Azure-devops-docs: Provide documentation on how to pass Azure Key Vault secrets into this task

Created on 26 Feb 2019 · 10 Comments · Source: MicrosoftDocs/azure-devops-docs

We have Azure Key Vault linked to Variable Group in our Release Pipeline, the variables are correctly scoped to the stage we are trying to use the Azure CLI Task in.

After many iterations of trying to get the task to accept secrets as arguments we've given up. Errors are always something along the lines of "can't use '*'".

Most tasks have an "Environment Variable" option (e.g. Bash Task), but the Azure CLI Task does not have this option.

Again: please provide example documentation on how to consume secrets as arguments.

BETTER YET: Allow environment variables to be defined just like Bash Task

SIDE NOTE: This is all in Azure DevOps Release Pipeline so we can't just "do it in YAML" as Azure DevOps Release Pipelines do not support modifying the YAML, nor do they support release pipelines defined in YAML.

UPDATE: Azure documentation states:

>It is recommended that you use the script's environment in order to pass secrets to the script

Pri2 devopprod doc-bug

All 10 comments

@N-Usha - can you please take a look?

When you use a variable group linked with an Azure KV in a release pipeline, a task variable is created with the latest value of the respective secret fetched from Azure Key Vault. This variable is then available in subsequent tasks. And this is true with the Azure CLI task as well, which you could use in the script or pass in the "Arguments" field. Could you please confirm if that helps? Thanks

This doesn't work for me... the value is passed as "*"

> When you use a variable group linked with an Azure KV in a release pipeline, a task variable is created with the latest value of the respective secret fetched from Azure Key Vault. This variable is then available in subsequent tasks. And this is true with the Azure CLI task as well, which you could use in the script or pass in the "Arguments" field. Could you please confirm if that helps? Thanks

You've just described the problem. This doesn't work. The value is passed as "*"

Hi, thanks, yes it is working. The * is just DevOps masking the actual value in the output. Thanks again.

Just my $.02, but I think the original purpose of the OP is still very valid and needed. All the docs for this feature basically say "Pull your secrets and they'll just work later down the line", but that's not the case for complex, multi-stage pipelines. If someone were to take the time to do a write-up on how to use this with multiple stages and things like SQL script deployments, that would be invaluable.

Edit:
As this suggests my issue ended up being nested variables: https://stackoverflow.com/questions/56795483/azure-devops-release-pipeline-variable-nested-composed-expression
I'm not sure how to submit a request to get that working; nested variables are pretty necessary in this kind of thing. Various articles suggest something like $(variable1_$(variable2)) should work as well. Should probably get support for that rolled in.

Edit 2:
This was a great article with a reasonable workaround for nested vars: https://stackoverflow.com/questions/56194458/is-it-possible-to-conditionally-set-the-artifact-name-in-my-azure-devops-build-p/56215166#56215166
One other thing that's noteworthy: these don't persist properly from job to job, so make sure your PowerShell step and deploy step are in the same job.

Hi,

Using a KV secret in the "Azure SQL Task" inline script doesn't work.
E.g. this is the Azure SQL Task inline script:

```sql
CREATE USER username WITH password='$(db-password)';
ALTER ROLE db_owner ADD MEMBER username;
```

The $(db-password) is the value stored in the key vault, but it doesn't expand properly.
I've tried creating a new variable in a previous step in a PowerShell task with that value:

```powershell
write-host "##vso[task.setvariable variable=dbpassword;isSecret=false;]$(db-password)"
```

… but it's still not working.

Any suggestions?

Thanks,

@evmimagina - Can you please clarify how you are fetching secrets from KV? Can you please refer to our docs for variable groups linked with Azure Key Vault and confirm if that helps your scenario?

Hi @N-Usha,

I'm fetching secrets from an Azure DevOps task using this sort of task:
https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/AzureKeyVaultV1/README.md
I'm not using variable groups, hence the documentation you provided doesn't clarify anything regarding the issue I have… I'd rather not use variable groups or connect Azure DevOps to the KV directly, as I'm provisioning the KV in previous tasks using Terraform.

For the time being I have a workaround for this exact scenario (the "Azure SQL In-line Script"); I execute the following PowerShell task:

```yaml
steps:
- powershell: |
    write-host "##vso[task.setvariable variable=db-password;isSecret=false;]$env:secret"
  displayName: 'PowerShell Script - WA Parse DB pass'
  env:
    secret: $(appdbowner)
```

Now I'm trying to fetch secrets for a Bash Script task, but the WA I've applied for the previously described scenario doesn't work in this case :(

The point is, in my opinion, it's a nightmare to try to use secrets from the Azure DevOps service using the "Azure Key Vault Task"… Any help on these scenarios please?

Many thanks and best regards,

@evmimagina I can figure out one way where you have your KV managed by Terraform and still use the AzureKeyVault task to download secrets for an inline SQL script without explicitly linking, by using Service Principals. These are the steps I followed to get this working:

  • One-time setup:
  1. Create a Service Principal using az cli: `az ad sp create-for-rbac -n <some name>`. The output will be of the following format:
    { "appId": "<guid>", "displayName": "name", "name": "http://name", "password": "<guid>", "tenant": "<tenantid>" }

  2. Using appId from the previous output, execute the command `az ad sp show --id "appId" --query "objectId"`. The output will be a GUID. We will define an access policy in the Terraform configuration for this objectId to have the required permissions to read from KV. At minimum, _"get"_ and _"list"_ permissions are needed on the required type, i.e., keys, secrets or certificates.

  3. Using the information from Step 1, create a new Service connection of type Azure Resource Manager in ADO. Click on "use the full version of service connection dialog" and select "Allow all pipelines to use this connection" as shown.

[Screenshot: service connection dialog (sc_dialog)]

  • Pipeline and Terraform file.

I have used the following tf file and pipeline YAML to deploy the KV using Terraform tasks and create the user. It is not necessary for the KV to exist before the pipeline executes. I have my tf file at _srcroot_/terraform/main.tf. Please change the path as it suits. Files are renamed to txt to allow uploads. In the KV task, use the name of the service connection created in Step 3 of the one-time setup as the input to azureSubscription.

  1. azure-pipelines.yml
  2. main.tf

Do let us know if this works for you.
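As an added example, not part of the thread or the attached files, this pipeline fragment ties together the AzureKeyVault task fed by the Step 3 service connection (above) and the docs' recommendation (quoted in the opening post) to hand secrets to the Azure CLI task through the script's environment rather than the "Arguments" field. The service connection name `kv-reader-sc`, vault name `example-kv` and secret name `db-password` are assumed placeholders.

```yaml
# Added example (assumed names: service connection 'kv-reader-sc',
# vault 'example-kv', secret 'db-password').
steps:
# 1. Pull the secret into a pipeline variable. Values that come from
#    Key Vault are flagged secret automatically, so the log shows them
#    as asterisks; that is masking, not an empty value.
- task: AzureKeyVault@1
  displayName: 'Fetch db-password from Key Vault'
  inputs:
    azureSubscription: 'kv-reader-sc'
    KeyVaultName: 'example-kv'
    SecretsFilter: 'db-password'

# 2. Pass it to the script via the environment, not via 'arguments'
#    or string interpolation, so it never lands on a command line
#    (visible in process listings) or in the task's echoed command.
- task: AzureCLI@2
  displayName: 'Use the secret from the environment'
  inputs:
    azureSubscription: 'kv-reader-sc'
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      set -euo pipefail
      # Verify the value arrived without ever printing it.
      if [ -z "${DB_PASSWORD:-}" ]; then
        echo "##vso[task.logissue type=error]DB_PASSWORD is empty"
        exit 1
      fi
      echo "db-password received (${#DB_PASSWORD} characters)"
      # Use "$DB_PASSWORD" in az commands here; do not echo it.
  env:
    DB_PASSWORD: $(db-password)
```

Re-publishing the value with `isSecret=false`, as in the PowerShell workaround earlier in the thread, switches log masking off for that variable, so keep the secret flag if the variable has to be re-emitted.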
