
I know it sounds convoluted, but bear with me:
I define a secret variable

- name: SECRET_VAR
  value: dev-secret

which I can use to get the secret from a Key Vault by its name (dev-secret):

    - task: AzureKeyVault@2
      displayName: Load Key Vault Secrets
      inputs:
        azureSubscription: $(SUBSCRIPTION_SERVICE_ACCOUNT)
        KeyVaultName: $(KEYVAULT_NAME)
        SecretsFilter: $(SECRET_VAR)
        RunAsPreJob: true 

I now want to use the secret in subsequent jobs with:

    - task: Bash@3
      name : getToken
      inputs:
        targetType: 'inline'
        script: |
          echo "##vso[task.setvariable variable=myToken;isOutput=true]$(SECRET_VAR)"

and this obviously does not work, as it evaluates to the string dev-secret but not the secret itself.
For sure I can use it with:

echo "##vso[task.setvariable variable=myToken;isOutput=true]$(dev-secret)"

But since I have multiple pipelines that have to get different secrets, I need to make it dynamic.
How can I achieve this?

2 Answers


  1. You should set the SecretsFilter to '*' and prepare several secrets in Azure Key Vault. I have added two as my sample:


    and below is my code; just apply your own parameters and run it. It will achieve your dynamic tokens.

    parameters:
    - name: serviceConnectionName
      type: string
      default: xxx
    - name:  KeyVaultName
      type: string
      default: xxx
    
    trigger: none
    
    pool:
      vmImage: ubuntu-latest
    
    steps:
    - task: AzureKeyVault@2
      displayName: Load Key Vault Secrets
      inputs:
        azureSubscription: ${{ parameters.serviceConnectionName }}
        KeyVaultName: ${{ parameters.KeyVaultName }}
        SecretsFilter: '*'
        RunAsPreJob: true 
    
    - task: Bash@3
      name : getToken
      inputs:
        targetType: 'inline'
        script: |
          echo "##vso[task.setvariable variable=myToken;isOutput=true]$(dev-secret)"
    
    - task: Bash@3
      name : getToken1
      inputs:
        targetType: 'inline'
        script: |
          echo "##vso[task.setvariable variable=myToken1;isOutput=true]$(dev-secret-1)"
    
    - task: Bash@3
      name : echoToken
      inputs:
        targetType: 'inline'
        script: |
          echo $(getToken.myToken)
          echo $(getToken1.myToken1)
    
  2. As it is a Key Vault secret, it will NOT be mapped to the environment. You can use $(${{ variables.SECRET_VAR }}) in the logging command, and invoke it in the next job.

    echo "##vso[task.setvariable variable=myToken;issecret=true;isOutput=true]$(${{ variables.SECRET_VAR }})"
    

    My YAML below:

    variables:
      - name: SECRET_VAR
        value: dev-secret
      - name: SUBSCRIPTION_SERVICE_ACCOUNT
        value: ARMConn3
      - name: KEYVAULT_NAME
        value: keyvalut4
    
    
    jobs:
      - job: A
        pool:
          vmImage: 'Ubuntu-latest'
        steps:
          - task: AzureKeyVault@2
            displayName: Load Key Vault Secrets
            inputs:
              azureSubscription: $(SUBSCRIPTION_SERVICE_ACCOUNT)
              KeyVaultName: $(KEYVAULT_NAME)
              SecretsFilter: $(SECRET_VAR)   # the variable defined above; resolves to the secret name (dev-secret)
              RunAsPreJob: true 
    
          - task: Bash@3
            name : getToken
            inputs:
              targetType: 'inline'
              script: |
                echo "##vso[task.setvariable variable=myToken;issecret=true;isOutput=true]$(${{ variables.SECRET_VAR }})"
    
          - bash: echo $(getToken.myToken)  >> test1.txt
    
          - task: PublishPipelineArtifact@1
            inputs:
              targetPath: '$(Pipeline.Workspace)/s/test1.txt'
              artifact: 'test1'
              publishLocation: 'pipeline'
            
      
      - job: B
        dependsOn: A
        pool:
          vmImage: 'ubuntu-latest'
        variables:
          Tokenvalue: $[ dependencies.A.outputs['getToken.myToken'] ]
        steps:
        - bash: "echo $(Tokenvalue)"
          name: echovar
          
        - bash: echo $(Tokenvalue) >> test2.txt
        - task: PublishPipelineArtifact@1
          inputs:
            targetPath: '$(Pipeline.Workspace)/s/test2.txt'
            artifact: 'test2'
            publishLocation: 'pipeline'
    

    Check in Job A, test1.txt:

    Check in Job B, test2.txt:

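Both answers above rely on the same mechanism: a compile-time template expression (`${{ }}`) is expanded first, leaving a plain run-time macro such as `$(dev-secret)` that the agent substitutes with the value the AzureKeyVault task produced. The pipeline below is an added example, not code from the question or either answer, that generalizes that pattern to a list of secret names passed as a parameter, so each consuming pipeline loads only the secrets it names (an exact SecretsFilter rather than '*', which pulls every secret the service connection can read) and re-exports each one as a masked output variable for a later job. The parameter, job and step names, the service connection and Key Vault names, and the two secret names are assumptions; `join` and `replace` are built-in Azure Pipelines expression functions.

```yaml
# Added example (not from the original question or answers): load a parameterized
# list of Key Vault secrets and pass each to a later job as a masked output variable.
parameters:
- name: serviceConnectionName    # assumed: name of the ARM service connection
  type: string
- name: keyVaultName             # assumed: name of the Key Vault
  type: string
- name: secretNames              # Key Vault secret names; these two values are constructed
  type: object
  default:
  - dev-secret
  - dev-secret-1

trigger: none

jobs:
- job: load_secrets
  pool:
    vmImage: ubuntu-latest
  steps:
  # ${{ }} is resolved when the YAML is compiled, so the filter becomes the exact
  # comma-separated list "dev-secret,dev-secret-1" instead of the wildcard '*'.
  - task: AzureKeyVault@2
    displayName: Load Key Vault Secrets
    inputs:
      azureSubscription: ${{ parameters.serviceConnectionName }}
      KeyVaultName: ${{ parameters.keyVaultName }}
      SecretsFilter: ${{ join(',', parameters.secretNames) }}
      RunAsPreJob: true

  # One export step per secret. ${{ s }} is replaced at compile time, leaving the
  # macro $(dev-secret) that the agent substitutes at run time. issecret=true keeps
  # the value masked in logs; isOutput=true makes it readable from other jobs.
  - ${{ each s in parameters.secretNames }}:
    - task: Bash@3
      name: export_${{ replace(s, '-', '_') }}   # step names cannot contain hyphens
      displayName: Export ${{ s }}
      inputs:
        targetType: inline
        script: |
          echo "##vso[task.setvariable variable=value;issecret=true;isOutput=true]$(${{ s }})"

- job: use_secrets
  dependsOn: load_secrets
  pool:
    vmImage: ubuntu-latest
  variables:
    # Map each exported output into a job variable named after the secret
    # (dev-secret -> dev_secret) using a run-time $[ ] dependency expression.
    ${{ each s in parameters.secretNames }}:
      ${{ replace(s, '-', '_') }}: $[ dependencies.load_secrets.outputs['export_${{ replace(s, '-', '_') }}.value'] ]
  steps:
  # Consume the value through an environment variable so it never appears on a
  # command line or in the log; do not write it to a file or publish it as an artifact.
  - bash: |
      if [ -n "$DEV_SECRET" ]; then
        echo "dev-secret was received (length ${#DEV_SECRET})"
      else
        echo "dev-secret was not received" >&2
        exit 1
      fi
    displayName: Use dev-secret
    env:
      DEV_SECRET: $(dev_secret)
```

Each pipeline that includes this template passes its own `secretNames` list, which is what makes the lookup dynamic without granting every job access to the whole vault. The file-and-artifact steps in the answer above are useful for verifying the flow once, but a published artifact is readable by anyone with access to the run, so they should not be part of a real pipeline.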