0
votes

I have an Azure Key Vault defined with secrets which I can access in a DevOps build pipeline using the "Azure KeyVault" task. Now I need to pass the secret variable to a Python inline script.

Since it is encrypted, Python cannot read the value directly. How can I decrypt and pass them? The secret holds a Databricks access token. We are trying to create a Databricks cluster using a DevOps pipeline.

My Yaml has following tasks

  1. Azure KeyVault
  2. Powershell to convert secret to variable - https://github.com/Microsoft/azure-pipelines-tasks/issues/8345
  3. Python inline script with argument. For the argument, I tried the actual secret name as $(secretname) and it printed ***. Then I tried referring to the environment variable created in PowerShell, and Python passed the variable name as is.

I tried the following.

  1. Use PowerShell to convert from secrets to environment variables. I tried to first convert the secret to a variable using this link - https://github.com/Microsoft/azure-pipelines-tasks/issues/8345 . When called in Python as an argument, instead of passing the secret value it passed the name of the variable with the $ symbol inside Python.

  2. We do not want to use variable groups due to some restrictions

Edit: Updated to add more details.

1
Actually, the data is encrypted at rest and in transit, whenever you USE the value inside the Pipeline it should be visible to your Python code but not visible for printing exhibiting on the output screen. Let me know if this works for you. - Roberto Borges

"But this also is throwing some error." If you want help resolving an error, the most important thing you can do is tell people what the actual error is. - Daniel Mann

1 Answers

1
votes

The task can be used to fetch the latest values of all or a subset of secrets from the vault, and set them as variables that can be used in subsequent tasks of a pipeline

As described above for the Azure Key Vault task, you can directly use the secrets from Azure Key Vault by wrapping them in "$(secretname)" in the Python scripts. You do not need an extra PowerShell task to convert them to environment variables.

When you print it out in the console, it will be encrypted and output "***" for security reasons. But the actual value of the secret is visible to your code.

I tested with the example Python script below to confirm that the secret value can be accessed in the Python script.


I created a test Key Vault with a secret named "Password" and its value is "123456789". The Python script task output "111111" in the console, which confirms that the secret is visible to the Python script.


You can follow the detailed steps in this document to use the secret from keyvault.
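
An added example, not part of the original answer: a Python script body that takes the Key Vault secret from an explicitly mapped environment variable and rejects the unexpanded `$(name)` text the question describes, confirming arrival without printing the value. The secret name `databricks-token`, the variable `DATABRICKS_TOKEN`, the service connection and vault placeholders, and the helper names are assumptions.

```python
"""Added example. Pipeline wiring it assumes (all names are placeholders):

  - task: AzureKeyVault@1
    inputs:
      azureSubscription: '<service-connection>'
      KeyVaultName: '<vault-name>'
      SecretsFilter: 'databricks-token'
  - task: PythonScript@0
    inputs:
      scriptSource: 'inline'
      script: |
        ...this file's contents...
    env:
      DATABRICKS_TOKEN: $(databricks-token)  # secrets are not exported to env automatically
"""
import hashlib
import os
import re

# Azure Pipelines leaves "$(name)" untouched when no variable of that name
# exists at expansion time, so the script receives the macro text itself.
_UNEXPANDED = re.compile(r"^\$\([^)]+\)$")


def load_secret(env_name, environ=None):
    """Return the secret mapped into env_name, or raise with a non-sensitive reason."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_name)
    if value is None or value.strip() == "":
        raise RuntimeError(f"{env_name} is not set; map it under the task's env: block")
    if _UNEXPANDED.match(value.strip()):
        raise RuntimeError(f"{env_name} holds an unexpanded macro; check the secret name")
    return value.strip()


def fingerprint(secret):
    """Short SHA-256 prefix for logs; only suitable for high-entropy tokens."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:8]


if __name__ == "__main__":
    # Constructed sample environment; in the pipeline call load_secret("DATABRICKS_TOKEN").
    sample = {"DATABRICKS_TOKEN": "dapi-constructed-sample", "BROKEN": "$(databricks-token)"}
    token = load_secret("DATABRICKS_TOKEN", sample)
    print("token received, sha256 prefix:", fingerprint(token))
    try:
        load_secret("BROKEN", sample)
    except RuntimeError as exc:
        print("rejected:", exc)
```

Mapping the secret through `env:` keeps it out of the script text and the process argument list, which the `$(secretname)` macro and the `arguments` input do not.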