Please don’t mind my question as I’m not versed in spring boot, but I’ve been given a task to find a way to eliminate the use of password in application-test.properties file and use Azure Key Vaults to retrieve that password.
I’ve read a bit about it on the internet but was unable to find a way easy enough for me to understand. Please let me know if it’s possible.
Right now, we’re using Azure DevOps to make builds and in Pipelines, I use sed to enter the password there so there’s no password stored on the version control.
2
Answers
Azure Key Vaults are provided as a web service, meaning that each secret (passwords, connection strings, etc.) stored within can be fetched via an simple HTTPS GET call to that service. What we do is place the Key Vault URI for a particular secret in our configuration files. Then the calling application needs code which will pull the secret from the Key Vault itself. Because the Key Vault has restricted access, a security policy should be in place that allows the calling application to Read and Get it’s secrets. This means that the Key Vault URI’s in your config files, don’t actually allow anyone to fetch a secret, so they are safe there, even if someone obtains them.
TIP: If you remove the version tag from the URI, it will always fetch the ‘latest’ version of a secret.
Azure Key Vaults can be easily integrated with Azure DevOps
Variable Groups.All you need to do is create a variable group (
Pipelines > Library > Variables groups) and toggle the optionLink secrets from an Azure key vault as secrets. Below is sample screenshot of how you can achieve this.You can then include the variable group within your build pipelines and use
ReplaceTokentask to replace the variables in theapplication-test.propertiesfile