pipeline build. By letting Azure Key Vault hold all your secrets and certificates, none of the initial secrets a solution requires need to be saved in code, files, or other storage.

Set up the Build Key Vault

An Azure Key Vault was added to an Azure subscription and the secrets required for the builds were created in it. In this example a secret called MySecret was created; it will be used in the Azure DevOps pipeline build.

Add the Build Pipeline permissions to the Key Vault

Before this will work, the build needs permission to access the Azure Key Vault. This can be granted in the Azure Portal.

Open Access Policies in the Key Vault and add a new policy. Choose the principal used by the DevOps build.

Use the Key Vault in an Azure CLI PowerShell script

The Key Vault can now be used in the pipeline. An Azure CLI task that runs a PowerShell Core script can be set up to read the Key Vault values.

- task: AzureCLI@2
  displayName: "Create resource group"
  inputs:
    azureSubscription: 'Visual Studio Enterprise(ddd...)'
    scriptType: 'pscore'
    scriptLocation: 'scriptPath'
    scriptPath: 'createKeyVaultExistingRG.ps1'

The PowerShell file reads the secret from the Azure Key Vault using the Azure CLI command az keyvault secret show. This returns a JSON string, which is parsed to extract the value; the value can then be used like any PowerShell variable.

# Read the secret from Key Vault; az returns a JSON document describing the secret
$myKeyVaultSecret = az keyvault secret show --name "MySecret" --vault-name "damienbod"
# Parse the JSON and take the "value" property
$secretValue = ($myKeyVaultSecret | ConvertFrom-Json).value

# Write-Host $myKeyVaultSecret
# Printed here only to show that the lookup works; a real pipeline would not log the secret
Write-Host "Value: $secretValue"

# The same script can go on to use the Azure CLI, here to create a resource group
az group create -l westeurope -n "devops-rg"

The secret value is displayed in the build pipeline output, as defined in the script. (Of course you would not normally print the secret in the console…)

By using Key Vault and PowerShell scripts in this way, you can run your pipeline builds locally as well as in Azure DevOps Pipelines. When running locally, all you need to do is log in with az login and make sure the identity used for the login has access rights to the Key Vault. Next steps would be to prepare the infrastructure for dev, test and production builds and configurations.
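The script above prints the secret to show that the lookup works. The following is an added example, not code from the original post, of how the same lookup can be written so that it works both locally (after az login) and on the Azure DevOps agent without ever echoing the value. The vault name "damienbod" and the secret name "MySecret" come from the post; the function name Get-KeyVaultSecretValue and the pipeline variable name AppSecret are assumptions made for this example.

```powershell
# Added example (not from the original post). Assumed names: the function
# Get-KeyVaultSecretValue and the pipeline variable AppSecret.
function Get-KeyVaultSecretValue {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName
    )
    # --query value -o tsv makes the Azure CLI return only the secret value,
    # so no JSON parsing is needed and the rest of the response is never kept.
    $value = az keyvault secret show --name $SecretName --vault-name $VaultName --query value -o tsv
    # A failed az call (not logged in, missing access policy, wrong name) must stop
    # the build instead of silently continuing with an empty value.
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($value)) {
        throw "Could not read secret '$SecretName' from vault '$VaultName' (check az login and the Key Vault access policy)."
    }
    return $value
}

$secretValue = Get-KeyVaultSecretValue -VaultName "damienbod" -SecretName "MySecret"

# TF_BUILD is set by the Azure DevOps agent; it is absent when the script runs locally.
if ($env:TF_BUILD) {
    # Register the value as a secret pipeline variable: later steps can read it as
    # $(AppSecret) and the agent masks it wherever it would appear in the build log.
    Write-Host "##vso[task.setvariable variable=AppSecret;issecret=true]$secretValue"
}

# Report that the lookup succeeded without revealing the value itself.
Write-Host "Retrieved secret MySecret ($($secretValue.Length) characters) from Key Vault"

az group create -l westeurope -n "devops-rg"
```

Locally the script behaves exactly like the original apart from not printing the value; in the pipeline the issecret=true logging command keeps the value out of the log even if a later step accidentally echoes the variable.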
