Azure pipeline - Using values from JSON secret to build an environment variable

pikkabird
September 27, 2024
56 views
0 votes
2 Answers

We have a secret in Azure Key Vault ("my-top-secret") that was generated as part of an automated deployment and that looks like this:

{"primaryKey": "someKey1", "secondaryKey": "someKey2", "primaryUrl": "someUrl.net"}

We need to build a connection string dynamically using one of the keys and "primaryUrl" from the secret.

Would it be a reasonable approach to do so in our deployment yaml using dependent environment variables?

I’m very new to yaml and Azure development, but based on the documentation, I believe these would be runtime variables, so this is the syntax I came up with:

  env:
    - name: my-top-secret
      value: my-top-secret@azurekeyvault
    - name: my-top-secret-values
      value: $[convertToJson(my-top-secret)]
    - name: connection-string
      value: "$[my-top-secret-values.primaryUrl],abortConnect=false,ssl=true,password=$[my-top-secret-values.primaryKey]"

Thank you.

Answers

- Nacho
- September 27, 2024 at 7:08 am
- 0 votes
0
@pikkabird

You can link the Keyvault to Azure DevOps Variable group, and extract the JSON values in a script step, such that you set your desired connection string as an environment variable, so its available for a reuse by other steps after it.
```
trigger:
- main

pool:
  vmImage: ubuntu-latest

variables:
  - group: variableGroupName

jobs:
  - job: ExtractSecretValues
    steps:
      - powershell: |
          $secretJson = '$(my-top-secret)'
          $secretObject = ConvertFrom-Json $secretJson
          $connectionString = "$($secretObject.primaryUrl),abortConnect=false,ssl=true,password=$($secretObject.primaryKey)"
          Write-Host "##vso[task.setvariable variable=connectionString]$connectionString"

        displayName: "Extract and use secrets from Azure Key Vault"

      - script: |
          echo "Connection string: $(connectionString)"
        displayName: "Display constructed connection string"
```
- Here are steps to link the secret to variable group: https://learn.microsoft.com/en-us/azure/devops/pipelines/library/link-variable-groups-to-key-vaults?view=azure-devops
Login or Signup to reply.

- BrightRanMSFT
- September 27, 2024 at 11:18 am
- 0 votes
0
In Azure Pipelines, to access secrets from Azure Key Vault, you can configure following the steps below:
1. In the Azure DevOps project where you want to run the pipeline, go to Project Settings > Service connections to create an ARM connection (Azure Resource Manager service connection) if you do have one.
  - If you have an existing service principal (Application) in your Microsoft Entra ID tenant, you can select manual option to create the ARM connection with the existing service principal.
  - If no existing service principal, you can select automatic option. It will automatically create a new service principal into the tenant for use.
2. Open the service principal used by the ARM connection. Remember the Display name and Application (client) ID of it. They will be used in the subsequent steps.
3. On Azure Portal, open the Key Vault where you store the secrets. Go to Settings > Access configuration to enable the option "Vault access policy".
4. On the the Key Vault, go to Access policies to assign the service principal with the Get and List permissions for Secret Permissions. When you assigning the permissions, you can find the service principal via searching for the Display name of it and ensure the ID of selected service principal is also consistent with that of the one created above.
5. In the pipeline, you can use the Azure Key Vault task (AzureKeyVault@2) to download specified secrets from Azure Key Vault. This task will automatically use the same names of downloaded secret to set up pipeline secret variables with the secret values. Then the subsequent tasks within the same pipeline job can use these secret variables.
```
# azure-pipelines.yml

steps:
- task: AzureKeyVault@2
  displayName: 'Download secrets'
  inputs:
    azureSubscription: 'ArmConnection'  # Name of ARM connection.
    KeyVaultName: 'BrightRanKV'  # Name of Key Vault.
    SecretsFilter: 'my-top-secret'  # Name of secret.

- pwsh: |
    $jsonObj = ConvertFrom-Json -InputObject ${env:MY_TOP_SECRET}
    $primaryKey = $jsonObj.primaryKey
    $secondaryKey = $jsonObj.secondaryKey
    $primaryUrl = $jsonObj.primaryUrl
    $connectStr = "${primaryUrl},abortConnect=false,ssl=true,password=${primaryKey}"
    Write-Host "##vso[task.setvariable variable=connectionString;issecret=true]${connectStr}"
  env:
    MY_TOP_SECRET: $(my-top-secret)
  displayName: 'Set Connection String'

# In script tasks, such as Bash, PowerShell, etc.., it is recommended map the secret variables as environment variables, and then call the environment variables in the scripts.
# You also use can the expression '$(connectionString)' as an input value on other tasks which need to use the Connection String.
- pwsh: |
    Write-Host ${env:CONNECTION_STRING}
  env:
    CONNECTION_STRING: $(connectionString)
  displayName: 'Use Connection String'
```
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Azure pipeline – Using values from JSON secret to build an environment variable

Answers