Healthcare and Life Sciences Blog

Getting secrets from Key Vault in YAML pipeline

Andrew_Redman
Microsoft
Aug 19, 2022

Keeping your connection strings and secrets secure is not a concern of just one industry. The best practice is to keep security at the top of your mind regardless of whether you are working on an app for a company in Healthcare, Finance, Retail, etc. Azure Key Vault can help you do just that.


If you have ever created an Azure App Service or Azure Function App that uses app settings, then you have dealt with the problem of how you are going to get those settings secure and updated correctly in each environment.  You need a secure location to store this information and then be able to access it during your deployment process.  Azure Key Vault and using the Azure Key Vault task inside a deployment pipeline in Azure DevOps can solve this problem for you.  If you prefer video, then have a look at this as it will walk you through the steps of getting this setup.

What’s the problem?

You want your code ‘bits’ not to have to worry about the configuration items that might change from environment to environment, so, being a good developer, you have created variables to protect you from these changing values. Now how do you automate your deployment to take these changing values into account? I’d like to suggest using the Azure Key Vault task YAML snippet as part of your YAML pipeline in Azure DevOps, and here’s how you can use it.


The Setup

We have the following resources that we are using to demonstrate this setup.

  • Azure Function (python, but can be any language)
  • Key Vault
  • YAML pipeline

This GitHub repo is what we are going to be using as our example: 


If you look at the README.md it will give you a good feel for what the repo is doing, but we are going to zoom in to the Key Vault integration.


Azure Function App

You will need to make sure you have a function app created that you can use.  There isn’t any special setup you need to do here other than to take note of the app settings that you want to set in your pipeline.


Key Vault

Again, you will need to make sure you have a key vault created in Azure to use, and it will need to have at least one secret that you want to set as the app setting. You will also need to make sure that the service connection has Get and List permission in the Key Vault's access policies.


This is a good place to point out that an Azure Key Vault currently has two permission models: Vault access policy and Azure role-based access control (RBAC). The model used in this blog post and video is the Vault access policy, but it could also be accomplished with the RBAC approach. If you are interested in following the RBAC approach, please refer to this document.


Azure-pipelines.yml pipeline

All of the code is located in the GitHub repo listed above, but this pipeline file will need to be used in an Azure DevOps pipeline so you can kick it off to test this process. If you take a look at this file, you can see the Azure Key Vault snippet and the parameters it uses.


Here is a link to the document for the Key Vault YAML snippet. This code downloads all the secrets from the key vault that you specify. Once you have downloaded the secrets you can use them throughout the pipeline as you would a typical variable, using the Key Vault secret name as the variable name. Below, we are using `blob-storage-connection-secret`.
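The pipeline itself is shown in the post as a screenshot, so here is a complete `azure-pipelines.yml` written for this article as an added example; it is not the file from the GitHub repo. The service connection name, vault name, function app name and app-setting key are assumptions. It narrows `SecretsFilter` to the one secret the deployment needs instead of `*` (every secret in the vault), passes the downloaded secret to the `Deploy Function App` step by its Key Vault secret name, and shows the one extra step practitioners usually trip over: secret variables are not exposed to script steps as environment variables unless you map them with `env:`.

```yaml
# Added example pipeline, not the blog repo's own file.
# Assumed names: service connection 'my-azure-service-connection',
# vault 'my-key-vault', function app 'my-function-app',
# app setting 'BlobStorageConnection'.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  azureServiceConnection: 'my-azure-service-connection'   # assumed
  keyVaultName: 'my-key-vault'                            # assumed
  functionAppName: 'my-function-app'                      # assumed

steps:
  # Fetch secrets from Key Vault. The service connection needs Get and List
  # on secrets (access policy) or an equivalent RBAC role. SecretsFilter is
  # limited to the one secret this deployment uses rather than '*', so the
  # pipeline cannot read secrets it has no business with.
  - task: AzureKeyVault@2
    displayName: Get secrets from Key Vault
    inputs:
      azureSubscription: $(azureServiceConnection)
      KeyVaultName: $(keyVaultName)
      SecretsFilter: 'blob-storage-connection-secret'
      RunAsPreJob: false

  # Secret variables are not placed in the environment of script steps
  # automatically; map the one you need under env:. The script only checks
  # presence and never prints the value (the agent would mask it anyway).
  - bash: |
      if [ -z "$BLOB_CONN" ]; then
        echo "##vso[task.logissue type=error]blob-storage-connection-secret was not fetched"
        exit 1
      fi
      echo "Secret was fetched (value masked in logs)"
    displayName: Verify secret was fetched
    env:
      BLOB_CONN: $(blob-storage-connection-secret)

  # Package the function code from the repo root into a zip for deployment.
  - task: ArchiveFiles@2
    displayName: Package Function App
    inputs:
      rootFolderOrFile: '$(Build.SourcesDirectory)'
      includeRootFolder: false
      archiveType: zip
      archiveFile: '$(Build.ArtifactStagingDirectory)/functionapp.zip'
      replaceExistingArchive: true

  # Deploy and set the app setting from the Key Vault secret. The secret is
  # referenced by its Key Vault secret name; the task log shows the key but
  # masks the value.
  - task: AzureFunctionApp@1
    displayName: Deploy Function App
    inputs:
      azureSubscription: $(azureServiceConnection)
      appType: functionAppLinux
      appName: $(functionAppName)
      package: '$(Build.ArtifactStagingDirectory)/functionapp.zip'
      appSettings: '-BlobStorageConnection "$(blob-storage-connection-secret)"'
```

Keeping `SecretsFilter` to an explicit, comma-separated list is the least-privilege choice: a pipeline that downloads `*` pulls every secret in the vault into the job, and anyone who can edit the YAML in that repo can then route any of them into a script step.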


How to test

To test this, you will just need to run the Azure DevOps pipeline that you created using the `azure-pipelines.yml` file.  When that run completes, we can take a look at the output from the `Deploy Function App` step and you will see the following:


The log confirms that your setting was updated, and notice that the actual value it’s using as the replacement is obfuscated in the log to keep your secrets…well, secret! Just to double-check, you can go to the Azure portal, open the Function App and confirm the setting there. In our case we are looking for this Key Vault value to be put in the app settings:


Key Vault -> Secret -> blob-storage-connection-secret


Function App Service


That’s it!  Thanks for reading and/or watching.  Please comment with any questions.


Updated Aug 23, 2022
Version 3.0
  • _MartinB

    Hi Andrew_Redman,
    Thanks for the useful article.

    We use Key Vault also as configuration store. Meaning we don't store actual secrets in it but environment specific (non-sensitive) configuration items.

    For those Key Vault entries the secure string obfuscation in Azure DevOps is rather annoying (because it makes troubleshooting harder).

    Is there some way to deactivate the obfuscation for Key Vault entries following a specific naming pattern?

  • Hi _MartinB,

    Glad you found the article useful.


    There is not a way, that I am not aware of, to deactivate the obfuscation of secrets in the output of an Azure DevOps pipeline.  It's a security feature of Azure DevOps designed to protect sensitive information and it considers all items coming from Azure Key Vault to be sensitive.  You might be able to achieve what you are looking for with something like Azure App Configuration for your non-sensitive configuration elements.

  • _MartinB

    Hi Andrew_Redman,

    We'd love to do just that.
    Unfortunately, support for Azure App Configuration integration is not given for all Azure services. 😞

    We use Azure Synapse but it does not support Azure App Configuration; but it does support Azure Key Vault, so we use AKV as configuration store.