You know as a best practice, DevOps guys need to ensure all the secrets need to be kept inside the Keyvalut instead of using directly from the Azure DevOps Variable group. So, in this article, we are going to see how we can do Variable substitute from KeyVault in YAML Azure DevOps pipelines (ie., Using secrets from Azure Key Vault in a pipeline)
Config File
Below is the sample config file which we are going to use for substituting variables from Key Vault in YAML Azure DevOps pipelines
Step 1: Fetch the Key from Key vault:
The variable substitution can be done with 2 tasks in Azure DevOps, let’s start. The task can be used to fetch the latest values of all or a subset of secrets from the vault and set them as variables that can be used in subsequent tasks of a pipeline. The task is Node-based and works with agents on Linux, macOS, and Windows. First, we need to create the task for Connecting and fetching the secrets from the Azure Keyvalut. As we mentioned RunAsPreJob: false so the value will only scope up to the next following task alone.
|
1 2 3 4 5 6 |
- task: AzureKeyVault@2 inputs: azureSubscription: 2a28a5af-3671-48fd-5ce1-4c144540aae2 KeyVaultName: kv-dgtl-dev SecretsFilter: 'smtp-host,smtp-username,smtp-password' RunAsPreJob: false |
Point to remember for Variable substitute from KeyVault:
- RunAsPreJob – Make secrets available to the whole job, Default value is false
- Keyvalut task needs to run before the job execution begins. Exposes secrets to all tasks in the job, not just tasks that follow this one.
- Ensure the Agent machine has the required permissions to access the Azure key vault
- if you want to fetch the all secrets during this task then you can specify ‘*’ instead of secrets name in the SecretsFilter.
Step 2: Apply the secrets to config files:
Second, we can have the replace token task to have the target files which need to replace the variables. once this is executed, the value fetched from the key vault will apply to the matched variable
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
- task: replacetokens@5 inputs: rootDirectory: 'src/Feature/Forms/code/App_Config/Include/Feature/' targetFiles: 'dotnethelpers.Feature.Forms.SMTP.config,SMTP_external.config' encoding: 'auto' tokenPattern: 'default' writeBOM: true actionOnMissing: 'warn' keepToken: false actionOnNoFiles: 'continue' enableTransforms: false enableRecursion: false useLegacyPattern: false enableTelemetry: true |
Point to remember:
- The token pattern is set to default (so I used #{YOUR_VARIABLE}#, it may define based on your requirement.
- The name of the Keyvalut secrets needs to match with the config variable which needs to substitute. For example, in the config, we have variables like smtp-host, smtp-username, and smtp-password so the Azure key vault secrets name need to match with same.