Dynamic access to Key Vault secret variables in Azure DevOps
I have an Azure Key Vault with different keys (e.g. Key1, Key2, Key3). In some setting, which is dynamically read in one pipeline task, I have a value which says which key to use (let's say the KeyName variable is 'Key2'). How can I read the secret value of Key2 in the pipeline?

I have tried different combinations and none is working for me.

Test pipeline no. 1 - using the variable group connected to the Key Vault (to make it easier, the KeyName is static here, but in reality it is set through a PowerShell script during the pipeline):

jobs:
- job: JobA
  variables:
  - group: KeyVaultGroup #Key vault have secret values "Key1,Key2,Key3..."
  - name: KeyName
    value: Key2
  - name: MyValue
    value: $[ variables[variables.KeyName] ]
  steps:
  - powershell: |
      Write-Host "Var1 $($env:VARENV1)"
      Write-Host "Var2 $($env:VARENV2)"
    env:
      VarEnv1: $(MyValue)
      VarEnv2: $($(KeyName))

Result is:

Var1 
Var2 $(Key2)

MyValue is not working, because the variable is evaluated before the Key Vault variables are loaded. And when the KeyName is set during the pipeline, it will not work because of that too (but this could be solved by using a separate job and using output variables to set the KeyName, like in test example no. 2). The expression $($(KeyName)) is not working, because it will not recursively expand the variable (bug?).

The same problem occurs when the AzureKeyVault task is used to read the Key Vault values, because it is triggered too late.

Test no. 2 - two separate jobs: I have used 2 jobs - one to read the Key Vault and the key name (Job A) and a second for the rest (Job B). The problem is that there is no way to access the Key Vault secret values loaded in Job A from Job B. I can only use output variables from Job A in Job B through dependencies.JobA..., but the AzureKeyVault task does not export the values as output variables. To do so I would need to use e.g. a PowerShell task, but in this case I would need to map the secret values as environment variables into the PowerShell task, which means I would lose the dynamic part I need, because it would be statically mapped (I need to be able to add/remove the values in the Key Vault without needing to change the pipeline). This is a no-go, or I do not know a way to access the secret variables between jobs without using output variables.

Question: How do I read the secure value of the key "Key2" when "Key2" is stored as the value of the variable KeyName and is loaded during the pipeline?

Puppis answered 10/8, 2020 at 13:52

In this case the best way is to use the Azure CLI task with the az keyvault command:

  - task: AzureCLI@2
    inputs:
      azureSubscription: 'rg-the-code-manual'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        $secretValue =  az keyvault secret show --vault-name tcm-kv --name $(keyName) --query value
        echo $secretValue

The content of this script is evaluated at runtime, so you can set keyName just before this task and all will be fine. And if you need the value of the secret as a variable, you can use a logging command to create one.

The easiest way to get rid of the double quotes is to change the output format to tsv:

$secretValue =  az keyvault secret show --vault-name tcm-kv --name $(keyName) --query value -o tsv
Clam answered 10/8, 2020 at 21:45
Just want to add that the az command will return the value enclosed in double quote characters, i.e. like "myvalue". It took me some time to realize where the problem was... :-) Just for people reading this, to save them some time... - Puppis
@Puppis Thank you for pointing this out. I edited my answer with an example of how we can get rid of the ". - Clam
If anyone faces any issue with the above command in shell, use it as secretValue=$(az keyvault secret show --vault-name tcm-kv --name $(keyName) --query value -o tsv); this will work. - Zulmazulu
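
The complete pattern the answer and comments describe, as an added example that is not part of the original answer: one job where an earlier step decides the secret name at runtime, the Azure CLI task fetches that secret by name (tsv output, no surrounding quotes) and exports it with a logging command as a secret variable, and a later step maps it in explicitly. The service connection name 'my-azure-connection' and the vault name 'my-kv' are placeholders.

```yaml
# Added example, not from the original answer. Placeholder names:
# service connection 'my-azure-connection', vault 'my-kv'.
jobs:
- job: ReadDynamicSecret
  steps:
  # Step 1: decide which secret to read. Hard-coded here for the example;
  # in practice this is computed from whatever setting drives the choice.
  - powershell: |
      $keyName = 'Key2'
      Write-Host "##vso[task.setvariable variable=keyName]$keyName"
    displayName: Choose secret name

  # Step 2: fetch the secret at runtime. $(keyName) is a macro and is
  # expanded when this task starts, so a value set by Step 1 is used.
  - task: AzureCLI@2
    displayName: Read secret from Key Vault
    inputs:
      azureSubscription: 'my-azure-connection'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        # -o tsv returns the bare value instead of a JSON string in quotes
        $secretValue = az keyvault secret show --vault-name my-kv --name "$(keyName)" --query value -o tsv
        if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($secretValue)) {
          Write-Host "##vso[task.logissue type=error]Secret '$(keyName)' could not be read"
          exit 1
        }
        # issecret=true masks the value in logs and keeps it out of the
        # environment of later steps unless they map it explicitly
        Write-Host "##vso[task.setvariable variable=dynamicSecret;issecret=true]$secretValue"

  # Step 3: consume the secret. Secret variables are never injected into
  # the environment automatically, so map it into the step that needs it.
  - powershell: |
      if ([string]::IsNullOrEmpty($env:DYNAMIC_SECRET)) { throw "secret was not mapped" }
      Write-Host "Secret for $(keyName) has length $($env:DYNAMIC_SECRET.Length)"
    env:
      DYNAMIC_SECRET: $(dynamicSecret)
    displayName: Use the secret
```

The identity behind the service connection needs read access to secrets on the vault (the Get secret permission under access policies, or the Key Vault Secrets User role under RBAC); nothing else in the pipeline needs Key Vault access.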

© 2022 - 2024 — McMap. All rights reserved.