
In our Azure environment, we are using a number of secrets, and by using the AKS CSI driver plugin we could eliminate the usage of secret values in variable groups of Azure Pipelines, as AKS could directly connect to the Key Vault using the CSI driver.

But still, the creation of secrets in the Key Vault is a manual task, and we are trying to automate the secret creation using an Azure DevOps pipeline, where we don't want to expose the secret values either in a file or in variable group locked values (because we eliminated that already by using the CSI driver capability).

Is there any Azure DevOps task or extension, or any other best approach, to create the secrets in the Key Vault without exposing the values?

2 Answers


  1. There is no best way for password generation in Azure DevOps.

    The same rules apply here for generating passwords in general.

    Take a look here:

    password=$(cat /dev/urandom | tr -dc 'A-Za-z0-9_!@#$%^&*()+=-' | head -c24)

    Then just save it in the Key Vault.

    What you can do is also add this line to the script:

    echo "##vso[task.setvariable variable=somepassword;issecret=true]$password"

    This line will cause $password to be displayed as *** in the output.

    steps:
    - script: |
        password=$(cat /dev/urandom | tr -dc 'A-Za-z0-9_!@#$%^&*()+=-' | head -c24)
        echo "##vso[task.setvariable variable=somepassword;issecret=true]$password"
      displayName: 'Run a multi-line script'
    - script: |
        echo '$(somepassword)'
      displayName: pretend to be azure cli


  2. Here is a way to populate Azure Key Vault secrets via ADO Variable Groups stored as secrets.

    The gist is:

    • Set up an ADO Variable Group with the corresponding secrets

    • PowerShell to convert the variable to a secure string and write it via the CLI to an Azure Key Vault

      # Mapped_Secret is the secret pipeline variable mapped into the step's environment
      $secretValue = ConvertTo-SecureString $env:Mapped_Secret -AsPlainText -Force
      $secret = Set-AzKeyVaultSecret -VaultName ${{ parameters.keyVaultName }} -Name ${{ parameters.secretName }} -SecretValue $secretValue

    There is also an example of a templated YAML task for this.

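An added example that is not code from either answer above: it combines the two ideas on this page into one bash script step, generating the secret on the agent, registering it as a masked secret variable, and writing it straight to Key Vault with the Azure CLI, so the value never lands in a file or a variable group. It assumes the step runs inside an AzureCLI@2 task (az installed and logged in) and that the pipeline supplies KEY_VAULT_NAME and SECRET_NAME as environment variables.

```shell
#!/usr/bin/env bash
# Added example, not from the original answers. Generate a secret on the agent, mask it in
# the job log, and store it in Key Vault without writing it to a file or a variable group.
# Assumptions: az is installed and logged in (e.g. inside an AzureCLI@2 task), and the
# pipeline sets KEY_VAULT_NAME and SECRET_NAME as environment variables.
set -eu   # no pipefail on purpose: tr is ended by SIGPIPE once head has its bytes

# Random password from /dev/urandom. LC_ALL=C keeps tr byte-oriented, and the hyphen is
# placed last in the set so it is a literal character rather than a range operator.
generate_password() {
  local length="${1:-24}"
  LC_ALL=C tr -dc 'A-Za-z0-9_!@#$%^&*()+=-' < /dev/urandom | head -c "$length"
}

# Logging command that registers the value as a secret pipeline variable; from this
# point on the agent prints it as *** in the job log.
mask_in_log() {
  local var_name="$1" value="$2"
  echo "##vso[task.setvariable variable=${var_name};issecret=true]${value}"
}

# Write the value into Key Vault. --output none stops the CLI from echoing the secret
# back into the log as part of its JSON response.
store_in_key_vault() {
  local vault="$1" name="$2" value="$3"
  az keyvault secret set --vault-name "$vault" --name "$name" --value "$value" --output none
}

# Only run the pipeline steps when a vault name is provided, so the functions above can
# also be sourced and exercised on their own.
if [ -n "${KEY_VAULT_NAME:-}" ]; then
  secret_name="${SECRET_NAME:-generated-secret}"
  password="$(generate_password 24)"
  mask_in_log "generatedSecret" "$password"
  store_in_key_vault "$KEY_VAULT_NAME" "$secret_name" "$password"
  echo "Stored secret '${secret_name}' in vault '${KEY_VAULT_NAME}'"
fi
```

Passing the value with `--value` puts it briefly in the agent's process argument list; `az keyvault secret set --file` avoids that at the cost of touching disk, which the question explicitly wants to avoid.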