Adding Azure Key Vault secrets in Azure Pipelines

Azure Key Vault enables us to securely store and manage secrets such as API keys, credentials or certificates. In this article we will see how to add vault secrets (those are required during build/restore processes) in Azure pipelines.

Prerequisites

1. An Azure DevOps organization. If you don't have one, you can create one for free (https://learn.microsoft.com/en-us/azure/devops/pipelines/get-started/pipelines-sign-up?view=azure-devops).
2. An Azure subscription. Create an Azure account for free (https://azure.microsoft.com/en-us/free/?WT.mc_id=A261C142F) if you don't have one already.
3. A key-vault already created say "pipelineskeyvault7954"

Creating a new pipeline and adding key-vault task into it (Here are steps with UI mode without YAML)

1. Select Pipelines, and then select New Pipeline.
2. Select Use the classic editor to create a pipeline without YAML.
3. Select Azure Repos Git, and then select your repository and default branch. Select Continue when you are done.
4. Select the .Net Desktop pipeline template.
5. For key-vault example, we will only need the last two tasks from the template. Press CTRL and then select the first five tasks, right-click and choose Remove selected tasks(s) to delete them.
   
6. Select + to add a new task. Add the Command line task and configure it as follows:
   1. Display name: Command Line Script. 
   2. Script: echo $(Your-Secret-Name) > secret.txt
      
7. Select + to add a new task. Add the Azure Key Vault task and configure it as follows:
   1. Display Name: Azure Key Vault 
   2. Azure subscription: Select your Azure subscription from the list, and then select Authorize. 
   3. Key vault: Select your key vault Secret filter: A comma separated list of secret names or leave * to download all secrets from the selected key
      
8. Select the Copy files task and fill out the required fields.
   
9. Select the Publish Artifacts and keep the default settings.
   

Note: Don't save or queue your pipeline just yet. We must first give our pipeline the right permissions to access Azure Key Vault. Keep your browser tab open, we will resume the remaining steps once we set up the key vault permissions.

Setting up Azure Key Vault access policies

In order to access our Azure Key Vault in pipeline, we must first set up a service principal to give access to Azure Pipelines.

1. Navigate to Azure portal.
2. Use the search bar to search for the key vault you created earlier.
   
3. Under Settings Select Access policies.
4. Select Add Access Policy to add a new policy.
5. For Secret permissions, select Get and List.
6. Select the option to select a service principal and search for the one you created in the beginning of this section. A security principal is an object that represents a user, group, service, or application that's requesting access to Azure resources.
7. Select Add to create the access policy, then select Save when you are done.

Run and review the pipeline

1. Return to the previous tab where we left off.
2. Select Save, and then select Save again to commit your changes and trigger the pipeline. You may be asked to allow the pipeline access to Azure resources, if prompted select Allow. You will only have to approve your pipeline once.
3. Select the CmdLine task to view the logs.
   
4. Return to pipeline summary and select the published artifact.
   
5. Select the secret.txt artifact to open it.
   
6. The text file should contain our secret: mysecretpassword.