3

I'm using the AzureKeyVault task to retrieve a secret from the Key Vault. The name of the secret is StorageAccountKey. This name is stored in the variable KeyName. I do it like this:

- task: AzureKeyVault@1
  displayName: 'Get key'
  name: GetKey
  inputs:
    azureSubscription: '${{ parameters.azureSubscription }}'
    KeyVaultName: '$(KeyVaultName)'
    SecretsFilter: '$(KeyName)'

Now, in a subsequent task, I would like to access the secret. How would I do that, given that the name of the secret is itself stored in a variable? The following does not seem to work:

- task: Bash@3
  displayName: Create container
  inputs:
    targetType: 'inline'
    script: |
      az storage container create \
          --name raw \
          --account-name storageaccountname \
          --account-key $($(dataLakeAccountKeyKeyName))
    failOnStderr: true

I'm getting the error

/mnt/azp/azp-linux1_5/_temp/6719378a-b3ee-45d8-aad8-4f6a5e8b581e.sh: line 1: StorageAccountKey: command not found
ERROR: az storage container create: error: argument --account-key: expected one argument

So, it does seem to resolve the inner variable but still fails.

1
  • Hi friend, any update for this issue? Please check if Kontekst's answer helps to resolve your issue. As far as I know, no matter whether you use the Azure Key Vault task or the Variable Group way, you can then use $(SecretName) to get the value after them. Let me know if the issue persists :) Commented Jan 1, 2020 at 10:02

3 Answers

3

I also struggled to get this done and this has worked for me:

steps:
  - task: AzureKeyVault@1
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      KeyVaultName: ${{ parameters.azureKeyVaultName }}
      SecretsFilter: '*'
      RunAsPreJob: true

  - bash: |
      #I can now use ${GCP_CREDS}
    displayName: GCP auth
    env:
      GCP_CREDS: $(${{ parameters.azureKeyVaultCredentailsKey }})

0

Try using:

--account-key $(StorageAccountKey)

From the "Azure Key Vault task" documentation:

"Values are retrieved as strings. For example, if there is a secret named connectionString, a task variable connectionString is created with the latest value of the respective secret fetched from Azure key vault. This variable is then available in subsequent tasks."

So if you access a secret named "StorageAccountKey" in Azure Key Vault, then Azure DevOps creates a variable called "StorageAccountKey" from it.

0

Not sure if you got the answer to the question, but yes, if you know the Key Vault's key name is StorageAccountKey, then once the Key Vault task has finished, just use the variable $(StorageAccountKey) directly from the PowerShell script.

az storage container create \
          --name raw \
          --account-name storageaccountname \
          --account-key $(StorageAccountKey)

Or, though I am not sure if it's feasible, as sometimes it does not allow the same syntax to be executed, maybe try this if you insist on using a variable. Assume the variable KeyName holds the name of the secret, i.e. the string value StorageAccountKey:

az storage container create \
          --name raw \
          --account-name storageaccountname \
          --account-key $((Get-Variable -name $KeyName).Value)

This was tested with a sample PowerShell program:

$mm = 'bb'
$bb = "aa"

Write-Output "$((Get-Variable -name $mm).Value)"

The output is aa for the above code.
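
The indirect lookup by name that the answers discuss, carried over to the Bash step from the question, as an added example that is not part of the original posts. It assumes the secret has been mapped into the step's environment (as the `env:` block in the first answer does), uses a constructed key value, and `lookup_by_name`, `count_args_broken` and `count_args_fixed` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed stand-ins for values a pipeline step would receive through an
# env: mapping; the key below is made up, not a real credential.
export StorageAccountKey='constructed-not-a-real-key=='
KeyName='StorageAccountKey'

# The script text that reached the shell in the question was
#   --account-key $(StorageAccountKey)
# To sh/bash, $(...) is command substitution: it tries to run a program named
# StorageAccountKey, gets no output, and the option is left without a value.
count_args_broken() {
    # shellcheck disable=SC2046  # unquoted on purpose, to mirror the question
    set -- --account-key $(StorageAccountKey 2>/dev/null)
    echo "$#"
}

# Read the variable whose name is stored in $1. Only a plain identifier is
# accepted; that check is what keeps the eval from running injected text.
lookup_by_name() {
    name=$1
    case $name in
        '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*)
            echo "lookup_by_name: invalid variable name" >&2
            return 2 ;;
    esac
    if ! eval "[ \"\${$name+set}\" = set ]"; then
        echo "lookup_by_name: $name is not set" >&2
        return 1
    fi
    eval "printf '%s' \"\${$name}\""
}

# Same option built from the looked-up value, quoted so it stays one argument.
count_args_fixed() {
    key=$(lookup_by_name "$KeyName") || return 1
    set -- --account-key "$key"
    echo "$#"
}

# Print argument counts only, never the secret itself.
echo "broken: $(count_args_broken) argument(s), fixed: $(count_args_fixed) argument(s)"
```

The broken form yields one argument, which is why az reports "expected one argument"; the fixed form yields two.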
