
In order to access my secret from the keyvault, I run

        - task: AzureKeyVault@2
          inputs:
            azureSubscription: $(KEYVAULT_SC_DEV)
            KeyVaultName: $(KEYVAULT_NAME_DEV)
            SecretsFilter: APICREDENTIALS
            RunAsPreJob: true 

which works fine.

However, I have multiple jobs and am now facing the trouble of having to repeat these lines too many times.

So, is there a way to tell Azure DevOps that this secret should be set globally for each job/stage/step, etc.?

3 Answers


  1. If you want these secrets available to multiple pipelines one way would be to use the library variables


    And reference these in your pipeline
    https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#use-a-variable-group

    If you want these secrets available to multiple stages/jobs/steps within the same pipeline one way would be to create a pipeline variable

    variables:
      secretValue: ''
    
    jobs:
    - job: RetrieveSecret
      steps:
      - task: AzureKeyVault@2
        inputs:
          azureSubscription: $(KEYVAULT_SC_DEV)
          KeyVaultName: $(KEYVAULT_NAME_DEV)
          SecretsFilter: APICREDENTIALS
          OutputVariable: secretValue
    

    Here the RetrieveSecret job retrieves the secret from the Key Vault and stores it in the secretValue pipeline variable. Once the secret has been stored in the pipeline variable, you can reference it from any job or task in your pipeline by using the $(pipelineVariableName) syntax.

    The caveat here is that pipeline variables are scoped to a specific job; if you want to use the same variable across different jobs, then you need to pass this value to the next job, sort of like below:

    jobs:
    - job: Job1
      steps:
      - task: AzureKeyVault@2
        inputs:
          azureSubscription: $(KEYVAULT_SC_DEV)
          KeyVaultName: $(KEYVAULT_NAME_DEV)
          SecretsFilter: APICREDENTIALS
          OutputVariable: secretValue
    - job: Job2
      inputs:
        secretInput: $(secretValue)
      steps:
      - task: SomeTask
        inputs:
          secret: $(secretInput)
    
  2. If you want to make Azure Key Vault secrets available across multiple jobs or stages with the AzureKeyVault@2 task, you can use output variables in different jobs or stages.

    For example, I've set a secret named password in my Key Vault.

    Across multiple jobs:

    variables:
      # map the output variable from A into this job
      password-job-b: $[ dependencies.A.outputs['ouputvariable.mypassword'] ]
    

    Across multiple stages:

    variables:
          # map the output variable from A into this job
          password-stage-two: $[ stageDependencies.One.A.outputs['ouputvariable.mypassword'] ]
    

    Across the whole job:

    - task: AzureKeyVault@2
      inputs:
        RunAsPreJob: true ## Make the secret(s) available to the whole job
    

    Full yaml sample:

    trigger:
    - none
    
    pool:
      vmImage: ubuntu-latest
    
    stages:
    - stage: One
      jobs:
      - job: A
        steps:
        - task: AzureKeyVault@2
          inputs:
            azureSubscription: 'your subscription'
            KeyVaultName: 'your keyvault name'
            SecretsFilter: '*'
            RunAsPreJob: true
        - task: Bash@3
          inputs:
            targetType: 'inline'
            script: 'echo "##vso[task.setvariable variable=mypassword;isOutput=true]$(password)"'
          name: ouputvariable
      - job: B
        dependsOn: A
        variables:
         # map the output variable from A into this job
         password-job-b: $[ dependencies.A.outputs['ouputvariable.mypassword'] ]
        steps:
        - script: echo this is password :$(password-job-b) # this step uses the mapped-in variable
    - stage: Two
      variables:
          # map the output variable from A into this job
          password-stage-two: $[ stageDependencies.One.A.outputs['ouputvariable.mypassword'] ]
      jobs:
      - job: C
        steps:
        - script: echo this is password :$(password-stage-two) # this step uses the mapped-in variable
    
    

    Result across multiple jobs: [screenshot of the pipeline log for job B]

    Result across multiple stages: [screenshot of the pipeline log for job C]

    UPDATE

    When issecret is set to true, the value of the variable will be saved as a secret.

    script: 'echo "##vso[task.setvariable variable=mypassword;isOutput=true;issecret=true]$(password)"'
    
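    To make the mechanism in this answer concrete, here is an added example (my own code, not from any answer or from Azure Pipelines itself) that models the two things the YAML above relies on: the `##vso[task.setvariable ...]` logging command that a step writes to stdout, and the `dependencies`/`stageDependencies` expression a later job or stage uses to read it. It also models, in simplified form, the agent's masking of values registered with issecret=true, so you can see why the UPDATE matters: without issecret=true the value echoed in job B or C lands in the log in clear text. The helper names (parse_setvariable, output_reference, process_job_output) and the sample log lines are constructed for this example.

```python
"""Model of the Azure Pipelines task.setvariable logging command and of the
secret masking the agent applies to values registered with issecret=true.

Added example (not part of the original answer). Helper names and the sample
log lines are constructed; the command syntax follows the documented form
    ##vso[task.setvariable variable=<name>;isOutput=<bool>;issecret=<bool>]<value>
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

_CMD = re.compile(r"^##vso\[task\.setvariable (?P<props>[^\]]*)\](?P<value>.*)$")


@dataclass(frozen=True)
class SetVariable:
    name: str
    value: str
    is_output: bool   # isOutput=true: visible to other jobs/stages via <stepName>.<name>
    is_secret: bool   # issecret=true: value is masked in logs and stored as a secret


def parse_setvariable(line: str) -> Optional[SetVariable]:
    """Parse one stdout line; return None if it is not a setvariable command."""
    m = _CMD.match(line.rstrip("\r\n"))
    if m is None:
        return None
    props: Dict[str, str] = {}
    for item in m.group("props").split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            props[key.strip().lower()] = val.strip()
    if "variable" not in props:
        return None

    def flag(key: str) -> bool:
        return props.get(key, "false").lower() == "true"

    return SetVariable(props["variable"], m.group("value"), flag("isoutput"), flag("issecret"))


def output_reference(step_name: str, var: SetVariable, job: str, stage: Optional[str] = None) -> str:
    """Expression a downstream job (same stage) or a later stage uses to map the output.

    Matches the two forms used in the answer: dependencies.<job>.outputs[...] and
    stageDependencies.<stage>.<job>.outputs[...], keyed by <stepName>.<variable>.
    """
    if not var.is_output:
        raise ValueError(f"{var.name} was not set with isOutput=true; other jobs cannot see it")
    key = f"{step_name}.{var.name}"
    if stage is None:
        return f"$[ dependencies.{job}.outputs['{key}'] ]"
    return f"$[ stageDependencies.{stage}.{job}.outputs['{key}'] ]"


def mask_line(line: str, secrets: Iterable[str]) -> str:
    """Replace every registered secret value with '***' (longest values first)."""
    for secret in sorted(secrets, key=len, reverse=True):
        if secret:
            line = line.replace(secret, "***")
    return line


def process_job_output(lines: Iterable[str], known_secrets: Iterable[str] = ()) -> Tuple[Dict[str, SetVariable], List[str]]:
    """Simulate the agent reading a step's stdout: collect variables, mask secrets in the log."""
    variables: Dict[str, SetVariable] = {}
    secrets = set(known_secrets)          # e.g. values already fetched from Key Vault
    masked: List[str] = []
    for line in lines:
        var = parse_setvariable(line)
        if var is not None:
            variables[var.name] = var
            if var.is_secret:
                secrets.add(var.value)    # from now on this value is masked everywhere
        masked.append(mask_line(line, secrets))
    return variables, masked


# Constructed sample: one secret output, one non-output plain variable, two log lines.
SAMPLE_OUTPUT = [
    "##vso[task.setvariable variable=mypassword;isOutput=true;issecret=true]Hunter2!",
    "this is password :Hunter2!",
    "##vso[task.setvariable variable=buildId]4711",
    "build 4711 finished",
]

if __name__ == "__main__":
    found, log = process_job_output(SAMPLE_OUTPUT)
    print("\n".join(log))
    pw = found["mypassword"]
    print(output_reference("ouputvariable", pw, "A"))
    print(output_reference("ouputvariable", pw, "A", stage="One"))
```

    Running it prints the masked log (the password appears as *** on both lines where it occurred) followed by the two mapping expressions from the YAML above. The buildId variable is left unmasked because it was not registered as a secret, and asking for an output reference to it raises an error because it was not set with isOutput=true.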
  3. We can use "variable groups" to pass the values into a YAML pipeline, which we can make available across all.

    Step 1:
    Store Key Vault key values into Variable Groups
    how to use keyvault

    Step 2:
    Use that Variable Group in any pipelines
    Here is the reference: tutorial from Thomas Thornton
