2
votes

We have an Azure Key Vault task in our release pipeline which downloads some secrets for use in the stage.

In an Inline Azure PowerShell script you can just use the following to get the secret value:

$secretValue = $(nameOfTheSecretInKeyVault)

This works fine.

However we want to move to using scripts in the repo, i.e. pointing the DevOps task to a file path, e.g. /somePath/myScript.ps1

So I would need to parameterise the above line of code, as I cannot just change the name in the inline script like I'm currently doing, but I can't get it to work.

I have tried:

$compositeName = "${someParameter}-Application"
$secretValue1 = $($compositeName)
$secretValue2 = $("${compositeName}")
$secretValue3 = env:$compositeName
$secretValue4 = $(${compositeName})

The top line is just building up the name of the secret which it needs to look for. Unfortunately none of these work. Attempt #1, #2 and #4 come back with the string name only, not having actually got the secret value, and #3 errors saying it doesn't exist.

Is there a way to achieve this, or do I simply need to parameterise the secret and pass it into the script from the ADO task?

5 Answers

2
votes

Like you, I couldn't figure out a way to access the variables that the log says are loaded by the Download secrets task of the job. It did work in inline mode, but not a chance with a script file.

So instead I leveraged the existing wiring (variable group linked to my KeyVault) and just run the command myself at the start of my script:

$mySecretValue = (Get-AzKeyVaultSecret -VaultName "myVault" -Name "mySecret").SecretValueText

From there I could use it as any other variable.

2
votes

Either run your KeyVault tasks first, before your PowerShell script, or do it all in PowerShell.

You will need to create a service connection to your Azure subscription from Azure DevOps. Allow the service connection to access the KeyVault. Access the KeyVault from PowerShell or Azure CLI.

E.g. for PowerShell:

(Get-AzKeyVaultSecret -vaultName "Contosokeyvault" -name "ExamplePassword").SecretValueText

Here is a detailed walkthrough.
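The two answers above both read the secret from Key Vault inside the script rather than relying on $(...) substitution. Carried through as a script file, as an added example that is not code from either answerer: the script receives the vault name and the parameter the secret name is built from, fetches the secret itself with Az.KeyVault, and fails clearly when the secret is missing. It assumes the Azure PowerShell task has already signed in with a service connection that has "get" permission on secrets; the script, function and parameter names are hypothetical.

```powershell
# Hypothetical script file, e.g. /somePath/Get-SecretByName.ps1 (added example,
# not code from the answers). Run it from an Azure PowerShell task so that the
# Az context is already authenticated via the service connection.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $VaultName,
    [Parameter(Mandatory)] [string] $SomeParameter,  # the part of the secret name that varies
    [string] $Suffix = 'Application'                 # "<someParameter>-Application" as in the question
)

$ErrorActionPreference = 'Stop'

function Get-KeyVaultSecretValue {
    param(
        [Parameter(Mandatory)] [string] $Vault,
        [Parameter(Mandatory)] [string] $Name
    )

    # Az.KeyVault 2.x removed the SecretValueText property and added -AsPlainText;
    # pick whichever the installed module supports instead of assuming a version.
    $cmd = Get-Command -Name Get-AzKeyVaultSecret
    if ($cmd.Parameters.ContainsKey('AsPlainText')) {
        $value = Get-AzKeyVaultSecret -VaultName $Vault -Name $Name -AsPlainText
    }
    else {
        $value = (Get-AzKeyVaultSecret -VaultName $Vault -Name $Name).SecretValueText
    }

    # A secret that does not exist comes back as $null rather than an error, so check for it.
    if ([string]::IsNullOrEmpty($value)) {
        throw "Secret '$Name' was not found in vault '$Vault' (or the service connection lacks 'get' permission)."
    }
    return $value
}

# Compose the secret name at runtime, which is what $(...) macro syntax cannot do in a script file.
$secretName  = "$SomeParameter-$Suffix"
$secretValue = Get-KeyVaultSecretValue -Vault $VaultName -Name $secretName

# Register the value as a secret pipeline variable so the agent masks it in logs
# and later tasks in the same job can consume it as $(<secretName>).
Write-Host "##vso[task.setvariable variable=$secretName;issecret=true]$secretValue"

# $secretValue can now be used like any other variable in the rest of the script.
```

The task would be pointed at the file and given arguments such as -VaultName myVault -SomeParameter $(someParameter); the secret name itself never has to appear in the task definition.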

0
votes

There is also native Key Vault integration now, so you can just have your keys read in as a variable group transparently, no Key Vault-specific PowerShell code required.

https://docs.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#link-secrets-from-an-azure-key-vault

0
votes

One way to tackle this would be to add a parameter for your script to pass the release variable in when you call it, something like -secretValue $(nameOfTheSecretInKeyVault)

You should be able to use $env:nameOfTheSecretInKeyVault, but remember that . becomes _

EDIT: Looking at your question again, if you used env:$nameOfTheSecretInKeyVault you would have had an issue. It's $env:<variable_name>
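The $env: approach in this answer, carried through for a name that is only known at runtime, as an added example that is not the answerer's code. It applies the dot-to-underscore rule the answer mentions, shows why $env: followed by a hyphenated name does not parse the way one expects, and fails with a clear message when the variable was never published to the environment. It assumes the calling task maps the variable into the environment (secret variables, including those loaded from Key Vault, are not placed in the environment unless the task maps them explicitly, for example through an env: section or by passing them as a script argument); the parameter and function names are hypothetical.

```powershell
# Added example (not code from the answer): resolve a pipeline variable whose
# name is assembled at runtime through the environment instead of $(...) macros.
# Assumes the calling task has mapped the variable into the environment; the
# parameter and function names are hypothetical.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $SomeParameter
)

function Get-PipelineVariable {
    param([Parameter(Mandatory)] [string] $Name)

    # Azure Pipelines publishes variables to the environment with '.' replaced by '_'
    # and the name upper-cased. Windows agents look env vars up case-insensitively,
    # Linux agents do not, so upper-casing keeps the lookup working on both.
    $envName = ($Name -replace '\.', '_').ToUpperInvariant()

    # Note: "$env:my-secret" parses as ($env:my) - (secret). When the name contains
    # a hyphen, go through the env: drive with Get-Item (or use ${env:my-secret}).
    $item = Get-Item -Path "env:$envName" -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        throw ("Variable '$Name' is not in the environment as '$envName'. " +
               "Secret variables are only available here if the task maps them explicitly.")
    }
    return $item.Value
}

# Same composite name as the question: "<someParameter>-Application"
$compositeName = "$SomeParameter-Application"
$secretValue   = Get-PipelineVariable -Name $compositeName

# Do not echo the value itself; the agent only masks secrets it knows about,
# and derived forms (length, substring, hash) still leak information.
Write-Host "Resolved variable '$compositeName' from the environment."
```

Calling this with -SomeParameter Dev resolves the variable DEV-APPLICATION from the environment, which is where the question's four attempts could not get to because $(...) is expanded by the task before the script runs and $env: is the only runtime lookup available inside a script file.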

0
votes

If anyone comes across this in the future and is looking for a bash alternative, I ended up being able to do this with the following command:

$(az keyvault secret show --name "${secret_name}" --vault-name "${vault_name}" --query "value" | sed "s/\"//g")

This lets you get the value of the vault secret and use it wherever. The sed at the end is needed to drop the " that gets pulled out from the query.