Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
How to use secrets from Keyvault in Azure Batch without them being exposed in the portal?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 94%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Rajput, Sai Srivastav
6
Reputation points
I am trying to execute an Azure batch that accepts environment variables. Currently, I am able to execute the task by reading the keys from secrets and passing them to the task, the drawback here is that the keys are exposed in the Azure portal.
Is there a way where I can still have that value as a secret on the Portal? That is, can I pass the secrets directly to the task and the Task would fetch it from KeyVault.
An example here would be the AWS Batch, We can explicitly pass the secrets and the AWS batch would automatically fetch it from the Parameter Store.
Azure Key Vault
Azure Batch
Azure Batch
An Azure service that provides cloud-scale job scheduling and compute management.
{count} votes
-
JamesTran-MSFT 37,211 Reputation points Microsoft Employee Moderator2021-10-18T21:28:22.107+00:00 @Rajput, Sai Srivastav
Thank you for your post!- When it comes to using Azure Batch with the Azure Key Vault, are you able to share any documentation so I can gain a better understanding of your issue?
- When executing the tasks by reading the keys from the secret, how're you getting the keys/secrets?
- Can you share any screenshots or more details on what you mean by - the keys are exposed in the Azure Portal.
- What tasks are you specifically trying to run?
Any additional details, screenshots, or documentation regarding what you're trying to do would be greatly appreciated!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue. -
Rajput, Sai Srivastav 6 Reputation points
2021-10-19T11:06:01.96+00:00 Hey James,
1) I don't have a document for what I am trying to do, that was the reason I am looking for answer in the community.
2) I am using the following method to fetch the secret from the KeyVault
retrieve-a-secretBlockquote
env_settings = [
batchmodels.EnvironmentSetting(name ="test_secret", value=client.get_secret("FB-SAS-token")),
]I am passing the secret by reading it first and then passing it as an env variable.
3) Uploaded the screenshot in the Question. Basically the sensitive secrets are visible under the
Environmen Settingssection on the Tasks screen in Azure portal.4) I've a python script as a part of ACR in a docker image. This script accepts variables such as Database password and other sensitive secrets in the form of environment variables.
-
JamesTran-MSFT 37,211 Reputation points Microsoft Employee Moderator
2021-10-20T22:17:01.85+00:00 @Rajput, Sai Srivastav
Thank you for the quick follow up on this!Based off your screenshot, I don't believe there's any way to hide the secret in the Environment Settings within the Azure Portal. However, since this looks more related to Azure Batch than the Azure Key Vault, I've reached out to our Azure Batch team, so they can take a look into this issue as well.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Sign in to comment
Sign in to answer