Azure Key Vault is a secure secret, key, and certificate store. Azure Key Vault can ensure that your tokens and secrets are stored securely and easily accessed by your pipeline without exposing them in plain text. Azure Pipelines provides built-in tasks that enable you to retrieve secrets from Azure Key Vault during pipeline execution.
In this unit, learn ways to use Azure Key Vault with YAML pipelines for security tokens and secrets management.
You need an Azure Key Vault, a Service Principal and a YAML Pipeline. To create these resources, follow the steps in Use Azure Key Vault to secure secrets.
One way to use Azure Key Vault with YAML pipeline templates is to create a variable group that references the Key Vault. Here are the steps:
$(keyVaultSecret). Use this variable to retrieve the secret from Azure Key Vault.

Now, you can reference the variable group in your YAML pipeline templates using the following syntax:

```yaml
variables:
- group: <variable group name>

steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: '<Azure subscription service connection>'
    KeyVaultName: '<Key Vault name>'
    SecretsFilter: '*'
    RunAsPreJob: true
```
Another way to use Azure Key Vault with YAML pipeline templates is to pass the secret as a parameter to the template.
In Azure DevOps, create a new pipeline and choose YAML.
In the pipeline, define a parameter for the secret:

```yaml
parameters:
- name: keyVaultSecret
  type: string
```

In the pipeline, use the AzureKeyVault task to retrieve the secret:

```yaml
steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: '<Azure subscription service connection>'
    KeyVaultName: '<Key Vault name>'
    SecretsFilter: '$(keyVaultSecret)'
```

In the pipeline, pass the secret as a parameter to the template:

```yaml
- template: template.yaml
  parameters:
    keyVaultSecret: $(keyVaultSecret)
```

Replace <Azure subscription service connection> and <Key Vault name> with your own values.
A third way to use Azure Key Vault with YAML pipeline templates is to combine variables, tokens, and Azure Key Vault.
Set the value of the variable to $(keyVaultSecret) and mark it as a secret. Use the variable to retrieve the secret from Azure Key Vault.

In your YAML pipeline template, use the $(keyVaultSecret) variable to retrieve the secret from Azure Key Vault:

```yaml
steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: '<Azure subscription service connection>'
    KeyVaultName: '<Key Vault name>'
    SecretsFilter: '$(keyVaultSecret)'
```
To tokenize the value of the secret, use the $(keyVaultSecret) variable in your pipeline:

```yaml
steps:
- script: |
    echo $(keyVaultSecret)
```

This outputs the value of the secret at runtime. Azure Pipelines masks the values of secret variables in the job log, so the printed value appears as asterisks rather than in plain text.
If you want to use the secret as an environment variable in your pipeline, you can set the environment variable in a script step:

```yaml
steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: '<Azure subscription service connection>'
    KeyVaultName: '<Key Vault name>'
    SecretsFilter: '$(keyVaultSecret)'
- script: |
    export MY_SECRET=$(keyVaultSecret)
```

This sets the MY_SECRET environment variable to the value of the secret for the duration of that script step; later steps don't inherit it.
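The following is an added example, not code from this unit, that puts the pieces above together in one pipeline plus the template it calls: the AzureKeyVault task fetches a single named secret, a script step receives it through an env mapping and checks that it was retrieved without printing it, and the secret is handed to a template parameter. The service connection name, vault name, secret name and template file name are assumed placeholders.

```yaml
# ----- azure-pipelines.yaml (added example; all names are assumed) -----
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
# Fetch only the secret this job needs instead of '*'. Each fetched secret
# becomes a secret pipeline variable with the same name, here $(DbPassword).
- task: AzureKeyVault@2
  displayName: Retrieve DbPassword from Key Vault
  inputs:
    azureSubscription: 'sc-keyvault-demo'      # assumed service connection
    KeyVaultName: 'kv-pipeline-demo'           # assumed vault name
    SecretsFilter: 'DbPassword'                # assumed secret name

# Pass the secret through an env mapping rather than expanding $(DbPassword)
# inside the script body, so the value is not part of the rendered command.
- script: |
    if [ -z "$DB_PASSWORD" ]; then
      echo "DbPassword was not retrieved from Key Vault" >&2
      exit 1
    fi
    echo "DbPassword retrieved (length ${#DB_PASSWORD})"
  displayName: Verify the secret without printing it
  env:
    DB_PASSWORD: $(DbPassword)

# Hand the secret variable to the template as a parameter.
- template: deploy.yaml
  parameters:
    keyVaultSecret: $(DbPassword)

# ----- deploy.yaml (the template; assumed file name) -----
# parameters:
# - name: keyVaultSecret
#   type: string
#
# steps:
# - script: |
#     ./deploy.sh            # assumed script that reads DB_PASSWORD
#   displayName: Deploy using the Key Vault secret
#   env:
#     DB_PASSWORD: ${{ parameters.keyVaultSecret }}
```

The template body is shown commented out only because it lives in a separate file; the parameter expands to `$(DbPassword)` at compile time and the secret value is substituted at run time.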
Create a new YAML pipeline that deploys an Azure Resource Manager template that references a secret stored in Azure Key Vault. Use the AzureKeyVault task to retrieve the secret and pass it as a parameter to the template. Verify that the pipeline can successfully deploy the template without exposing the secret in plain text.
Suggested Lab: Integrate Azure Key Vault with Azure DevOps
For more information about Azure Key Vault and YAML pipelines, see: