Channel: damienbod – Software Engineering

Use Azure Key Vault for Secrets in Azure DevOps Pipelines


This blog shows how Azure Key Vault can be used in an Azure DevOps pipeline build. By keeping all secrets and certificates in Azure Key Vault, none of the initial secrets a solution requires need to be saved in code, configuration files, or other storage; the build reads them from the vault at run time.

Setup the Build Key Vault

An Azure Key Vault was added to an Azure subscription and the secrets required for the builds were created in it. In this example a secret called MySecret was created; it will be used in the Azure DevOps pipeline build.

Create the Pipeline to use the Key Vault

You can use the AzureKeyVault pipeline task to connect to the Key Vault and read its secrets in your build pipelines. It can be added directly to the yml file if you know the service connection (subscription) and the Key Vault name.

- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'Visual Studio Enterprise(ddd...)'   # Azure Resource Manager service connection
    KeyVaultName: 'damienbod'
    SecretsFilter: '*'   # '*' reads every secret in the vault; prefer a comma-separated list of the names the build needs

Azure DevOps also provides a UI to help you create the pipeline task. Each secret the task reads becomes a secret pipeline variable (for example $(MySecret)) that later tasks in the same job can use, and the agent masks its value in the logs. Note that YAML indentation must use spaces, not tabs.

Add the Build Pipeline permissions to the Key Vault

Before this will work, the build needs permission to read the Azure Key Vault. This is granted in the Azure Portal.

Open the Access Policies blade of the Key Vault and add a new policy. Choose the principal used by the DevOps build, that is, the identity behind the service connection named in azureSubscription (usually a service principal), and grant it the Get and List secret permissions; nothing more is needed for reading secrets.
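The vault setup and the access policy above can also be done from the Azure CLI, which makes the least-privilege grant reviewable and repeatable. The following PowerShell script is an added example and not the post's own code; the resource group, the location, and $PipelineAppId (the application ID of the service principal behind the azureSubscription service connection, shown under "Manage Service Principal" in Azure DevOps) are assumed placeholders, while the vault and secret names are the ones from the post.

```powershell
# Added example, not the post's own script: provision the build Key Vault and grant the
# pipeline's identity least-privilege read access with the Azure CLI instead of the portal.
# Assumed placeholders (not from the post): resource group, location, and $PipelineAppId,
# the application (client) ID of the service principal behind the 'azureSubscription'
# service connection (shown under "Manage Service Principal" in Azure DevOps).
param(
    [Parameter(Mandatory = $true)]
    [string]$PipelineAppId,                  # assumed: appId of the service connection's principal
    [string]$ResourceGroup = 'devops-rg',    # assumed resource group name
    [string]$Location      = 'westeurope',
    [string]$VaultName     = 'damienbod',    # vault name used in the post
    [string]$SecretName    = 'MySecret'      # secret name used in the post
)

$ErrorActionPreference = 'Stop'

function Assert-AzSuccess([string]$Step) {
    # az signals failure through its exit code; stop rather than continue with empty output.
    if ($LASTEXITCODE -ne 0) { throw "Azure CLI step failed: $Step" }
}

# Require an existing login: az never prompts inside a non-interactive pipeline.
az account show --output none
Assert-AzSuccess 'az account show (run az login first)'

# 1. Resource group and vault. Access-policy authorization is requested explicitly so the
#    policy step below applies whatever the CLI's default authorization model is.
az group create --name $ResourceGroup --location $Location --output none
Assert-AzSuccess 'az group create'
az keyvault create --name $VaultName --resource-group $ResourceGroup --location $Location `
    --enable-rbac-authorization false --output none
Assert-AzSuccess 'az keyvault create'

# 2. Seed the secret from a masked prompt so the value is never typed into shell history
#    or stored in a file. It still reaches az as a process argument; for a non-interactive
#    setup write it to a temporary file and pass --file instead of --value.
$secure = Read-Host -Prompt "Value for $SecretName" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
az keyvault secret set --vault-name $VaultName --name $SecretName --value $plain --output none
Assert-AzSuccess 'az keyvault secret set'
$plain = $null

# 3. Least privilege for the build: the AzureKeyVault task only needs Get and List on secrets.
#    No key, certificate, or write permissions are granted.
az keyvault set-policy --name $VaultName --spn $PipelineAppId --secret-permissions get list --output none
Assert-AzSuccess 'az keyvault set-policy'

# 4. Print the resulting policies so the grant can be reviewed before the first pipeline run.
az keyvault show --name $VaultName `
    --query "properties.accessPolicies[].{objectId:objectId, secrets:permissions.secrets}" --output table
Assert-AzSuccess 'az keyvault show'
```

Run it once from a workstation that is logged in with az login as a vault administrator; the pipeline identity itself never needs anything beyond the Get and List secret permissions the script grants in step 3.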

Use the Key Vault in an Azure CLI PowerShell script

The Key Vault can now be used in the pipeline. An Azure CLI task running a PowerShell Core script can be set up; the script then reads the Key Vault values.

- task: AzureCLI@2
  displayName: "Create resource group"
  inputs:
    azureSubscription: 'Visual Studio Enterprise(ddd...)'   # same service connection; az is logged in as its identity
    scriptType: 'pscore'          # run the script with PowerShell Core
    scriptLocation: 'scriptPath'
    scriptPath: 'createKeyVaultExistingRG.ps1'

The PowerShell file reads the secret from the Azure Key Vault using the Azure CLI command az keyvault secret show. By default this returns a JSON document, which has to be parsed to get the value; the value can then be used like any other PowerShell variable. (Passing --query value --output tsv to the same command returns the bare value and avoids the parsing step.)

# az returns the secret as a JSON document (id, value, attributes, ...)
$myKeyVaultSecret = az keyvault secret show --name "MySecret" --vault-name "damienbod"
# parse the JSON and take only the value property
$secretValue = ($myKeyVaultSecret | ConvertFrom-Json).value

# Write-Host $myKeyVaultSecret
# demo only: this writes the secret to the pipeline log
Write-Host "Value: $secretValue"

# the actual infrastructure step of this script
az group create -l westeurope -n "devops-rg"

The secret value is displayed in the build pipeline log, exactly as the script writes it. (Of course you would not normally print a secret to the console. Azure DevOps only masks values it knows as secret variables, such as those fetched by the AzureKeyVault task; a value read inside a script with az keyvault secret show is ordinary text to the agent and appears in plain text in the log.)

By using Key Vault and PowerShell scripts in this way, you can run your pipeline builds locally as well as in Azure DevOps Pipelines. When running locally, all you need to do is log in with az login and make sure the identity used for the login has access rights to the Key Vault. Next steps would be to prepare the infrastructure and configurations for dev, test and production builds.
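A hardened version of the script pattern above, written as an added example and not the post's createKeyVaultExistingRG.ps1: it reads the bare value with --query, fails the build if the read does not succeed, never writes the value to the log, and, when running under an agent, registers it as a masked secret variable for later tasks in the same job. It runs unchanged locally after az login. The pipeline variable name MySecretVar and the resource group are assumed; the vault damienbod and the secret MySecret are the names from the post.

```powershell
# Added example, not the post's createKeyVaultExistingRG.ps1: read the secret with the bare
# value query, fail the build if it cannot be read, keep the value out of the log, and hand
# it to later tasks in the job as a masked secret variable. Works locally after az login.
# Assumed: the variable name 'MySecretVar' and the resource group; vault 'damienbod' and
# secret 'MySecret' are the names from the post.
param(
    [string]$VaultName     = 'damienbod',
    [string]$SecretName    = 'MySecret',
    [string]$VariableName  = 'MySecretVar',   # assumed name for the pipeline variable
    [string]$ResourceGroup = 'devops-rg',     # assumed resource group name
    [string]$Location      = 'westeurope'
)

$ErrorActionPreference = 'Stop'

function Get-KeyVaultSecretValue {
    param([string]$Vault, [string]$Name)
    # --query value --output tsv returns just the value, so there is no JSON to parse and
    # no JSON document that could accidentally be echoed into the log.
    $value = az keyvault secret show --vault-name $Vault --name $Name --query value --output tsv
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($value)) {
        # Usual causes: not logged in, identity lacks the Get permission, wrong secret name.
        throw "Could not read secret '$Name' from vault '$Vault'"
    }
    return $value
}

function Register-PipelineSecret {
    param([string]$Variable, [string]$Value)
    # Azure DevOps logging command: the agent stores the value as a secret variable that later
    # tasks in the same job read as $(Variable), and masks it in the log output.
    # TF_BUILD is only set on a pipeline agent, so nothing is emitted when run locally.
    if ($env:TF_BUILD -eq 'True') {
        Write-Host "##vso[task.setvariable variable=$Variable;issecret=true]$Value"
    }
}

$secret = Get-KeyVaultSecretValue -Vault $VaultName -Name $SecretName

# Prove the read worked without writing the value (or even its length) to the log.
Write-Host "Read secret '$SecretName' from vault '$VaultName'; value not logged."

Register-PipelineSecret -Variable $VariableName -Value $secret

# The original script's infrastructure step, now guarded by an exit-code check.
az group create --location $Location --name $ResourceGroup --output none
if ($LASTEXITCODE -ne 0) { throw "az group create failed for '$ResourceGroup'" }
```

A later task in the same job can then reference the value as $(MySecretVar), the same way it would reference $(MySecret) after the AzureKeyVault task; in both cases the agent knows the value is a secret and masks it if it is ever printed.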

Links:

https://dev.azure.com/

https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops

https://docs.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-show

https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli

https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/package/nuget?view=azure-devops

https://docs.microsoft.com/en-us/azure/devops/pipelines/ecosystems/dotnet-core?view=azure-devops

https://zimmergren.net/using-azure-key-vault-secrets-from-azure-devops-pipeline/

