
Referencing Azure Key Vault secrets from CI/CD YAML

We have a multi-stage YAML pipeline that does CI/CD to an existing set of Azure Resources

The stages are

  1. Build
  2. Deploy to Development and Run Tests
  3. If Previous succeeded - Deploy to Production and Run Tests

We use the AzureRmWebAppDeployment task during the deployment stages, and we use the AppSettings argument of that task to specify environment-specific settings. For example:

- task: AzureRmWebAppDeployment@4
  displayName: 'Deploy Azure App Service'
  inputs:
    azureSubscription: '$(azureSubscriptionEndpoint)'
    appType: '$(webAppKind)'
    WebAppName: 'EXISTING__AZURE_RESOURCENAME-DEV'
    Package: '$(Pipeline.Workspace)/**/*.zip'
    AppSettings: >
      -AzureAd:CallbackPath /signin-oidc
      -AzureAd:ClientId [GUID was here]
      -AzureAd:Domain [domain was here]
      -AzureAd:Instance https://login.microsoftonline.com/
      -AzureAd:TenantId [Id was here]
      -EmailServer:SMTPPassword SECRETPASSWORD
      -EmailServer:SMTPUsername SECRETUSERNAME

There are two settings in that set, EmailServer:SMTPUsername and EmailServer:SMTPPassword, that I want to pull from an Azure Key Vault. I know how to reference the Key Vault secret from the Azure Portal using the syntax

@Microsoft.KeyVault(SecretUri=https://our.vault.azure.net/secrets/SendGridPassword/ReferenceGuidHere)

but how do I reference the value from the YAML pipeline so it is set in Azure?

As pointed out by Thomas in a comment, I can explicitly set the value in the YAML file like this:

-EmailServer:SMTPPassword @Microsoft.KeyVault(SecretUri=https://our.vault.azure.net/secrets/SendGridPassword/ReferenceGuidHere)

You need to set an AzureKeyVault@1 task with RunAsPreJob set to true. This will make your Key Vault values available as environment variables for the CI/CD job, so you can use them as $(KEY-OF-SECRET-VALUE) in the rest of your stages in the job.

The following piece of YAML is a working example. We set, for Python unittest, a set of environment variables provided from Azure Key Vault:

trigger:
  batch: true # disable concurrent build for pipeline
  branches:
    include:
    - '*'  # CI start for all branches

pool:
  vmImage: ubuntu-16.04

stages:

- stage: Test
  jobs:
  - job: sample_test_stage
    steps:
    - task: AzureKeyVault@1
      inputs:
        azureSubscription: 'YOUR SUBSCRIPTION HERE'
        KeyVaultName: 'THE-KEY-VAULT-NAME'
        SecretsFilter: '*'
        RunAsPreJob: true
    - task: UsePythonVersion@0
      inputs:
        versionSpec: '3.7'
    - script: python -m unittest discover -v -s tests
      displayName: 'Execute python unittest'
      env: { MY-ENV-VAL-1: $(SECRET-VALUE-1), MY-ENV-VAL-2: $(SECRET-VALUE-2)}

Note that sometimes you need to approve the connection between Azure DevOps and another Azure service like Key Vault.
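Putting the two answers together, here is an added example (not code from the question or either answer) of a deploy stage that keeps the SMTP secrets out of the pipeline YAML entirely, using Key Vault references in AppSettings. The vault name (our-vault), secret names (SmtpUsername, SmtpPassword) and the job name are placeholders; the web app name and variables are taken from the question.

```yaml
# Added example, not from the original post. Placeholders: our-vault,
# SmtpUsername, SmtpPassword. Everything else mirrors the question's task.
- stage: Deploy_Dev
  jobs:
  - job: deploy_dev
    steps:
    # Only needed when a step must see the secret VALUE (e.g. to run
    # tests against the SMTP server). The secrets become masked pipeline
    # variables such as $(SmtpPassword). The deployment task below does
    # not use them, so the pipeline never handles the password itself.
    - task: AzureKeyVault@1
      inputs:
        azureSubscription: '$(azureSubscriptionEndpoint)'
        KeyVaultName: 'our-vault'                   # placeholder
        SecretsFilter: 'SmtpUsername,SmtpPassword'  # narrower than '*'
        RunAsPreJob: true

    - task: AzureRmWebAppDeployment@4
      displayName: 'Deploy Azure App Service'
      inputs:
        azureSubscription: '$(azureSubscriptionEndpoint)'
        appType: '$(webAppKind)'
        WebAppName: 'EXISTING__AZURE_RESOURCENAME-DEV'
        Package: '$(Pipeline.Workspace)/**/*.zip'
        # App Service resolves these references at runtime; only the
        # reference string, not the secret, is stored in app settings.
        # Two equivalent syntaxes are shown. The version-less SecretUri
        # (trailing slash) always resolves to the latest secret version,
        # so rotating the secret needs no redeploy.
        AppSettings: >
          -AzureAd:CallbackPath /signin-oidc
          -EmailServer:SMTPUsername @Microsoft.KeyVault(VaultName=our-vault;SecretName=SmtpUsername)
          -EmailServer:SMTPPassword @Microsoft.KeyVault(SecretUri=https://our-vault.vault.azure.net/secrets/SmtpPassword/)
        # Avoid: -EmailServer:SMTPPassword $(SmtpPassword)
        # That would write the plaintext value into the App Service
        # configuration instead of a reference to the vault.
```

For the references to resolve, the web app's managed identity must be granted read access to secrets on the vault (an access policy with Get, or the Key Vault Secrets User role); the pipeline's service connection needs vault access only for the AzureKeyVault@1 task.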
