We have an Azure Key Vault task in our release pipeline which downloads some secrets for use in the stage.

In an Inline Azure PowerShell script you can just use the following to get the secret value:

$secretValue = $(nameOfTheSecretInKeyVault)

This works fine.

However we want to move to using scripts in the repo, i.e. pointing the DevOps task to a file path such as /somePath/myScript.ps1

So I would need to parameterise the above line of code, as I cannot just change the name in the inline script like I'm currently doing, but I can't get it to work.

I have tried:

$compositeName = "${someParameter}-Application"
$secretValue1 = $($compositeName)
$secretValue2 = $("${compositeName}")
$secretValue3 = env:$compositeName
$secretValue4 = $(${compositeName})

The top line is just building up the name of the secret which it needs to look for. Unfortunately none of these work. Attempt #1, #2 and #4 come back with the string name only, not having actually got the secret value, and #3 errors saying it doesn't exist.

Is there a way to achieve this, or do I simply need to parameterise the secret and pass it into the script from the ADO task?

5 Answers

Like you, I couldn't figure out a way to access the variables that the log says are loaded by the Download secrets task of the job. It did work in inline mode, but not a chance with a script file.

So instead I leveraged the existing wiring (variable group linked to my KeyVault) and just run the command myself at the start of my script:

# Az.KeyVault 1.x; SecretValueText was removed in Az.KeyVault 2.0+, where you use -AsPlainText instead
$mySecretValue = (Get-AzKeyVaultSecret -VaultName "myVault" -Name "mySecret").SecretValueText

From there I could use it as any other variable.

1 Comment

I wrote a complete article on the topic, explaining which syntax works in which circumstances: eiden.ca/devops-keyvault-powershell
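As an added example (not the answer's own code, and not tied to the linked article): a generic script file that follows this answer's approach, taking the secret name as a parameter instead of hard-coding it, and reading the secret itself. It assumes it runs inside an AzurePowerShell task that is already signed in through the service connection and has the Az.KeyVault module loaded; the vault name, parameter names and the `$Prefix-$Suffix` naming convention are placeholders. It also copes with both module generations (`.SecretValueText` was removed in Az.KeyVault 2.0 in favour of `-AsPlainText`).

```powershell
# Added example, not code from the original answer. Runs as e.g. /somePath/myScript.ps1
# from an AzurePowerShell task. Assumptions: the task is already authenticated with a
# service connection that has 'get' permission (or the Key Vault Secrets User role)
# on the vault; Az.KeyVault is available; names below are placeholders.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $VaultName,
    [Parameter(Mandatory)] [string] $Prefix,          # e.g. the application name
    [string] $Suffix = 'Application'                  # hypothetical naming convention
)

# Build the secret name at run time instead of baking it into an inline script.
$secretName = "$Prefix-$Suffix"

function Get-KeyVaultSecretText {
    param([string] $VaultName, [string] $Name)

    $cmd = Get-Command Get-AzKeyVaultSecret -ErrorAction Stop
    if ($cmd.Parameters.ContainsKey('AsPlainText')) {
        # Az.KeyVault >= 2.0: SecretValueText no longer exists, ask for plain text explicitly.
        $text = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -AsPlainText -ErrorAction Stop
    } else {
        # Az.KeyVault 1.x behaviour, as used in the answer above.
        $text = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -ErrorAction Stop).SecretValueText
    }

    # A missing secret comes back as $null rather than as an error, so check it ourselves.
    if ([string]::IsNullOrEmpty($text)) {
        throw "Secret '$Name' not found in vault '$VaultName' (or the service principal lacks secret 'get' permission)."
    }
    return $text
}

$secret = Get-KeyVaultSecretText -VaultName $VaultName -Name $secretName

# Never Write-Host the value itself. If later tasks need it, hand it back to the
# pipeline as a secret variable so the agent masks it in logs.
Write-Host "##vso[task.setvariable variable=$secretName;issecret=true]$secret"
```

Invoke it from the task's arguments field as `-VaultName "$(vaultName)" -Prefix "$(appName)"`; only the names travel through the task inputs, the value never appears in the log because it is re-registered with `issecret=true`.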

Either run your KeyVault tasks first, before your PowerShell script, or do it all in PowerShell.

You will need to create a service connection to your Azure subscription from Azure DevOps. Allow the service connection to access the KeyVault. Access the KeyVault from PowerShell or Azure CLI.

E.g. for PowerShell:

# Az.KeyVault 1.x syntax; with Az.KeyVault 2.0+ use: Get-AzKeyVaultSecret -VaultName "Contosokeyvault" -Name "ExamplePassword" -AsPlainText
(Get-AzKeyVaultSecret -vaultName "Contosokeyvault" -name "ExamplePassword").SecretValueText

Here is a detailed walk through.

1 Comment

Yes I am running the KeyVault task first, and so it works fine when using the specific name i.e. $secretValue = $(nameOfTheSecretInKeyVault) syntax. I just need to be able to pass in the name of the keyvault secret to use as a parameter. I could resort to Get-AzKeyVaultSecret but it felt like there should be a way to use the KeyVault task and parameterise the name of the key you want to use.

There is also native key vault integration now so you can just have your keys read in as a variable group transparently, no Keyvault-specific powershell code required.

https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#link-secrets-from-an-azure-key-vault

3 Comments

I would still have to reference the variable group name in the PowerShell to call it from the variable group, so I would have the same problem of how to do that when you don't know which variable you will want when you're writing the script.
@MDBarbier not sure what you mean by "you don't know which variable you will want". You can't just name them the same as the secrets you want in Keyvault? The integration will bring them through with the same names. Are you saying you want to parameterize the secret name? I suppose you could use an expression in the YAML to interpret the code into the system perhaps
Yes looking to parameterise the secret name so the script can be generic and used for multiple pipelines (where the secret name will vary). I think I'll try passing the value to the script as a parameter rather than evaluating it in the script. Thanks.

One way to tackle this would be to add a parameter for your script to pass the release variable in when you call it, something like -secretValue $(nameOfTheSecretInKeyVault)

You should be able to use $env:nameOfTheSecretInKeyVault, but remember that . becomes _

EDIT: Looking at your question again if you used env:$nameOfTheSecretInKeyVault you would have had an issue. It's $env:<variable_name>

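As an added example (not part of the original answer): the "pass it in from the task" approach from this answer, written so the script stays generic. Two things the page's attempts ran into are handled here: the secret name is computed at run time, and the lookup is done with `Get-Item env:` instead of `env:$name`, which is not valid PowerShell. The pipeline wiring in the comment header is a hypothetical YAML fragment; note that Azure DevOps does not map secret variables to environment variables on its own, so the value has to be either passed as an argument or mapped explicitly under the task's `env:` block. Variable, task and parameter names are placeholders.

```powershell
# Added example, not code from the original answer. Hypothetical pipeline wiring
# (YAML) for this script; the secret itself is fetched by the Key Vault task first:
#
#   - task: AzureKeyVault@2
#     inputs:
#       azureSubscription: 'my-service-connection'
#       KeyVaultName: 'myVault'
#       SecretsFilter: '*'
#   - task: PowerShell@2
#     inputs:
#       filePath: somePath/myScript.ps1
#       # option A: pass the value straight in (macro syntax resolves in task inputs)
#       arguments: -Prefix "$(appName)" -SecretValue "$(myapp-Application)"
#     env:
#       # option B: secrets are NOT exported to the environment automatically;
#       # map the one this pipeline needs, the script finds it by computed name.
#       MYAPP-APPLICATION: $(myapp-Application)
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Prefix,
    [string] $SecretValue      # optional: set when the task passes the value directly
)

# Same composite name the question builds, assumed convention "<prefix>-Application".
$secretName = "$Prefix-Application"

function Resolve-PipelineSecret {
    param([string] $Name, [string] $Passed)

    # Option A: the task already handed us the value as an argument.
    if (-not [string]::IsNullOrEmpty($Passed)) { return $Passed }

    # Option B: look it up in the environment by its computed name. Azure DevOps
    # upper-cases variable names and turns '.' and ' ' into '_' when mapping to env.
    $envName = $Name.ToUpperInvariant() -replace '[. ]', '_'
    $item = Get-Item -Path "env:$envName" -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.Value }

    throw "Secret '$Name' was neither passed as -SecretValue nor mapped as env:$envName. " +
          "Add it to the task's env: block or arguments."
}

$value = Resolve-PipelineSecret -Name $secretName -Passed $SecretValue

# Use $value (e.g. pass it to a tool); do not echo it. It is still masked by the agent
# because it originated from a secret variable.
Write-Host "Resolved secret '$secretName' ($($value.Length) chars)"
```

Option A is the simplest fit for the question: the pipeline author still has to write the real secret name once, but only in the task definition, while the script file stays reusable across pipelines.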


If anyone comes across this in the future and is looking for a bash alternative, I ended up being able to do this with the following command

$(az keyvault secret show --name "${secret_name}" --vault-name "${vault_name}" --query "value" | sed "s/\"//g")

This lets you get the value of the vault secret and use it wherever. The sed at the end is needed to drop the " that gets pulled out from the query
