Azure Key Vault Secrets within Azure DevOps Pipelines

Captions
Let's learn in this video how to access Azure Key Vault secrets using an Azure DevOps pipeline. Azure Key Vault is used to secure our secrets, like passwords and database connection strings, using strong encryption. Those secrets can then be used by the DevOps pipeline or by our applications. Let's see how that works with pipelines.

So for the demo I have prepared a sample Git repository where you have all the scripts to create the environment. First, what I have done here is that I have created a new Key Vault instance and a new Key Vault secret using the Azure CLI tool; you can also do this using the Azure portal or any other tool. So if you run this script you will have the Azure Key Vault instance and the secret already created. What I have also done is that I have set up the RBAC roles, so at the end this will give me a new Key Vault instance like this one that I have created on my own subscription. This is a Key Vault instance that is actually using the RBAC mode. This is important if you want to use Key Vault with Azure DevOps: here you make sure you choose the Azure role-based access control (RBAC) mode, which is the recommended way to use Key Vault today. So don't use the Key Vault access policy; you can still use it, but the new way is RBAC. With RBAC it means we should assign roles to the specific Key Vault instance and also specific roles for the secrets, and that's what I have done actually. If I go to Access control after creating my instance, I have assigned the roles. If I go to Role assignments from here, I would see two roles that I have assigned. One role I have assigned for myself, which is Key Vault Secrets Officer. This role allows me to create secrets and view their values, so this is a role for someone who needs to manage the secrets. Then I have created the second role assignment for my SPN, because from Azure DevOps I connect to the Key Vault using a service principal. So I have created a service principal in Azure and then I have assigned the Key Vault Secrets User role to that service principal. What is the difference here between the two roles? The first role is able to create secrets and define their values. The second role, Secrets User, cannot create secrets but can only read the values of the secrets defined by the admin. This is important: if you have a DevOps team, those persons can create the secrets, and then your applications and your DevOps pipelines will use the second role in order to access and read these secrets.

Then I have created the secret itself. If I go here to Secrets, you would find here my database password secret, and if I go there, because now I'm using the RBAC mode, the secret itself can define its own RBAC roles. So here if I go to Access control, you would see that the roles will be inherited by this secret: the two roles that I have defined earlier, Key Vault Secrets Officer and Secrets User. And because I'm a Secrets Officer, I can view the value of that secret if I click on it; because I have the right access role I can click here on Show Secret Value, and that is my secret password.

Now I'll try to access this secret password from within my Azure DevOps pipeline. Here from within Azure DevOps I have created a new project, and then I have created a new pipeline, which is this one. Using the New pipeline button right here, you choose a new pipeline, then you select your Git repository (for me it was GitHub), then I selected my own repository and created that pipeline, and I have of course modified that pipeline, so the end result is this one. Of course, you will find this pipeline in the GitHub repository; if you go to this one you would find the same pipeline I'm using in this demo today. So from here, in this pipeline I'll trigger it to run on each commit, and then it will run on a VM image, and then here I have the important steps, which are here: the step that is Azure Key Vault. This is a predefined task within Azure DevOps, so you get that by default within your Azure DevOps subscription. This task needs just a few parameters. So this is the task that will connect to the Azure Key Vault and retrieve the secrets from there. To connect to Azure Key Vault it needs an Azure subscription; it needs access to the Azure subscription using the service connection, and here I have selected one of my service connections, SP Key Vault DevOps, which I have created earlier for this demo. If you go here to Service connections within your project, you can go to create a new service connection and specify the values: subscription ID, subscription name, service principal ID and the service principal key, and your tenant ID, and then it should be available from within your Azure DevOps pipeline. I have it here, so that will allow me to access the Azure Key Vault, and remember that was the service principal to which I have assigned the role Key Vault Secrets User from within my Azure subscription. Remember that very well; that is the role right here. Then, because I have access to my Azure Key Vault, I can select my Key Vault subscription or my Key Vault instance right here, and then I can filter on the secrets. If I use the star right here it means I get all the secrets from within my Key Vault; if I want to get a specific secret then I can just write its name, or if I want to retrieve only two or three, I can use a comma-separated list to get the different secrets I want to get. In my case here, I want to get all the secrets, and in particular I would have the secret database password. We have here an option that says "Make secrets available to whole job". This means that if I get the secrets from this task, those secrets will be available to all the tasks. What does that mean? By default, if that's not enabled, the secret will be available only to the tasks that are below the Azure Key Vault task; this means in my case here it would be available only to the command line task; it's not available to the copy files task.

What I'm doing here next is that I'm getting that secret using its name. The Azure Key Vault task will create an environment variable with the name of the secret, that is database password, so I have an environment variable to find it there. I get that value and I write its value into a file called secret.txt. Then I try to show the value of secret.txt, and I'm doing this just to show that the value of the secret will not be shown on the console, on the output console window on Azure DevOps. That is a nice security feature in order to secure these passwords: your pipeline cannot show the value of your secrets, but it can write it into a file, right, because maybe that's what you need to do, to write the secret into a Terraform or an ARM template or to write it into a configuration file, but not show the value on the console. Then next I'm just copying the file secret.txt into a folder, and then I'm uploading that file into the drop folder and to Azure Artifacts to view its value later.

So let's go to run this pipeline. I click Run; the job is scheduled. Note here that the pre-job "Get secrets from Key Vault" was not run here because I didn't enable that option from my pipeline, so it will run after "Get secrets from Key Vault". So first we'll download the source code and then it will go to get the secrets from Key Vault, and it did actually find one secret from my Key Vault instance, which is the database password. Then here it's trying to write the secret into the console window and into the txt file, and note here we don't get any value; the value is not shown from the Azure DevOps pipeline. Then it's copying the secret into a file and publishing that file into the drop folder. So now if I go back here, I would see that secret in the drop folder. I go right here, yeah, here it is, so we have one published file. If I go to access that drop folder I would see my secret.txt file, and if I go to open it then yeah, from here I can see that the value of that secret file is my secret password, which is the secret from within my Azure Key Vault instance. I hope you liked this video. Thank you.
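The pipeline the video walks through, written out as an added example (this is not the pipeline from the video's GitHub repository). It assumes a service connection named sp-keyvault-devops backed by the service principal that holds the Key Vault Secrets User role, a vault whose name is left as the placeholder YOUR-KEYVAULT-NAME, and a secret named database-password; all three names are assumptions, not values from the video.

```yaml
# Added example pipeline (not the video's own). Assumed names:
#   service connection 'sp-keyvault-devops', vault 'YOUR-KEYVAULT-NAME',
#   secret 'database-password'.
trigger:
  - main                       # run on each commit to main

pool:
  vmImage: ubuntu-latest

steps:
  - task: AzureKeyVault@2
    displayName: Get secrets from Key Vault
    inputs:
      # Service connection whose SPN was granted Key Vault Secrets User (read only,
      # cannot create secrets); the Secrets Officer role stays with the humans.
      azureSubscription: 'sp-keyvault-devops'
      KeyVaultName: 'YOUR-KEYVAULT-NAME'
      # '*' pulls every secret in the vault; naming only what the job needs
      # keeps the blast radius small. Comma-separate to fetch several.
      SecretsFilter: 'database-password'
      # false: secrets visible only to steps after this task (as in the video).
      # true: the task runs as a pre-job and every step in the job can use them.
      RunAsPreJob: false

  # Each fetched secret becomes a secret pipeline variable: masked in the log and
  # not exported to the environment automatically, so map it explicitly.
  - script: |
      echo "Secret value as seen in the log: $DB_PASSWORD"   # printed as ***
      printf '%s' "$DB_PASSWORD" > "$(Build.ArtifactStagingDirectory)/secret.txt"
      cat "$(Build.ArtifactStagingDirectory)/secret.txt"      # also masked in the log
    displayName: Write secret to file
    env:
      DB_PASSWORD: $(database-password)
```

Masking applies only to the job log. A file written this way and published as a build artifact (the drop folder in the video) carries the plaintext value, which is why the video can open secret.txt and read the password; in a real pipeline the file should be consumed by the deployment step and not published.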
Info
Channel: Houssem Dellai
Views: 19,350
Keywords: devops, azure devops, azure, ci/cd, continuous integration, continuous deployment, bicep, infra as code, iac
Id: 3IrzFrHn434
Length: 9min 36sec (576 seconds)
Published: Wed Mar 23 2022