Use Azure Key Vault secrets in Azure Pipelines

Article
01/20/2023

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

Azure Key Vault enables developers to securely store and manage secrets such as API keys, credentials or certificates. Azure Key Vault service supports two types of containers: vaults and managed HSM (hardware security module) pools. Vaults support storing software and HSM-backed keys, secrets, and certificates, while managed HSM pools only support HSM-backed keys.

In this tutorial, you will learn how to:

Create an Azure Key Vault using Azure CLI
Add a secret and configure access to Azure key vault
Use secrets in your pipeline

Prerequisites

An Azure DevOps organization. If you don't have one, you can create one for free.
An Azure subscription. Create an Azure account for free if you don't have one already.

Create an Azure Key Vault

If you have more than one Azure subscription associated with your account, use the command below to specify a default subscription. You can use az account list to generate a list of your subscriptions.
```
az account set --subscription <your_subscription_name_or_ID>
```
Set your default Azure region. You can use az account list-locations to generate a list of available regions.
```
az config set defaults.location=<your_region>
```
For example, this command will select the westus2 region:
```
az config set defaults.location=westus2
```
Create a new resource group. A resource group is a container that holds related resources for an Azure solution.
```
az group create --name <your-resource-group>
```

Create a new key vault.

az keyvault create \
  --name <your-key-vault> \
  --resource-group <your-resource-group>

Create a new secret in your Azure key vault.

az keyvault secret set \
  --name "Password" \
  --value "mysecretpassword" \
  --vault-name <your-key-vault-name>

Create a project

Sign in to your Azure DevOps organization.
If you don't have any projects in your organization yet, select Create a project to get started. Otherwise, select New project in the upper-right corner.

Create a repo

We will use YAML to create our pipeline but first we need to create a new repo.

Sign in to your Azure DevOps organization and navigate to your project.
Select Repos, and then select Initialize to initialize a new repo with a README.

Select Pipelines, and then select New Pipeline.
Select Azure Repos Git (YAML).
Select the repository you created in the previous step.
Select the Starter pipeline template.
The default pipeline will include a few scripts that run echo commands. Those are not needed so we can delete them. Your new YAML file should look like this:
```
trigger:
- main

pool:
    vmImage: 'ubuntu-latest'

steps:
```
Select Show assistant to expand the assistant panel. This panel provides convenient and searchable list of pipeline tasks.
Search for vault and select the Azure Key Vault task.
Select your Azure subscription and then select Authorize. Select your Key vault from the dropdown menu, and then select Add to add the task to your YAML pipeline.

Note

The Make secrets available to whole job feature is not supported in Azure DevOps Server 2019 and 2020.

Your YAML file should look like the following:

trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: 'Your-Azure-Subscription'
    KeyVaultName: 'Your-Key-Vault-Name'
    SecretsFilter: '*'
    RunAsPreJob: false

- task: CmdLine@2
  inputs:
    script: 'echo $(Your-Secret-Name) > secret.txt'

- task: CopyFiles@2
  inputs:
    Contents: secret.txt
    targetFolder: '$(Build.ArtifactStagingDirectory)'

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'drop'
    publishLocation: 'Container'

Select Pipelines, and then select New Pipeline.
Select Use the classic editor to create a pipeline without YAML.
Select Azure Repos Git, and then select your repository and default branch. Select Continue when you are done.
Select the .Net Desktop pipeline template.
For this example, we will only need the last two tasks from the template. Press CTRL and then select the first five tasks, right-click and choose Remove selected tasks(s) to delete them.
Select + to add a new task. Add the Command line task and configure it as follows:

Display name: Command Line Script. Script: echo $(Your-Secret-Name) > secret.txt
Select + to add a new task. Add the Azure Key Vault task and configure it as follows:

Display Name: Azure Key Vault Azure subscription: Select your Azure subscription from the list, and then select Authorize. Key vault: Select your key vault Secret filter: A comma separated list of secret names or leave * to download all secrets from the selected key vault.
Select the Copy files task and fill out the required fields.
Select the Publish Artifacts and keep the default settings.

Don't save or queue your pipeline just yet. We must first give our pipeline the right permissions to access Azure Key Vault. Keep your browser tab open, we will resume the remaining steps once we set up the key vault permissions.

Set up Azure Key Vault access policies

In order to access our Azure Key Vault, we must first set up a service principal to give access to Azure Pipelines. Follow this guide to create your service principal and then proceed with the next steps in this section.

Navigate to Azure portal.
Use the search bar to search for the key vault you created earlier.
Under Settings Select Access policies.
Select Add Access Policy to add a new policy.
For Secret permissions, select Get and List.
Select the option to select a service principal and search for the one you created in the beginning of this section. A security principal is an object that represents a user, group, service, or application that's requesting access to Azure resources.
Select Add to create the access policy, then select Save when you are done.

Note

Azure Key Vaults that use Azure role-based access control (Azure RBAC) are not supported.

Run and review the pipeline

Return to the previous tab where we left off.
Select Save, and then select Save again to commit your changes and trigger the pipeline. You may be asked to allow the pipeline access to Azure resources, if prompted select Allow. You will only have to approve your pipeline once.
Select the CmdLine task to view the logs.
Return to pipeline summary and select the published artifact.
Select the secret.txt artifact to open it.
The text file should contain our secret: mysecretpassword.

Warning

This tutorial is for educational purposes only. For security best practices and how to safely work with secrets, see Manage secrets in your server apps with Azure Key Vault.

Clean up resources

Follow the steps below to delete the resources you created:

If you created a new organization to host your project, see how to delete your organization, otherwise delete your project.
All Azure resources created during this tutorial are hosted under a single resource group PipelinesKeyVaultResourceGroup. Run the following command to delete the resource group and all of its resources.
```
az group delete --name PipelinesKeyVaultResourceGroup
```

FAQ

Q: I'm getting the following error: "the user or group does not have secrets list permission" what should I do?

A: If you encounter an error indicating that the user or group does not have secrets list permission on key vault, run the following commands to authorize your application to access the key or secret in the Azure Key Vault:

$ErrorActionPreference="Stop";
$Credential = Get-Credential;
Connect-AzAccount -SubscriptionId <YOUR_SUBSCRIPTION_ID> -Credential $Credential;
$spn=(Get-AzureRmADServicePrincipal -SPN <YOUR_SERVICE_PRINCIPAL_ID>);
$spnObjectId=$spn.Id;
Set-AzureRmKeyVaultAccessPolicy -VaultName key-vault-tutorial -ObjectId $spnObjectId -PermissionsToSecrets get,list;

Next steps

Artifacts in Azure Pipelines Publish and download artifacts in Azure Pipelines Release artifacts and artifact sources