In our Azure environment, we are using a number of secrets and by using AKS csi driver plugin, we could eliminate the usage secret values in Variable groups of Azurepipleines as aks could directly connect to the key vault using csi driver.
But, still creation of secrets to the key vault is a manual task and we are trying to automate the secret creation using azuredevops pipeline, where we don’t want to expose the secret values either in a file or nor in variable group locked values(because we eliminated that already by using csi driver capability)/
is there any Azuredevops task or extension or any other best approach to create the secrets in key vault without exposing the values ?
2
Answers
There is no best way for password generation in Azure DevOps.
The same rules apply here for generating passwords in general.
Take a look here:
Then just save it in the Key Vault.
What you can do is also add this line to the script:
This line will cause displaying
$password
as***
in the output.Here is a way to populate Azure Key Vault secrets via ADO Variable Groups stored as secrets.
The gist is:
Setup ADO Variable Group with corresponding Secrets
PowerShell to convert Variable to Secure String and write via CLI to an Azure Key Vault
$secretvalue = ConvertTo-SecureString $env:Mapped_Secret -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName ${{ parameters.keyVaultName }} -Name ${{ parameters.secretName}} -SecretValue $secretValue
There is also is an example of a templated YAML task for this.