2
votes

The usual way to create a connection string in appsettings.json is:

{    
  "ConnectionStrings": {
    "DefaultConnection": "Server=(local); Database=MyProperty; Trusted_Connection=True;"
  }
}

I want to replace the connection string value with my QA database within a DevOps Release Pipeline.

If I declare a Release Pipeline Variable in Azure DevOps, I can use the name ConnectionStrings.DefaultConnection, give it a value, and it will inject the value into appsettings as part of the release, as below:

[image: ConnString]

However, if instead of the above I want to use Azure Key Vault and I create a Key Vault secret, I can only create the secret name as DefaultConnection, as periods are not allowed within the secret name, and therefore the connection string does not get replaced with the secret value during the release. I presumed that if I could create a secret as ConnectionStrings.DefaultConnection it would work, but we are not allowed to add special characters.

Even if I add a Variable Group, it takes the secret name, which cannot accept special characters, as below:

[image]

Is there a way I can achieve this please?

2
Have you considered using a Managed Identity if possible (e.g. is your database hosted in Azure) instead of putting secrets in plain text in your application settings? - Heath
Yes, this is what I am trying to achieve using Azure Key Vault, as per my question, so that the values are retrieved from the vault. - Dan
That's not Managed Identity. See docs.microsoft.com/en-us/azure/app-service/… for an example using Azure SQL Server. A lot of services support assigning an identity, which is easier and safer to manage than shared credentials (even if secret). - Heath
Cool, thanks for the info! - Dan

2 Answers

0
votes

There's no direct relationship between the secret name and the app settings / connection strings. You can name your secret as "avocado" if you want. What you need to do is define the right name only when setting the real app setting / connection string.

Here's a sample:

[image]

More info: Azure DevOps Variable Group not applying in Azure Function Configuration

EDIT: No, your secret can't be named in the same pattern (":" or "_" to separate words)

0
votes

Any secret that we want to access from Azure Key Vault, say 'connString', can be accessed as a variable in the pipeline using the convention $(connString).

To access secrets from Azure Key Vault in Azure Pipelines, there are two ways:

  1. In pipeline - Use the task "Azure Key Vault" to get the particular secret or a list of comma-separated secrets, or you can get all the secrets too using the wildcard character in 'secrets filter'. Then, using the above convention, i.e. $(), use the fetched secret in the downstream tasks.

  2. Create a key vault based variable group - A variable group can link to the Azure key vault and you can select the particular secrets you want to read in your pipeline. You can link one variable group with multiple pipelines.

In either case, you need to have sufficient permissions on the Azure Key Vault, which you can define in the "Access policies" blade in the Azure portal.
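
The mapping both answers describe, written out as a YAML pipeline (an added example, not from the original posts): the Key Vault secret keeps its dot-free name DefaultConnection, and a pipeline variable named after the JSON path takes its value through the $(...) convention. The service connection name, vault name and package path are placeholder assumptions, as is the use of the FileTransform task for the appsettings.json substitution.

```yaml
# Added example. Names marked "assumption" are placeholders, not values from the question.
variables:
  # Variable NAME = JSON path of the key to replace in appsettings.json.
  # Variable VALUE = macro that resolves to the Key Vault secret at runtime.
  # The secret itself is named DefaultConnection, so no period is needed in the vault.
  ConnectionStrings.DefaultConnection: $(DefaultConnection)

steps:
  # Fetch only the one secret the release needs instead of '*',
  # so the job never holds secrets it does not use.
  - task: AzureKeyVault@2
    displayName: Fetch QA connection string from Key Vault
    inputs:
      azureSubscription: 'qa-service-connection'   # assumption: service connection name
      KeyVaultName: 'my-qa-keyvault'               # assumption: vault name
      SecretsFilter: 'DefaultConnection'
      RunAsPreJob: false

  # JSON variable substitution: pipeline variables whose names match an
  # existing key path in the target file replace that key's value.
  - task: FileTransform@1
    displayName: Substitute connection string in appsettings.json
    inputs:
      folderPath: '$(System.DefaultWorkingDirectory)/**/*.zip'   # assumption: package location
      fileType: 'json'
      targetFiles: '**/appsettings.json'
```

In a classic release pipeline the same mapping is a pipeline variable named ConnectionStrings.DefaultConnection with the value $(DefaultConnection), alongside the Key Vault linked variable group or task that supplies DefaultConnection.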