Bennimi

Reputation: 512

Make Azure Keyvault secrets available in entire pipeline

In order to access my secret from the keyvault, I run

        - task: AzureKeyVault@2
          inputs:
            azureSubscription: $(KEYVAULT_SC_DEV)
            KeyVaultName: $(KEYVAULT_NAME_DEV)
            SecretsFilter: APICREDENTIALS
            RunAsPreJob: true 

which works fine.

However, I have multiple jobs and am now facing the trouble of having to repeat these lines too many times.

So, is there a way to tell Azure DevOps that this secret should be set globally for each job/stage/step, etc.?

Upvotes: 2

Views: 3228

Answers (4)

Péter Szilvási

Reputation: 2011

The easiest way is to link the secrets from your Azure Key Vault. First, you need to create a service connection with proper access rights (Get and List secret permissions) on the Service Principal or Managed Identity.

If you are in a virtual network, then you need to add your virtual machine IP address in the Firewall section under the Settings > Networking tab.


Then, you can link and then add the necessary secrets as a pipeline variable group:

Linking Azure Key Vault as variables

Under the Azure Subscription, select your service connection.

After that, you can use these variables groups in your azure-pipelines.yaml file:

variables:
- group: database-passwords

steps:
- bash: |
    echo "Secret: $SECRET_ENV_VAR"
  displayName: Print out the secret name value
  env:
    SECRET_ENV_VAR: $(your_secret_name)

Upvotes: 0

Dou Xu-MSFT

Reputation: 3196

If you want to make Azure Key Vault secrets available across multiple jobs or stages with the AzureKeyVault@2 task, you can use output variables across different jobs and stages.

For example, I've set a secret named password in my Key Vault.

Across multiple jobs:

variables:
  # map the output variable from A into this job
  password-job-b: $[ dependencies.A.outputs['ouputvariable.mypassword'] ]

Across multiple stages:

variables:
  # map the output variable from A into this job
  password-stage-two: $[ stageDependencies.One.A.outputs['ouputvariable.mypassword'] ]

Across the whole job:

- task: AzureKeyVault@2
  inputs:
    RunAsPreJob: true ## Make the secret(s) available to the whole job

Full yaml sample:

trigger:
- none

pool:
  vmImage: ubuntu-latest

stages:
- stage: One
  jobs:
  - job: A
    steps:
    - task: AzureKeyVault@2
      inputs:
        azureSubscription: 'your subscription'
        KeyVaultName: 'your keyvault name'
        SecretsFilter: '*'
        RunAsPreJob: true
    - task: Bash@3
      inputs:
        targetType: 'inline'
        script: 'echo "##vso[task.setvariable variable=mypassword;isOutput=true]$(password)"'
      name: ouputvariable
  - job: B
    dependsOn : A 
    variables:
     # map the output variable from A into this job
     password-job-b: $[ dependencies.A.outputs['ouputvariable.mypassword'] ]
    steps:
    - script: echo this is password :$(password-job-b) # this step uses the mapped-in variable
- stage: Two
  variables:
      # map the output variable from A into this job
      password-stage-two: $[ stageDependencies.One.A.outputs['ouputvariable.mypassword'] ]
  jobs:
  - job: C
    steps:
    - script: echo this is password :$(password-stage-two) # this step uses the mapped-in variable

Result across multiple jobs: (screenshot)

Result across multiple stages: (screenshot)

UPDATE

When issecret is set to true, the value of the variable will be saved as a secret.

script: 'echo "##vso[task.setvariable variable=mypassword;isOutput=true;issecret=true]$(password)"'

Upvotes: 3
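Building on the output-variable pattern in this answer, the following is an added example (not the answer's own YAML) that puts the pieces together in one pipeline: SecretsFilter restricted to the single secret the job needs instead of '*', the output marked issecret=true, and the consuming job reading it through env: so the value is not expanded into the script body. The service connection and vault names are placeholders, and the secret is assumed to be named password as in the answer.

```yaml
trigger:
- none

pool:
  vmImage: ubuntu-latest

jobs:
- job: FetchSecret
  steps:
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: 'your-service-connection'   # placeholder
      KeyVaultName: 'your-keyvault-name'             # placeholder
      SecretsFilter: 'password'                      # only the secret this job needs, not '*'
      RunAsPreJob: true
  - task: Bash@3
    name: kvout
    inputs:
      targetType: 'inline'
      # isOutput=true exposes the variable to dependent jobs; issecret=true keeps it masked in logs
      script: 'echo "##vso[task.setvariable variable=mypassword;isOutput=true;issecret=true]$(password)"'
- job: UseSecret
  dependsOn: FetchSecret
  variables:
    # map the output variable from FetchSecret into this job
    apiPassword: $[ dependencies.FetchSecret.outputs['kvout.mypassword'] ]
  steps:
  - bash: |
      # the secret arrives through the environment rather than being expanded into the script text
      if [ -z "$API_PASSWORD" ]; then
        echo "secret was not mapped into this job"
        exit 1
      fi
      echo "secret received (length ${#API_PASSWORD})"
    displayName: Consume mapped secret via env
    env:
      API_PASSWORD: $(apiPassword)
```

The empty-value check in the consumer job catches a mapping that silently resolved to nothing, which is the usual symptom when the output variable name or the producing step's name does not match.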

Ricky Gummadi

Reputation: 5222

If you want these secrets available to multiple pipelines, one way would be to use the library variables.


And reference these in your pipeline: https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#use-a-variable-group

If you want these secrets available to multiple stages/jobs/steps within the same pipeline, one way would be to create a pipeline variable.

variables:
  secretValue: ''

jobs:
- job: RetrieveSecret
  steps:
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: $(KEYVAULT_SC_DEV)
      KeyVaultName: $(KEYVAULT_NAME_DEV)
      SecretsFilter: APICREDENTIALS
      OutputVariable: secretValue

Here the RetrieveSecret job retrieves the secret from the Key Vault and stores it in the secretValue pipeline variable. Once the secret has been stored in the pipeline variable, you can reference it from any job or task in your pipeline by using the $(pipelineVariableName) syntax.

The caveat here is that pipeline variables are scoped to a specific job; if you want to use the same variable across different jobs, then you need to pass this value to the next job, sort of like below:

jobs:
- job: Job1
  steps:
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: $(KEYVAULT_SC_DEV)
      KeyVaultName: $(KEYVAULT_NAME_DEV)
      SecretsFilter: APICREDENTIALS
      OutputVariable: secretValue
- job: Job2
  inputs:
    secretInput: $(secretValue)
  steps:
  - task: SomeTask
    inputs:
      secret: $(secretInput)

Upvotes: 1

Swarna Anipindi

Reputation: 954

We can use "variable groups" to pass the values into a YAML pipeline, which we can make available across all jobs.

Step 1: Store Key Vault secret values in a variable group (see: how to use keyvault).

Step 2: Use that variable group in any pipeline. Here is the reference: tutorial from Thomas Thornton.

Upvotes: 1
