Maintaining secrets in Azure Key Vault so that we can limit individual's access

Aravind Dilip Kumar 20 Reputation points
2024-10-08T23:02:19.6866667+00:00

I’m trying to understand the best practices around maintaining secrets in key vaults:

  • Question 1: Should we give infrastructure access to Azure Key Vault and give the team members access to maintain the secrets?
  • Question 2: The second option is to have a script that reads the values from an ADO variable group and then adds/updates them in the key vault.

I was trying to implement the second option so that we can have all the secrets managed from a single place and this is what happens.

The plan was to have the variables that are supposed to be in Key Vault start with the static string KeyVault_ and then read those using az pipelines variable-group show --group-id $GROUP_ID, but as expected the value is empty for secret values. How can I achieve a similar approach and update the Key Vault secrets from ADO secrets?

# Assumes: PowerShell 7+, Azure CLI with the azure-devops extension, `az login` done,
# `az devops configure --defaults organization=... project=...` set, and $GROUP_ID / $KeyVaultName defined.
# -AsHashtable is needed so that .GetEnumerator() exists on the variables object.
# For variables marked secret the API returns "value": null, which is what the loop below hits.
$variable_group = az pipelines variable-group show --group-id $GROUP_ID --output json | ConvertFrom-Json -AsHashtable

$variable_group.variables.GetEnumerator() | ForEach-Object {
    if ($_.Key.StartsWith("KeyVault_")) {
        $SecretName  = $_.Key -replace "^KeyVault_", ""   # anchored: strip only the leading prefix
        $SecretValue = $_.Value.value                      # $null when isSecret = true

        if ($SecretValue) {
            Write-Output "Creating secret for $SecretName."
            az keyvault secret set --vault-name $KeyVaultName --name $SecretName --value $SecretValue --output none
            if ($LASTEXITCODE -ne 0) { throw "az keyvault secret set failed for '$SecretName'." }
            Write-Output "Added secret '$SecretName' to Key Vault '$KeyVaultName'."
        } else {
            Write-Warning "No value found for variable '$($_.Key)'."
        }
    }
}

How can I get the value for $SecretValue assigned properly? I've tried `$($_.Key)` but with no luck!


1 answer

  1. Vinodh247 34,661 Reputation points MVP Volunteer Moderator
    2024-10-09T00:27:17.76+00:00

    Hi Aravind Dilip Kumar,

    Thanks for reaching out to Microsoft Q&A.

    Best Practices for Managing Secrets in Azure Key Vault:

    Question 1: Should we give infrastructure access to Azure Key Vault and have team members manage the secrets directly?

    • It’s generally not recommended to give team members direct access to maintain secrets in Azure Key Vault unless absolutely necessary. Instead, you can use RBAC to limit access to Key Vault and ensure that infrastructure components (such as applications) access secrets securely through managed identities. This limits human access, reducing the risk of accidental exposure or mismanagement of secrets.

    Question 2: How to implement a script-based approach to manage Key Vault secrets from Azure DevOps (ADO)?

    • The approach you mentioned can work well, but there is a challenge when accessing secret values directly from the ADO pipeline variable groups. AFAIK, Azure DevOps hides secret values for security reasons.

    Here’s how you can solve this issue and implement the second approach:

    1. Use ADO Pipeline Variables and Key Vault Integration: Instead of trying to retrieve secrets directly from the variable groups, leverage the Azure DevOps Key Vault integration. With this, you can define secrets in the Key Vault, and then ADO pipelines can securely access those secrets without needing to store sensitive information in variable groups.
    2. Use PowerShell and ADO Secret Variables: Since secret values are masked when using ADO variables, you'll need a different approach to read secrets securely from Key Vault and ensure they are updated.
    3. Handle Secrets Securely: If ADO pipeline secrets are stored in a variable group, but you can't see them directly (due to security masking), you should instead integrate the Key Vault Secrets task in your pipeline. This task can securely pull secrets from Azure Key Vault and make them available to the pipeline.

    Alternative: Using the Azure DevOps Library for Key Vault integration:

    • Azure DevOps supports Key Vault integration directly via the Library section. Instead of maintaining secrets in variable groups, you can connect the ADO Library to your Azure Key Vault. This ensures that all secrets are centrally managed in Key Vault, and only infrastructure (like the pipeline) has access.

    Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.
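The following pipeline is an added example illustrating both points of the answer above; it is not code from the question, the answer, or Microsoft's documentation. It assumes a variable group named app-secrets containing two secret variables, KeyVault_DbPassword and KeyVault_ApiKey, a vault named kv-example-dev that uses the RBAC permission model, and an Azure Resource Manager service connection named sc-azure-dev. The first job shows the one working way to get secret variable values into a script (secret values are never returned by the REST API and are never exported to the environment unless each one is mapped explicitly under env:), then writes them to Key Vault; the second job shows the recommended direction, pulling secrets from Key Vault with the AzureKeyVault task so nothing sensitive needs to live in a variable group at all.

```yaml
# azure-pipelines.yml (added example, not from the original post).
# Assumed names: variable group app-secrets, vault kv-example-dev, service connection sc-azure-dev.
#
# One-time setup, run by an administrator and not by the pipeline, so that only the
# service connection's service principal holds a data-plane role on the vault
# (humans change a secret by editing the variable group and re-running this pipeline):
#   az role assignment create --assignee-object-id <sp-object-id> \
#     --assignee-principal-type ServicePrincipal \
#     --role "Key Vault Secrets Officer" --scope <vault-resource-id>

trigger: none

variables:
- group: app-secrets
- name: keyVaultName
  value: kv-example-dev
- name: serviceConnection
  value: sc-azure-dev

jobs:
- job: push_secrets
  displayName: Copy KeyVault_* variables from the variable group into Key Vault
  pool:
    vmImage: ubuntu-latest
  steps:
  - task: AzureCLI@2
    displayName: az keyvault secret set
    inputs:
      azureSubscription: $(serviceConnection)
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        # Only the variables mapped under env: below are visible here.
        $failed = 0
        foreach ($var in (Get-ChildItem env: | Where-Object Name -like 'KeyVault_*')) {
          # Key Vault secret names must match ^[0-9a-zA-Z-]+$, so underscores become dashes.
          $name = $var.Name.Substring('KeyVault_'.Length) -replace '_', '-'
          if ($name -notmatch '^[0-9a-zA-Z-]+$') {
            Write-Warning "Skipping '$($var.Name)': '$name' is not a valid secret name"; $failed++; continue
          }
          if ([string]::IsNullOrEmpty($var.Value)) {
            Write-Warning "Skipping '$($var.Name)': value is empty (is it mapped under env:?)"; $failed++; continue
          }
          # Hand the value over in a file instead of --value so it never shows up in the agent's process list.
          $tmp = New-TemporaryFile
          try {
            [System.IO.File]::WriteAllText($tmp.FullName, $var.Value)   # no trailing newline
            az keyvault secret set --vault-name $env:KEYVAULT_NAME --name $name --file $tmp.FullName --output none
            if ($LASTEXITCODE -ne 0) { throw "az keyvault secret set failed for '$name'" }
            Write-Host "Set secret '$name' in vault '$env:KEYVAULT_NAME'"
          } finally {
            Remove-Item $tmp.FullName -Force
          }
        }
        if ($failed -gt 0) { throw "$failed variable(s) were not written to Key Vault" }
    env:
      KEYVAULT_NAME: $(keyVaultName)
      # Each secret variable has to be mapped by name; unmapped secrets stay invisible to the script.
      KeyVault_DbPassword: $(KeyVault_DbPassword)
      KeyVault_ApiKey: $(KeyVault_ApiKey)

- job: use_secrets
  displayName: Consume secrets straight from Key Vault
  dependsOn: push_secrets
  pool:
    vmImage: ubuntu-latest
  steps:
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: $(serviceConnection)
      KeyVaultName: $(keyVaultName)
      SecretsFilter: 'DbPassword,ApiKey'   # fetch only what this job needs, not '*'
      RunAsPreJob: false
  - pwsh: |
      # The task created masked pipeline variables DbPassword and ApiKey; again they must be mapped under env:.
      if ([string]::IsNullOrEmpty($env:DB_PASSWORD)) { throw 'DbPassword was not fetched from Key Vault' }
      Write-Host "DbPassword fetched ($($env:DB_PASSWORD.Length) characters)"   # never echo the value itself
    env:
      DB_PASSWORD: $(DbPassword)
```

Two design points worth noting. The only identity with a role on the vault is the service principal behind sc-azure-dev; a consumer pipeline that only reads can be given a separate service connection with the narrower Key Vault Secrets User role. And once the second job is in place, the variable group is no longer the source of truth: the secret lives in Key Vault, is versioned and audited there, and can be rotated without touching Azure DevOps, which is the point the answer above makes about keeping humans out of the secret path.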

