Azure Key Vault is a powerful service provided by Microsoft Azure that allows you to securely store and manage sensitive information such as API keys, passwords, and connection strings. Azure Pipelines, on the other hand, is a versatile CD platform offered by Azure. By integrating Azure Key Vault secrets into Azure Release Pipelines, you can enhance the security of your CD processes and ensure that sensitive information is protected.

In this blog post, we will guide you through the process of leveraging Azure Key Vault secrets in Azure Release  Pipelines, enabling you to securely retrieve and use them in your CD workflows.

Prerequisites

  1. Azure Subscription.
  2. Azure DevOps Organization

Table of Contents

  1. Setting up Azure Key Vault
    • Create an azure key vault in Azure Portal
    • Add Secret in the key vault
  2. Create Azure Service Connection in DevOps
    • Setting up Service Connection in Azure Pipeline
    • Linking Service Connection to key vault 
  3. Retrieve key vault value in Azure Release Pipeline Variable
    • Create Variable Group In Library and Add Variables from Key Vault.

Setting up Azure Key Vault

  • Create an azure key vault in Azure Portal
    • From azure portal in search Box type  Key Vault 

    • On the Key Vault Section Click on Create.

    • Now Create Key Vault Resource by filling all required fields.
    • After complete creation process click on Key vault resource which one create recently and it’s look like as below screenshot

  • Add Secret in the key vault
    • Open key vault resource created in above step
    • Click on Secrets option in left side menu panel
    • Click on the Generate button at top left to generate new secret and provide necessary information.

Create Azure Service Connection in DevOps

  • Setting up Service Connection in Azure Pipeline
    • Open DevOps Organization in which you want to grab secrets.
    • Now open Project Settings > Pipelines > Service Connections.

    • Click on New service connection at top right side of page
    • Select Azure Resource Manager > Next

    • Provide the following parameters and create connections.
      • Subscription
      • Resource Group
      • Connection Name
  • Linking Service Connection to key vault (give security Permission)
    • Open Azure Portal and move towards your Key Vault
    • At left menu click on Access Policies

    • click on Create to create Access Policy
    • In Configuration from template select Secret Management
    • Grant Permission for Get & List from Permission section click next button

    • Now select Application for your Azure DevOps Subscription and complete process.
    • Retrieve key vault value in Azure Release Pipeline Variable (see the next section)

Retrieve key vault value in Azure Release Pipeline Variable

  • Create Variable Group In Library and Add Variables from Key Vault.
    • Go to project in DevOps > Pipelines > Library

    • Create Variable Group
      • Provide Variable Group Name & description 
      • Turn on Radio button of  “Link secrets from an Azure key vault as variable” (bubble point 1 in below image)
    • Provide necessary information about Azure Subscription & Key Vault Name

    • Click on Add at bottom to add secrets as variables (bubble point 2 in the above image).
    • Now you can use this variable in your release pipeline to replace value in config or appsetting file during deployment.

Conclusion

Integrating Azure Key Vault secrets into Azure Release Pipelines provides a secure and convenient way to manage sensitive information during your CD processes. By following the step-by-step instructions outlined in this blog post, you can leverage the capabilities of Azure Key Vault to safeguard your secrets and avoid exposing them in your pipeline configurations or source code. With this approach, you can enhance the overall security posture of your applications and ensure the confidentiality of critical information.

Mr. Hitesh Jariwala