Use Azure Key Vault secrets in Azure Pipelines
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
Azure Key Vault enables developers to securely store and manage secrets such as API keys, credentials or certificates. Azure Key Vault service supports two types of containers: vaults and managed HSM (hardware security module) pools. Vaults support storing software and HSM-backed keys, secrets, and certificates, while managed HSM pools only support HSM-backed keys.
In this tutorial, you will learn how to:
- Create an Azure Key Vault using Azure CLI
- Add a secret and configure access to Azure key vault
- Use secrets in your pipeline
- An Azure DevOps organization. If you don't have one, you can create one for free.
- An Azure subscription. Create an Azure account for free if you don't have one already.
Create an Azure Key Vault
If you have more than one Azure subscription associated with your account, use the command below to specify a default subscription. You can use
az account listto generate a list of your subscriptions.
az account set --subscription <your_subscription_name_or_ID>
Set your default Azure region. You can use
az account list-locationsto generate a list of available regions.
az config set defaults.location=<your_region>
For example, this command will select the westus2 region:
az config set defaults.location=westus2
Create a new resource group. A resource group is a container that holds related resources for an Azure solution.
az group create --name <your-resource-group>
Create a new key vault.
az keyvault create \ --name <your-key-vault> \ --resource-group <your-resource-group>
Create a new secret in your Azure key vault.
az keyvault secret set \ --name "Password" \ --value "mysecretpassword" \ --vault-name <your-key-vault-name>
Create a project
Sign in to your Azure DevOps organization.
If you don't have any projects in your organization yet, select Create a project to get started. Otherwise, select New project in the upper-right corner.
Create a repo
We will use YAML to create our pipeline but first we need to create a new repo.
Sign in to your Azure DevOps organization and navigate to your project.
Select Repos, and then select Initialize to initialize a new repo with a README.
Create a new pipeline
Select Pipelines, and then select New Pipeline.
Select Azure Repos Git (YAML).
Select the repository you created in the previous step.
Select the Starter pipeline template.
The default pipeline will include a few scripts that run echo commands. Those are not needed so we can delete them. Your new YAML file should look like this:
trigger: - main pool: vmImage: 'ubuntu-latest' steps:
Select Show assistant to expand the assistant panel. This panel provides convenient and searchable list of pipeline tasks.
Search for vault and select the Azure Key Vault task.
Select your Azure subscription and then select Authorize. Select your Key vault from the dropdown menu, and then select Add to add the task to your YAML pipeline.
The Make secrets available to whole job feature is not supported in Azure DevOps Server 2019 and 2020.
Your YAML file should look like the following:
trigger: - main pool: vmImage: ubuntu-latest steps: - task: AzureKeyVault@2 inputs: azureSubscription: 'Your-Azure-Subscription' KeyVaultName: 'Your-Key-Vault-Name' SecretsFilter: '*' RunAsPreJob: false - task: CmdLine@2 inputs: script: 'echo $(Your-Secret-Name) > secret.txt' - task: CopyFiles@2 inputs: Contents: secret.txt targetFolder: '$(Build.ArtifactStagingDirectory)' - task: PublishBuildArtifacts@1 inputs: PathtoPublish: '$(Build.ArtifactStagingDirectory)' ArtifactName: 'drop' publishLocation: 'Container'
Don't save or queue your pipeline just yet. We must first give our pipeline the right permissions to access Azure Key Vault. Keep your browser tab open, we will resume the remaining steps once we set up the key vault permissions.
Set up Azure Key Vault access policies
In order to access our Azure Key Vault, we must first set up a service principal to give access to Azure Pipelines. Follow this guide to create your service principal and then proceed with the next steps in this section.
Navigate to Azure portal.
Use the search bar to search for the key vault you created earlier.
Under Settings Select Access policies.
Select Add Access Policy to add a new policy.
For Secret permissions, select Get and List.
Select the option to select a service principal and search for the one you created in the beginning of this section. A security principal is an object that represents a user, group, service, or application that's requesting access to Azure resources.
Select Add to create the access policy, then select Save when you are done.
Azure Key Vaults that use Azure role-based access control (Azure RBAC) are not supported.
Run and review the pipeline
Return to the previous tab where we left off.
Select Save, and then select Save again to commit your changes and trigger the pipeline. You may be asked to allow the pipeline access to Azure resources, if prompted select Allow. You will only have to approve your pipeline once.
Select the CmdLine task to view the logs.
Return to pipeline summary and select the published artifact.
Select the secret.txt artifact to open it.
The text file should contain our secret: mysecretpassword.
This tutorial is for educational purposes only. For security best practices and how to safely work with secrets, see Manage secrets in your server apps with Azure Key Vault.
Clean up resources
Follow the steps below to delete the resources you created:
All Azure resources created during this tutorial are hosted under a single resource group PipelinesKeyVaultResourceGroup. Run the following command to delete the resource group and all of its resources.
az group delete --name PipelinesKeyVaultResourceGroup
Q: I'm getting the following error: "the user or group does not have secrets list permission" what should I do?
A: If you encounter an error indicating that the user or group does not have secrets list permission on key vault, run the following commands to authorize your application to access the key or secret in the Azure Key Vault:
$ErrorActionPreference="Stop"; $Credential = Get-Credential; Connect-AzAccount -SubscriptionId <YOUR_SUBSCRIPTION_ID> -Credential $Credential; $spn=(Get-AzureRmADServicePrincipal -SPN <YOUR_SERVICE_PRINCIPAL_ID>); $spnObjectId=$spn.Id; Set-AzureRmKeyVaultAccessPolicy -VaultName key-vault-tutorial -ObjectId $spnObjectId -PermissionsToSecrets get,list;