Using Azure Key Vault secrets in Azure DevOps Pipelines

Our applications use all sorts of sensitive information and it’s easy to store this sensitive information in an unsecured way. For instance, by putting database connection strings inside your appsettings.json file you can expose your database user name and passwords to others who shouldn’t have access to that information.

One way of storing secrets in a more secure way is to put those secrets inside your Azure Build Pipeline as shown below:

This is a better solution as now the sensitive information is outside of the code base and stored securely inside your DevOps Pipeline. Now only users with access to the Pipeline are able to see any sensitive information. This may be OK for you but you might want to further restrict who can see this sensitive information and put it in a more secure place.

Another drawback to this solution is that you may have lots of variables that are shared across multiple pipelines. You will need to update each pipeline when you want to change a variable.

This is where the concept of Variable Groups come in.

Variable Groups

You can create Variable Groups in your project which essentially group together a number of variables and allow those variables to be used across multiple pipelines within your project. Below is a guide on how to create a new Variable Group

  1. Click on the Library link under Pipelines

2. Click the Add Variable Group button

3. Name the Variable Group and click the Add button to start adding variables to it.

You can see I have added a new variable called SomeSecret with a value.

4. You can now click the Save button and this will create the new Variable group

You now have a Variable Group you can use within your pipelines. Next is a quick detour to explain another option for storing secrets.

Azure Key Vault

Storing secrets inside a Variable Group is great but you may have a number of secrets that are used across multiple applications, and you want to access and manage them from a central location. These secrets might be used not only in Azure DevOps but across all your applications and across multiple projects.

This is where Azure Key Vault comes in. Azure Key Vault is an Azure service that lets you centrally manage secrets, keys, and certificates all within Azure. I will demonstrate how to create a new Azure Key Vault using the Azure Portal and how to link this to a Variable Group inside Azure DevOps.

Creating a new Azure Key Vault

  1. Search for Key Vault in the Azure Portal

2. When inside Azure Key Vault click the Create button to start creating a new Azure Key Vault

3. Fill out the details of your new Key Vault

4. Click the Review + create button to create your new Key Vault

Adding secrets to Azure Key Vault

Now we are going to add our secrets to our new Key Vault

  1. Open your new Key Vault and click on Secrets

2. Click on the Generate/Import button to create a new secret

3. Fill out the details of your new secret and click Create

Now you have a new Key Vault in Azure and had added your secrets to it, we can link this to the Variable Group we created above.

Linking Azure Key Vault to DevOps Variable Group.

If we go back to our newly created Variable Group in Azure DevOps and open it up we see a toggle called “Link Secrets from Azure key vault as Variables”

If we toggle that on, we get to put in the details of our Azure Subscription and select the key vault we created above.

We can see the Variable Group above is linked to our Azure Key Vault and we have added a number of secrets from our key vault.

This will have the effect of making these Secrets available to our Pipelines and Releases as Variables.

Using Secrets as Variables in Pipelines.

The next step is to actually use these variables inside our Pipelines. Currently we can only do this via the YAML file. The way we do this is to use the variables section inside our YAML. This is shown below is a sample YAML file

Notice how we set the Variable Group name in the variables -group section. Once this is done, we can use the variable in the YAML file by referencing the variable name like any other Pipeline variable.

Now we have one central place to manage all our secrets and these secrets will propagate to our build pipelines in Azure DevOps.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Lee Dale

I am a lead software developer with a keen interest in cybersecurity . Currently studying for a MSc in Advanced Information Security and Digital Forensics.