Utilizing Azure Key Vault with Private Link in DevOps
Published Apr 20 2023 12:05 PM
Microsoft

Azure Key Vault is a cloud service that provides secure storage of, and controlled access to, secrets such as API keys, passwords, certificates, and cryptographic keys. To tighten security and disable public access, Azure Key Vault can be integrated with a Private Endpoint powered by Azure Private Link. The private endpoint takes a private IP address from your VNet and brings the service into that VNet, so traffic between your virtual network and Key Vault travels over the Microsoft backbone network and the vault is no longer exposed to the public Internet.

Prerequisites for this scenario

  • A self-hosted agent in Azure DevOps, running inside the virtual network
  • An Azure Key Vault
  • A virtual network
  • A subnet in that virtual network for the private endpoint
  • A Key Vault access policy that grants the service connection's identity Get and List permissions on secrets, so they can be read from YAML or the Library section

Accessing Key Vault from YAML with Private Endpoint enabled

Ensure that the Key Vault private endpoint connection is approved. The Azure documentation on integrating Key Vault with Azure Private Link provides detailed steps.

[Screenshot: the Key Vault private endpoint connection in the Approved state]

The job below runs on a self-hosted agent and uses the service connection to access Azure Key Vault. I have added a CmdLine task that creates a file and retrieves secrets from Key Vault.
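A pipeline definition of the kind described above, written here as an added example rather than the post's own YAML; the pool name, service connection name, vault name and secret name in angle brackets are placeholders. It goes a step beyond the post's CmdLine task: before any secret is read, a script confirms that the agent resolves the vault's FQDN to a private (RFC 1918) address, which is the quickest way to detect a private DNS zone that is not linked to the agent's VNet, and the secret is then consumed from an environment variable instead of being written to a file.

```yaml
# Added example, not the post's own pipeline. Placeholders are in angle brackets.
trigger:
- main

pool:
  name: '<SelfHostedPool>'   # self-hosted agent inside the VNet that holds the private endpoint

variables:
  keyVaultName: '<my-keyvault>'

steps:
# Check that the vault FQDN resolves to a private address on this agent. With Private
# Link it should return the endpoint's VNet IP; a public IP means the private DNS zone
# is not linked to this VNet and the request would leave the VNet.
- task: Bash@3
  displayName: Verify Key Vault resolves to the private endpoint
  inputs:
    targetType: inline
    script: |
      set -euo pipefail
      fqdn="$(keyVaultName).vault.azure.net"
      ip=$(getent ahostsv4 "$fqdn" | awk 'NR==1 {print $1}')
      echo "Resolved $fqdn to $ip"
      case "$ip" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[0-1].*) ;;
        *) echo "##vso[task.logissue type=error]$fqdn resolved to a public address"; exit 1 ;;
      esac

# AzureKeyVault@2 reads secrets through the service connection and maps each one to a
# secret pipeline variable; it runs on the agent, so the call goes via the private endpoint.
- task: AzureKeyVault@2
  displayName: Read secrets from Key Vault
  inputs:
    azureSubscription: '<KeyVaultServiceConnection>'
    KeyVaultName: $(keyVaultName)
    SecretsFilter: 'MySecret'
    RunAsPreJob: false

# Consume the secret from an environment variable; it is never echoed or written to disk.
- task: Bash@3
  displayName: Use the secret
  env:
    MY_SECRET: $(MySecret)
  inputs:
    targetType: inline
    script: |
      set -euo pipefail
      test -n "$MY_SECRET" || { echo "##vso[task.logissue type=error]MySecret is empty"; exit 1; }
      echo "Secret retrieved (length ${#MY_SECRET})"
```

The `$(keyVaultName)` and `$(MySecret)` tokens are expanded by Azure Pipelines before the scripts run; the `$(getent ...)` command substitution is left alone because no variable of that name exists.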

[Screenshot: the pipeline job on the self-hosted agent with the AzureKeyVault and CmdLine tasks]

Below is the output of retrieving secrets from Azure Key Vault after running the Azure DevOps pipeline.

[Screenshot: pipeline run output showing the secrets retrieved from Azure Key Vault]

Link secrets from Azure Key Vault as variables

To link secrets, I have allow-listed the Azure DevOps IP address (in my case, the organization is hosted in the Central United States region) in the Key Vault's Networking section. This is an inbound connection originating from Azure DevOps services to Azure Key Vault via Private Endpoint.

The official documentation below lists the Azure DevOps IP addresses for each region.

[Screenshot: the Azure DevOps documentation listing IP addresses by region]

Here is the final output screen that shows the successful linking of secrets from Azure Key Vault.

[Screenshot: the Library variable group showing secrets successfully linked from Azure Key Vault]

Last update: Apr 24 2023 02:33 PM