
We have certain functional tests that rely on some secrets. Those secrets are obtained from an Azure Key Vault (AKV). To connect from the build agent, I am using environment variables and Azure.Identity.

I set those env variables on the build agent machine using PowerShell. When I use non-secret pipeline variables everything works, but when I switch to a secret pipeline variable for AZURE_CLIENT_SECRET, the authentication starts to fail.

I tried the approach of using a script to set the environment variable from secret pipeline variable, but it does not work.

I also tried the approach mentioned here but that does not work either.

Any suggestions on how to set an environment variable using secret pipeline variables?

2 Answers


Any suggestion on how to set an environment variable using secret pipeline variables?

If you set a secret variable in the pipeline (Variables pane of the pipeline editor):

Then use the script's environment, or map the variable within the variables block, to pass the secret to your pipeline, as in the script below. See: Set secret variables for details.

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "Using the mapped env var for this task works and is recommended: $env:MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(PAT) # the recommended way to map to an env variable

If you use an Azure Key Vault variable, we create a secret (PAT) in the Azure Key Vault.

Then we can link secrets from the Azure Key Vault in a variable group.

Now we can use this variable group in the script below. See: Reference secret variables in variable groups for details.

variables: 
- group: 'AKVgroup' # variable group

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "Using the mapped env var for this task works and is recommended: $env:MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(PAT) # the recommended way to map to an env variable

The other way is to use the Azure Key Vault task, as in the script below. See: Use secrets from Azure Key Vault in Azure Pipelines for details.

- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'ARM'   # service connection with read access to the vault
    KeyVaultName: 'edwardkey'
    SecretsFilter: '*'         # '*' fetches every secret in the vault; list only the secrets the job needs
    RunAsPreJob: true          # run before every other step so the secrets are available to all of them

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "Using the mapped env var for this task works and is recommended: $env:MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(PAT) # the recommended way to map to an env variable

3 Comments

Edward, I am not using the AKV task because that is limited to the build pipeline. I already mentioned in the question that the approach mentioned in the "Set secret variables" document is not working. I also cannot use variable groups because I do not want that variable to be available to other pipelines.
If your secret variable is stored in Azure Key Vault, using a variable group is the recommended way to manage it. And you could uncheck the "Allow access to all pipelines" option in the variable group so other pipelines cannot access this variable group, and follow this doc learn.microsoft.com/en-us/azure/devops/pipelines/library/… to manage variable group permissions.
@EdwardHan-MSFT This is really the best full answer out there thanks, just wish there's a way to "import" multiple secrets at once so we can parameterize this.. and share the "extract secrets" portion across multiple repos
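The mapping the first answer recommends, applied to the asker's case, as an added example that is not part of the original question or answers. Secret pipeline variables are never placed in the environment automatically, so a script that merely reads $env:AZURE_CLIENT_SECRET sees nothing; the secret has to be mapped into the environment of each step that needs it with an env: block. Azure.Identity's EnvironmentCredential (used by DefaultAzureCredential) reads AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, so those are the names mapped here. The pipeline variable names azureTenantId, azureClientId and azureClientSecret (the last one marked secret in the Variables pane), the windows-latest pool and the test project glob are assumptions for the example:

```yaml
# Added example, not from the original thread. Assumes pipeline variables
# azureTenantId, azureClientId (plain) and azureClientSecret (secret) exist.
trigger: none

pool:
  vmImage: 'windows-latest'

steps:
# WEAK (what the question describes): writing the secret to a machine-level
# environment variable from a script. This persists the secret in plain text
# on the agent, and later steps still do not see it, because they inherit the
# environment of the already-running agent process, not the registry value.
# - task: PowerShell@2
#   inputs:
#     targetType: 'inline'
#     script: |
#       [Environment]::SetEnvironmentVariable('AZURE_CLIENT_SECRET', '$(azureClientSecret)', 'Machine')

# CORRECT: map the secret into the environment of the step that needs it.
# The mapping is scoped to this step's process tree, so anything the step
# launches (e.g. the test host) inherits it.
- task: PowerShell@2
  displayName: 'Check credential env vars are present (without printing them)'
  inputs:
    targetType: 'inline'
    script: |
      foreach ($name in 'AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET') {
        $value = [Environment]::GetEnvironmentVariable($name)
        if ([string]::IsNullOrEmpty($value)) {
          Write-Host "##vso[task.logissue type=error]$name is not set for this step"
          exit 1
        }
        # Log only the length. The agent masks the exact secret in logs,
        # but never echo the value itself.
        Write-Host "$name is set ($($value.Length) chars)"
      }
  env:
    AZURE_TENANT_ID: $(azureTenantId)
    AZURE_CLIENT_ID: $(azureClientId)
    AZURE_CLIENT_SECRET: $(azureClientSecret)

# The env mapping is per step, so it is repeated on the step that actually
# runs the functional tests whose startup code calls DefaultAzureCredential.
- task: DotNetCoreCLI@2
  displayName: 'Run functional tests'
  inputs:
    command: 'test'
    projects: '**/*FunctionalTests.csproj'   # assumed project name
  env:
    AZURE_TENANT_ID: $(azureTenantId)
    AZURE_CLIENT_ID: $(azureClientId)
    AZURE_CLIENT_SECRET: $(azureClientSecret)
```

Because the mapping is declared on the step rather than on the agent machine, nothing is persisted on the agent, the secret is only present in the processes of the two steps that need it, and the variable stays confined to this pipeline rather than being shared through a variable group.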

If you explicitly pass the secret to the script as a parameter, then the script will have access to it. If you want to then use that to set an environment variable for use in later scripts, you can use a different environment variable name and have the script publish the one you want available in subsequent scripts. That sort of defeats the purpose of it being secret, but if that's what you want.

1 Comment

Simon, I am not using them later in the script in the yml file but in the service startup code for the functional tests. The default identity looks for the environment variables as mentioned here: learn.microsoft.com/en-us/dotnet/api/overview/azure/…
