Tech Talk Corner Sign up with your email address to be the first to know about new publications

Azure DevOps and Azure Key Vault

Whether you are starting to use Azure DevOps or you have been using it for a while, integrating DevOps with Azure Key Vault is a fundamental skill to have. Today I’ll show you a couple of ways to integrate Azure DevOps and Azure Key Vault. 

This blog post will explain how to use Azure Key Vault secrets in Azure DevOps. For the examples, I’ll use release pipelines. You can follow similar steps for using build pipelines. 

Why two methods? 

  1. If you are planning to use Azure Key Vault only for a specific Job within DevOps and this information is not valuable to be shared across multiple pipelines, use the built-in Azure Key Vault task to get secrets. 
  1. If you are planning on using Azure Key Vault secrets across multiple pipelines and jobs, I recommend having a look at the Variable Groups described in the last tutorial.  

Why should I use Azure Key Vault in Azure DevOps? 

To begin, Azure Key Vault allows you to securely store and maintain credentials. You don’t want to hardcode any sensitive information in your pipelines in Azure DevOps. 

I highly suggest checking it out, especially when working with Azure Data Services and doing CI/CD.  

Create Azure DevOps Service connection for Azure 

First, you need to grant Azure DevOps access to your Azure subscription. The following method allows you to do this without writing a single line of code. 

In Azure DevOps, navigate to Service Connections and create a new one. 

Create new service connection in Azure DevOps

Select “Azure Resource Manager.” 

Azure resource manager

Now, select Service Principal as the authentication method between Azure DevOps and Azure. This option creates a service principal for you. 

Service principal

Next, fill out the configuration of the connection as shown below. If you are concerned about security, you can define a most granular level (by selecting a specific resource group). 

Your new connection is ready and Azure DevOps has direct access to managing your Azure subscription. 

Give Azure DevOps access to Azure Key Vault 

Second, click on service connection and then Manage Service Principal. 

This takes you to the Azure Portal. Copy the Application (Client) ID. You will come back to Azure DevOps for the final integration, so stay in the Azure portal. 

Azure portal - copy application ID

In your Azure Key Vault, select Access Policies and Add Access Policy. 

To work with secrets, “Get” and “List” are the correct permissions. If you are going to work with Keys or Certificates, you need to customize them based on your needs. 

Secrets get and list

Click to add a Service Principal and paste the Application (Client) ID that you previously copied.  Find the service principal and click Select. 

Click Add. 

add access policy

Finally, click Save. Your Azure DevOps has access to work with information created in Azure Key Vault. 

For the next tutorials, you are going to be working with a few demo secrets. 

Azure DevOps and Key Vault with built-in task  

Back in Azure DevOps, it’s time to start using Azure Key Vault. For this example, I’ll use a release pipeline, but you can follow the same steps for a build pipeline and YAML.  

New release pipeline

Click Empty Job.  

Then, click jobs and tasks. 

At the Agent Job level, click to add a new task. 

Add a task to Agent job

There is a pre-built Azure Key Vault task that you can use.  

This task will get information from Azure Key Vault (in this case, secrets) so you can use them in the following steps. 

Note:  

The secrets extracted from Azure Key Vault will become variables in our pipeline. For example: rgName can be referenced as a variable by using $(rgName). 

Configure Azure Key Vault task: 

  1. Previously created service connection 
  1. Key Vault name 
  1. Secrets can be filtered by name (* will list and get all the secrets) 
Configure Azure Key Vault task

For testing purposes, add a new task and search for PowerShell. 

Change the configuration to Inline and add the following code before clicking Save. 

Write-Host "Resource Group name variable $(rgName)" 

Write-Host "Connection String variable $(azSqlConnectionString)" 

If you have created a Release Pipeline, click Create to trigger it. 

Let’s check the progress. Click the Release link. 

Scroll over your stage and click Logs. 

You can see that one of the steps is accessing Azure Key Vault, listing and getting the secrets. 

Click that step to see more information. 

You can also click the test PowerShell script to see the code. 

PowerShell script

By design (and this is a good thing), the values of the secrets are hidden with *. The variables are now available so you can use them in any steps. 

Azure DevOps and Key Vault with a group of variables  

As you saw before, if you have to create multiple pipelines and stages, this means that you need to include the Azure Key Vault task multiple times. To avoid this, Azure allows you to create a Variable Group and connect it to Azure Key Vault. 

First, click to add a new Variable Group in the library. 

Then, enable the option to connect Azure Key Vault and select your service connection and Azure Key Vault. Click Add variables. 

This option allows you to select variables (secrets) that will be relevant to your environment.  

Choose secrets

Save the Variable Group. 

Now, you will see that the variable group becomes available and it has a different icon. 

Create Release Pipeline 

Let’s finish the integration and try to use that Variable Group. Create a New Release pipeline.  

Create a new release pipeline

Click Empty Job. 

Click Variables.  

In Variables groups, you can Link an existing variable group. 

Link an existing variable group

Select the Variable Group. It’s possible to use different groups for different stages (context). For this demo, you will select Release as the context. 

You can see the variables available so they can be used in your pipeline. 

Click Jobs and Tasks to create a task to test them. 

Add a PowerShell task to the Agent Job. 

Include the following code inline to your PowerShell task and click Save. 

Write-Host "Resource Group name variable $(rgName)" 

Write-Host "Connection String variable $(azSqlConnectionString)" 

Create a release so you can test it. 

Create a release to test

Just like the previous tutorial, click the release link. 

Select logs. 

You will see an additional step to get Secrets from Azure Key Vault. 

Get secrets from Azure Key Vault

Click the step to see more information. 

Click the PowerShell step to see the output. 

As discussed previously, by design, you cannot see the values of the variables, but you can use them in any steps. 

Summary 

In this blog post, you learned two different ways to take advantage of Azure Key Vault in Azure DevOps. Both methods require 0 coding skills and they work at different context levels. 

What’s Next?  

In upcoming blog posts, we’ll continue to explore some of the features within Azure Services.       

Please follow Tech Talk Corner on Twitter for blog updates, virtual presentations, and more!     

As always, please leave any comments or questions below.  

Check out these other posts

comment [ 0 ]
share
No tags 0

No Comments Yet.

Do you want to leave a comment?

Your email address will not be published. Required fields are marked *