Utilizing Azure Key Vault with Private Link in DevOps

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Azure Key Vault is a cloud service that provides secure storage of, and controlled access to, secrets such as API keys, passwords, certificates, and cryptographic keys. To enhance security and disable public access, Azure Key Vault can be integrated with a Private Endpoint powered by Azure Private Link. The private endpoint takes a private IP address from your VNet and brings the service into your VNet; traffic between your virtual network and the service traverses the Microsoft backbone network, which effectively eliminates exposure to the public Internet.

Prerequisites to achieve this scenario:

  • Self-Hosted Agent in Azure DevOps
  • Azure Key Vault
  • Virtual Network
  • Subnet in the Virtual Network
  • An access policy on the Key Vault that grants the service connection's identity Get and List permissions on secrets, so the secrets can be read from YAML or from the Library section

Accessing Key Vault from YAML with Private Endpoint enabled

Ensure that the private endpoint connection is approved. This document provides detailed steps for integrating Key Vault with Azure Private Link.

Ramya_Gangula_0-1681929689139.png

 

The job below runs on a self-hosted agent and uses the service connection to access Azure Key Vault. I have added a cmdLine task that creates a file and retrieves secrets from Key Vault.

Ramya_Gangula_1-1681929689150.png

Below is the output of retrieving secrets from Azure Key Vault after running the Azure DevOps pipeline.

Ramya_Gangula_2-1681929689157.png
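The job described above, written out as Azure Pipelines YAML. This is an added example, not the pipeline from the original post: the pool name, service connection name, vault name and secret names are placeholders, and the script step assumes a Linux self-hosted agent that sits inside the VNet that hosts the private endpoint.

```yaml
# Added example (not the blog's own pipeline): a job on a self-hosted agent inside the VNet
# that fetches secrets from Key Vault over the private endpoint and uses one in a cmdLine task.
# Pool, service connection, vault and secret names below are placeholders.
trigger:
  - main

pool:
  name: 'SelfHostedPool'        # placeholder: agent pool whose agents run inside the VNet

variables:
  keyVaultName: 'contoso-kv'    # placeholder vault name (Private Link enabled, public access disabled)

steps:
  # Fetches secrets through the private endpoint. The service connection's identity needs
  # Get and List permissions on secrets (access policy), as listed in the prerequisites.
  - task: AzureKeyVault@2
    displayName: 'Get secrets from Key Vault'
    inputs:
      azureSubscription: 'my-service-connection'   # placeholder service connection name
      KeyVaultName: $(keyVaultName)
      SecretsFilter: 'db-password,api-key'         # fetch only the secrets this job needs, not '*'
      RunAsPreJob: false

  # Each fetched secret becomes a secret pipeline variable with the secret's name.
  # Secret variables are masked in the log and are not exported to scripts as environment
  # variables automatically, so the one this step needs is mapped explicitly via env.
  - task: CmdLine@2
    displayName: 'Write a secret to a file on the agent'
    env:
      DB_PASSWORD: $(db-password)
    inputs:
      script: |
        set -e
        printf '%s' "$DB_PASSWORD" > "$(Agent.TempDirectory)/db-password.txt"
        echo "Secret retrieved, length: ${#DB_PASSWORD} characters"
        ls -l "$(Agent.TempDirectory)/db-password.txt"
```

The cmdLine step prints only the secret's length, so the job log never carries the value itself, and Agent.TempDirectory is cleaned after the job, which bounds how long the file holding the secret value stays on the agent. If the AzureKeyVault task fails with a DNS or connectivity error rather than a 403, check that the agent resolves the vault's name to the private endpoint address and that the private endpoint connection has been approved.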


Link Secrets from Azure Key Vault as variables

I have allow-listed the Azure DevOps IP address (in my case, ADO is hosted in the Central United States region) in the Azure Key Vault Networking section to link secrets. This is an inbound connection originating from Azure DevOps services to Azure Key Vault via Private Endpoint.

Below is the official documentation that lists the IP addresses for the different regions.

Ramya_Gangula_3-1681929689163.png

Here is the final output screen, which shows the secrets from Azure Key Vault successfully linked.

Ramya_Gangula_4-1681929689167.png
