0
votes

We have certain functional tests that rely on some secrets. Those secrets are obtained from an Azure Key Vault (AKV), and to connect from the build agent I am using environment variables and AzureIdentity. I set those env variables on the build agent machine using PowerShell. When I use non-secret pipeline variables, everything works, but when I switch to a secret pipeline variable for AZURE_CLIENT_SECRET, the authentication starts to fail. I tried the approach of using a script to set the environment variable from the secret pipeline variable, but it does not work. I also tried the approach mentioned here but that does not work either. Any suggestion on how to set an environment variable using secret pipeline variables?

2 Answers

0
votes

If you explicitly pass the secret to the script as a parameter then the script will have access to it. If you want to then use that to set an environment variable for use in later scripts, you can use a different environment variable name and have the script publish that you want it available in subsequent scripts. That sort of defeats the purpose of it being secret, but if that's what you want.

0
votes

Any suggestion on how to set an environment variable using secret pipeline variables?

If you set a secret variable in the pipeline, then use the script's environment or map the variable within the variables block to pass secrets to your pipeline, as in the script below. See: Set secret variables for details.

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "Using the mapped env var for this task works and is recommended: $env:MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(PAT) # the recommended way to map to an env variable

If you use an Azure Key Vault variable, we create a secret variable (PAT) in the Azure Key Vault.

So we can link secrets from an Azure Key Vault in a variable group.

Now we can use this variable group in the script below. See: Reference secret variables in variable groups for details.

variables: 
- group: 'AKVgroup' # variable group

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "Using the mapped env var for this task works and is recommended: $env:MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(PAT) # the recommended way to map to an env variable

The other way is using the Azure Key Vault task, as in the script below. See: Use secrets from Azure Key Vault in Azure Pipelines for details.

- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'ARM'
    KeyVaultName: 'edwardkey'
    SecretsFilter: '*'
    RunAsPreJob: true

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "Using the mapped env var for this task works and is recommended: $env:MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(PAT) # the recommended way to map to an env variable
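
The same mapping applied to the question's case (AZURE_CLIENT_SECRET for Azure Identity), as an added example that is not part of either answer. It assumes the variable group 'AKVgroup' exposes secrets named TenantId, ClientId and ClientSecret (hypothetical names), and it checks the mapped values before the tests run without ever printing them.

```yaml
# Added example, not from the answers above.
# Assumption: 'AKVgroup' links Key Vault secrets named TenantId, ClientId
# and ClientSecret (hypothetical names; use your own).
variables:
- group: 'AKVgroup'

steps:
- task: PowerShell@2
  displayName: 'Check Azure Identity credentials, then run tests'
  inputs:
    targetType: 'inline'
    script: |
      $ErrorActionPreference = 'Stop'
      # Azure Identity's EnvironmentCredential reads these three names.
      $required = 'AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET'
      $problems = foreach ($name in $required) {
        $value = [Environment]::GetEnvironmentVariable($name)
        if ([string]::IsNullOrWhiteSpace($value)) {
          "$name is empty or was not mapped in env:"
        } elseif ($value -match '^\$\(.+\)$') {
          # An undefined pipeline variable is passed through as its
          # literal macro text instead of a value.
          "$name still holds an unexpanded pipeline macro"
        }
      }
      if ($problems) {
        # Report which name failed, never the value itself.
        $problems | ForEach-Object { Write-Host "##vso[task.logissue type=error]$_" }
        exit 1
      }
      Write-Host 'All three Azure Identity variables are present.'
      # Invoke the functional tests here; child processes started by
      # this script inherit the three variables.
  env:
    AZURE_TENANT_ID: $(TenantId)
    AZURE_CLIENT_ID: $(ClientId)
    # Secret variables are not exported to the environment automatically;
    # they reach the process only through this explicit per-task mapping.
    AZURE_CLIENT_SECRET: $(ClientSecret)
```

The mapping is scoped to this one task, so any later task that needs the credentials has to repeat the `env:` block.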