Reputation: 37
I have an Azure keyvault defined with secrets which I can access in a DevOps build pipeline using the "Azure KeyVault" task. Now I need to pass the secret variable to a Python inline script.
Since it is encrypted, Python cannot read the value directly. How can I decrypt and pass them? The secret holds a Databricks access token. We are trying to create a Databricks cluster using a DevOps pipeline.
My YAML has the following tasks
I tried the following.
Use PowerShell to convert from secrets to environment variables. I tried to first convert the secret to a variable using this link - https://github.com/Microsoft/azure-pipelines-tasks/issues/8345 . When called in Python as an argument, instead of passing the secret value it passed the name of the variable with the $ symbol inside Python.
We do not want to use variable groups due to some restrictions.
Edit: Updated to add more details.
Upvotes: 0
Views: 2295
Reputation: 30343
The task can be used to fetch the latest values of all or a subset of secrets from the vault, and set them as variables that can be used in subsequent tasks of a pipeline
As it is described above for the Azure KeyVault task, you can directly use the secrets from the Azure keyvault by wrapping them in "$(secretname)" in the Python scripts. You do not need an extra PowerShell task to convert it to an environment variable.
When you print it out in the console, it will be encrypted and output "***" for security reasons. But the actual value of the secret is visible to your code.
I tested with the example Python script below to confirm that the secret value can be accessed in the Python script.
I created a test keyvault with a secret named "Password" and its value is "123456789". The Python script task outputs "111111" in the console, which confirms that the secret is visible to the Python script.
You can follow the detailed steps in this document to use the secret from keyvault.
Upvotes: 2
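A pipeline fragment for the setup discussed in this thread, added here as an example; it is not the asker's YAML or the answerer's test script. The service connection, vault name, secret name `databricks-token` and the `DATABRICKS_TOKEN` environment variable are assumptions. It maps the secret into the task's environment rather than pasting `$(secretname)` into the script text, and stops the job if the variable was never populated.

```yaml
# Added example. Values marked "assumed" are placeholders, not taken from the thread.
steps:
  # Fetch the secret; it becomes a secret pipeline variable named after the secret.
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: 'my-service-connection'   # assumed service connection name
      KeyVaultName: 'my-keyvault'                  # assumed vault name
      SecretsFilter: 'databricks-token'            # assumed secret name
      RunAsPreJob: false

  - task: PythonScript@0
    displayName: 'Create Databricks cluster'
    inputs:
      scriptSource: 'inline'
      script: |
        import os
        import sys

        token = os.environ.get("DATABRICKS_TOKEN", "")
        # A macro for an undefined variable is left unexpanded, so the script
        # would receive the variable name with the dollar sign (the symptom in
        # the question). The prefix is built from two pieces so this line is
        # not itself read as a macro.
        unexpanded_prefix = "$" + "("
        if not token or token.startswith(unexpanded_prefix):
            sys.exit("DATABRICKS_TOKEN was not populated from Key Vault")

        # Pass the token only in the Authorization header of the API request.
        headers = {"Authorization": "Bearer " + token}
        print("Databricks token loaded")  # never print the token itself
    env:
      # Secret variables are not exported to the environment automatically;
      # map them explicitly, and only for the task that needs them.
      DATABRICKS_TOKEN: $(databricks-token)
```

Log masking replaces only exact matches of the secret, so a transformed copy (encoded, split or reversed) would appear in the log unmasked; keep the token out of anything the script prints.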