
My requirement is to automate the creation of secrets in Key Vault without exposing the values of these secrets during the pipeline execution (Azure DevOps Server).

I tried different options such as input parameters (they display the values when the pipeline performs initialization), runtime variables, etc. (a list of variables, or dynamic creation according to input, is not possible), but they couldn't fulfil our requirements.

Finally I planned to use the script below to read values from the library group and create the values in Key Vault. But when we mask the secret values in the Library group (by locking), the secrets are created with a null value only. So is there any way to retrieve the values of the secret variables and create them in Key Vault only if the secret value is different (if it already exists)?

- bash: |
   az login --service-principal --username "$(spid)" --password "$(spsecret)" --tenant "$(tenantid)"
   az account set --subscription ${{ variables.subscription }}
   az config set extension.use_dynamic_install=yes_without_prompt
   groupID=$(az pipelines variable-group list -p myproject --group-name ${{ environment }}-${{ parameters.myapp }}-kv-secret --query '[].id' -o tsv)
   echo "group id is $groupID"
   variables=$(az pipelines variable-group variable list -p myproject --group-id "$groupID" --output json)
   # jq string interpolation needs the backslash: "\($k)". Note that the REST API returns
   # the value of a locked (secret) variable as null, so those come out as "name=null".
   # Process substitution instead of a pipe so that `exit 1` ends the whole step, not just a subshell.
   while read -r variable; do
     name=${variable%%=*}
     value=${variable#*=}   # everything after the first '=' so values containing '=' are not truncated
     if ! az keyvault secret show --vault-name "$(${{ variables.podkv }})" --name "$name" &>/dev/null; then
       expiryDate=$(date -u -d '+2 years' '+%Y-%m-%dT%H:%M:%SZ')
       az keyvault secret set --vault-name "$(${{ variables.podkv }})" --name "$name" --value "$value" --expires "$expiryDate" --output none
       secretValue=$(az keyvault secret show --vault-name "$(${{ variables.podkv }})" --name "$name" --query value --output tsv)
       if [[ "$secretValue" != "$value" ]]; then
         echo "Failed to create secret $name in Key Vault $(${{ variables.podkv }})"
         exit 1
       fi
       echo "Created secret $name in Key Vault $(${{ variables.podkv }}), hence removing the variable from the variable group"
       az pipelines variable-group variable delete --group-id "$groupID" --name "$name" --yes
     fi
   done < <(echo "$variables" | jq -r 'keys[] as $k | "\($k)=\(.[$k].value)"')

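As an added example (not code from the question or from either answer), here is a hardened version of the loop above for one secret, written the way a pipeline step would call it: the value is taken from an environment variable that the YAML step maps from the locked variable-group entry with `env:`, it is never echoed or traced, it is handed to `az keyvault secret set` through a mode-600 temporary file (`--file`) instead of the command line, `--output none` silences the response, and an empty value (what a locked variable looks like when read back through the REST API) is refused rather than written. The vault name `myvault`, the variable name `dbpass` and `SECRET_VALUE` used in the comments are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the question or the answers: a hardened
# version of the asker's loop for one secret. The value arrives in an
# environment variable (mapped from the locked variable-group entry with
# `env:` in the YAML step), is never echoed, is handed to az via a
# mode-600 temp file rather than argv, and az output is silenced.
# Vault and variable names in the usage comments are assumptions.
set -euo pipefail
set +x   # never enable tracing here: it would print every value

# Prints the current value of a secret, or nothing if it does not exist.
# Only ever called inside $(...) so the value lands in a variable, not the log.
kv_secret_current() {
  local vault="$1" name="$2"
  az keyvault secret show --vault-name "$vault" --name "$name" \
     --query value -o tsv 2>/dev/null || true
}

# kv_secret_upsert VAULT NAME [ENV_VAR]
# Reads the secret value from $ENV_VAR (default SECRET_VALUE) and writes it
# to Key Vault only if it differs from what is stored. Sets KV_RESULT to
# created | updated | unchanged. Returns 2 without touching the vault when
# the value is empty, which is what a locked variable looks like when read
# through the REST API instead of the pipeline's macro/env mapping.
# Usage in a step with `env: { SECRET_VALUE: $(dbpass) }`:
#   kv_secret_upsert myvault dbpass
KV_RESULT=""
kv_secret_upsert() {
  local vault="$1" name="$2" var="${3:-SECRET_VALUE}"
  local value="${!var:-}"
  if [[ -z "$value" ]]; then
    echo "kv_secret_upsert: $var is empty, refusing to write $name" >&2
    return 2
  fi
  local current
  current="$(kv_secret_current "$vault" "$name")"
  if [[ "$current" == "$value" ]]; then
    KV_RESULT=unchanged
    return 0
  fi
  local expires tmp
  expires="$(date -u -d '+2 years' '+%Y-%m-%dT%H:%M:%SZ')"
  tmp="$(mktemp)"
  chmod 600 "$tmp"
  printf '%s' "$value" > "$tmp"          # no trailing newline in the stored value
  # --file keeps the value out of the agent's process list; --output none keeps it out of the log
  az keyvault secret set --vault-name "$vault" --name "$name" \
     --file "$tmp" --expires "$expires" --output none \
     || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  if [[ -z "$current" ]]; then KV_RESULT=created; else KV_RESULT=updated; fi
  echo "$name: $KV_RESULT"               # status word only, never the value
}
```

In the pipeline step, map the locked variable in with `env:` (for example `env: { SECRET_VALUE: $(dbpass) }` under the `bash:` step) and call `kv_secret_upsert "$(podkv)" dbpass`. The value is then in the process environment rather than in the script text, and because `az pipelines variable-group variable list` returns null for locked values, the function treats an empty value as an error instead of creating an empty secret. Azure DevOps masks known secrets with `***` in the log, but that masking is best effort, so suppressing the output is still worth doing.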

Answers


  1. My requirement is to automate the creation of secrets in Keyvault without exposing the values of these secrets during the pipeline execution

    When using Azure CLI you can use the --output none output format to keep sensitive information from being displayed in your console.

    Example:

    az keyvault secret set ... --output none
    

    See None output format for more details.

  2. I have just tested using a variable group; it works well even with a locked mask.

    my-pipeline.yaml

    parameters:
    - name: keyvaultName
      type: string
      default: 'wbtestxxxx'
    - name: keyvaultSecretName
      type: string
      default: 'wbtestxxxscr2'
      
    variables:
    - group: vgtest
    
    
    steps:
    - task: AzureCLI@2
      displayName: Azure CLI
      inputs:
        azureSubscription: DevOpsSub1Connection-Test
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          az --version
          az account show
          az keyvault secret set --name ${{ parameters.keyvaultSecretName }} --vault-name ${{ parameters.keyvaultName }} --value "$(secretValue2)"
    

    What's in the Azure DevOps pipeline variable group:

    the *** actually masks the value wbsecrevalue2

    (screenshot)

    My result:

    (screenshot)
