1
votes

I'm having trouble using a multiline Azure Key Vault value inside an Azure Release Pipeline...

I put a multiline value (RSA private key) into Azure Key Vault using the CLI:

az keyvault secret set --vault-name "vault" --name "secret" --file "pk.pem"

This works and I can see the multiline secret in the portal.

Locally using CLI I can also do:

pk=$(az keyvault secret show \
--name "ssh-private-key" \
--vault-name "$vault" \
--query "value")

This returns a somewhat crappy value (yes including the double quotes):

"-----BEGIN RSA PRIVATE KEY-----\nMIIG4wIBAA .... JtpyW\n-----END RSA PRIVATE KEY-----\n"

I can manage to work with this and send the value to a file like so:

pk="${pk%\"}" # remove trailing quote
pk="${pk#\"}" # remove leading quote

echo "$pk" | sed 's|\\n|\n|g' | # replace literal \n with actual newlines
while IFS= read -r line; do     # loop through lines
  echo "$line" >> pk.pem        # write to file per line
done

This works and I can log in to my server using ssh -i pk.pem user@server


But when running the same script in the Azure DevOps Release pipeline (also using Bash on a Linux agent) the exact same script fails... I'm also having trouble inspecting the actual value as the log masks all values related to the secret...

[Screenshot: Azure DevOps Release Pipeline]

Any guide on how to debug or work with actually reading multiline values instead of just storing them would be hugely appreciated!

1 Answer

1
votes

Here is some troubleshooting advice:

The error "Host key verification failed." doesn't just occur when the key is incorrect. Most of the time, it doesn't refer to your key.

So I recommend you first try the connection with a simple value to see if it works on Azure DevOps.

What's more, maybe an SSH service connection can help you with what you're doing. Go to Project Settings -> Service connections -> Create service connection -> SSH to create one.
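
An added example, not code from the question or the answer: one way to turn the quoted, `\n`-escaped string from the question into a key file with owner-only permissions, and to log only its line count and SHA-256 so that a local run and a pipeline run can be compared even though the log masks the secret. The function names, the temporary path and the sample value are assumptions constructed for illustration, and `sha256sum` is assumed to be present on the Linux agent.

```shell
#!/bin/sh
# Added example: function names and paths are hypothetical, not from the post.

# write_pem QUOTED OUT: QUOTED is the string printed by --query "value",
# i.e. wrapped in double quotes with literal backslash-n between lines.
write_pem() (
  v=$1; out=$2
  v=${v#\"}; v=${v%\"}          # strip leading, then trailing double quote
  v=${v%\\n}                    # drop the final literal \n; printf adds one
  umask 077                     # new file is 0600, which ssh -i insists on
  rm -f "$out"                  # an existing file would keep its old mode
  printf '%b\n' "$v" > "$out"   # %b expands \n (PEM text has no other \)
)

# pem_check FILE: succeeds only if FILE looks like an unescaped PEM block.
pem_check() {
  sed -n '1p' "$1" | grep -q '^-----BEGIN .*-----$' || return 1
  sed -n '$p' "$1" | grep -q '^-----END .*-----$' || return 1
  ! grep -q -e '\\' -e '"' "$1"  # leftover escapes or quotes mean bad decode
}

# pem_summary FILE: print facts that are safe to log, never the key body.
pem_summary() {
  printf 'lines=%s sha256=%s\n' \
    "$(wc -l < "$1" | tr -d ' ')" \
    "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Constructed sample (not a real key) in the shape shown in the question.
sample='"-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGR0g=\nSUpLTE1OT1A=\n-----END RSA PRIVATE KEY-----\n"'
demo=$(mktemp -d)
write_pem "$sample" "$demo/pk.pem"
pem_check "$demo/pk.pem" && pem_summary "$demo/pk.pem"
rm -rf "$demo"
```

If `pem_summary` prints the same line on the workstation and on the agent, the key file is identical in both places and the failure lies elsewhere, which is consistent with the answer's point about "Host key verification failed."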