Getting secrets from Key Vault in YAML pipeline

Posted by

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Keeping your connection strings and secrets secure is not necessarily only a concern of just one type of industry.  The best practice would be to keep security at the top of your mind regardless of if you are working on an app for a company in the Healthcare space or Finance, Retail, etc….Azure Key Vault can help in doing just that.

 

If you have ever created an Azure App Service or Azure Function App that uses app settings, then you have dealt with the problem of how you are going to get those settings secure and updated correctly in each environment.  You need a secure location to store this information and then be able to access it during your deployment process.  Azure Key Vault and using the Azure Key Vault task inside a deployment pipeline in Azure DevOps can solve this problem for you. 

 

What’s the problem?

You want your code ‘bits’ to not have to worry about the configuration items that might change from environment to environment, so being a good developer, you have created variables to protect you from these changing values.  Now how do you automate your deployment to consider these changing values?  I’d like to suggest using the Azure Key Vault task yaml snippet as part of your yaml pipeline in Azure DevOps and here’s how you can use it.

 

The Setup

We have the following resources that we are using to demonstrate this setup.

  • Azure Function (python, but can be any language)
  • Key Vault
  • YAML pipeline

This GitHub repo is what we are going to be using as our example: 

 

If you look at the README.md it will give you a good feel for what the repo is doing, but we are going to zoom in to the Key Vault integration.

 

Azure Function App

You will need to make sure you have a function app created that you can use.  There isn’t any special setup you need to do here other than to take note of the app settings that you want to set in your pipeline.

 

Key Vault

Again, you will need to make sure you have a key vault created in Azure to use and it will need to have at least one secret that you want to set as the app setting.  You will also need to make sure that the service connection has Get and List permission in the Key Vaults Access policies.

Andrew_Redman_0-1660940381688.png

 

 

This is a good place to point out that an Azure Key Vault currently has 2 permission models: Vault access policy and Azure role-based access control (RBAC).  The model used in this blog post and video is the Vault access policy, but it could also be accomplished with the RBAC approach.  If you are interested in following the RBAC approach, please refer to this document.

 

Azure-pipelines.yml pipeline

All of the code is located in the GitHub repo listed above, but this pipeline file will need to be used in an Azure DevOps pipeline so you can kick it off to test this process.  If you take a look at this file, you can see Azure Key Vault snippet and the parameters use. 

Andrew_Redman_1-1660940381698.png

 

 

Here is a link to the document for the key vault yaml snippet.  This code downloads all the secrets from the key vault that you specify.  Once you have downloaded all the secrets you can use them throughout the pipeline as you would a typical variable using the key vault secret name as the variable name.  See below we are using `blob-storage-connection-secret`.

Andrew_Redman_2-1660940381708.png

 

 

How to test

To test this, you will just need to run the Azure DevOps pipeline that you created using the `azure-pipelines.yml` file.  When that run completes, we can take a look at the output from the `Deploy Function App` step and you will see the following:

Andrew_Redman_3-1660940381720.png

 

 

The log confirms that your setting was updated and notice that the actual value it’s using to replace is obfuscated from the log to keep your secrets…well secret!  Just to double check you can go out to the Azure portal, to the Function App and confirm the setting there.  In our case we are looking for this key vault value to be put in the app settings:

 

Key Vault -> Secret -> blob-storage-connection-secret

Andrew_Redman_4-1660940381725.png

 

 

Function App Service

Andrew_Redman_5-1660940381727.png

 

 

That’s it!  Thanks for reading and/or watching.  Please comment with any questions.

 

 

This articles are republished, there may be more discussion at the original link. But if you found this helpful, you're more than welcome to let us know!

This site uses Akismet to reduce spam. Learn how your comment data is processed.