I see that in Azure release pipelines, we can read secrets either by creating a key vault based variable group in library or by using the task "Azure Key vault" in pipeline. Both of them do the same thing i.e. reading the secret value from the key vault, with a difference that we can link variable group with multiple pipelines, and the "Azure Key vault" task would remain confined to one pipeline.
I want to understand what is the best practice while reading secrets from Azure key vault in release pipelines. Which of the two approaches is recommended here and why?
Which of the two approaches is recommended here and why?
Reusability is the biggest difference between them, and it is also the basis for you to decide which way to choose.
If you confirm that your job is a one-time job, then you can choose Azure key vault task. In this case, you do not need to configure the variable group in library and link the library to the release pipeline.
But if you need to reuse it or plan to reuse it in the future, then choose variable group in library, so that you do not need to add the Azure key vault task in each pipeline.
But would you recommend going with pipeline variables when we already
have these secrets in Azure key vault. Will that not duplicate these
secrets in Azure Key Vault and pipeline variables in that case.
I do not recommend that you use those variables that have been set in Azure key vault in pipeline variables. Because the variable in the pipeline will overwrite the value of the variable you set in Azure key vault.
Related
I am trying to create and manage Azure Keyvault Secrets using the Azure Service Operators.
I can see the options to create and manage the Keyvault certificate using the kind: KeyVaultKey. However, I am wondering how I can create and manage secrets using the Azure Service Operators.
Is there any lead on this?
Appreciate the help..!
The Azure Key Vault operator suite consists of the following operators:
• KeyVault - Deploys an Azure Key Vault given the location and resource group
• KeyVaultKey - Deploys an Azure Key Vault key given the location and resource group
The KeyVaultKey operator serves as an operator that allows for declarative management of Key Vault keys - one of the three resources available for storage and management in Key Vault; keys, secrets, and certificates. Keys can be leveraged for various use cases.
You can find sample code Here
Reference for Azure service operator
Note: Azure service operator is still under development
I have configured the Diagnostics Extension on my Azure cloud project so that I can collect the IIS logs and publish them to a storage account on azure.
However, I do not want to store the secret key of the storage account in the cscfg file, so I unchecked the "Don't remove storage key secret from project configuration (.cscfg) file". Please check the following.
I want to store the key of the storage account in the azure vault and I want Azure to pull the key from the azure vault while configuring the diagnostics extension during publishing of the code.
The code is published via Devops yaml pipeline.
Is there any way to instruct the Azure pipeline to read the storage account key from Azure vault and use it for configuring the diagnostics extension during publishing code?
You need to use "Variable groups" feature of Azure Devops to link secrets from key vault into your pipeline, and forward them to your task.
Add secret to key vault
Create service connection in AzureDevops with permissions to access key vault
Create variable group and link secrets from key vault
Link variable group created in previous step into your .yaml pipeline
Any secret from variable group is accessible from within the pipeline like $(VariableName).
More information here.
Looking for a way to access keyvault secrets in the invoke Azure function activity in a YAML template,
The secret from the keyvault is the url for the azure function that I want to invoke in the yaml task.
The Issue is Task Invoke Azure function can only be done on a serverless agent but the keyvault secrets cannot be read in the serverless agent.
I have tried to set the variables as required dependency but that is not working. I have linked variable groups to the task the serverless agent is not able to access those secrets, I have also tried to re-assign values to global variables with keyvault secrets in a hosted agent and then invoke azure function, but that also does not work.
Is there a specific way to do this?
I am looking to deploy Azure function by using Terraform, in the same way which is mentioned here in the Ms docs.
https://learn.microsoft.com/en-us/azure/azure-functions/deployment-zip-push
One of my need to store and Storage SAS key to Key Vault. I have seen some exmaple where we can below setting is used, but I can't use sas key without storing to Key Vault.
WEBSITE_RUN_FROM_ZIP = "https://${azurerm_storage_account.this.name}.blob.core.windows.net/${azurerm_storage_container.this.name}/${azurerm_storage_blob.this.name}${data.azurerm_storage_account_sas.this.sas}"
Any suggestion?
Thank you !
For this requirement, you can use the Key Vault reference to get the secrets to the Azure Function like this:
#Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
Or
#Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion=ec96f02080254f109c51a1f14cdb1931)
But this means only support system-assigned managed identities. So you need to enable the system-assigned managed identity and assign the right role of the Key Vault to it. Here is more details.
I'm doing an Azure App Service Deploy (ASP.NET Core 2.0 Web Api) in Visual Studio Team Services and want to replace some values in the appsettings.json so I read https://learn.microsoft.com/en-us/vsts/build-release/tasks/transforms-variable-substitution#jsonvarsubs, but they talk about substituting values in nested levels of the file, by concatenate the names with a period (.).
Problem is that you can't use periods (.) in an Azure Key Vault.
Does anyone know how to substitute variables with nested levels in an appsettings.json file using Secrets from the Azure Key Vault?
I ended up using 'ConnectionStrings--Database' as Secret key in Azure Key Vault.
Then adding a 'Variable Group' in VSTS (https://learn.microsoft.com/en-us/vsts/build-release/concepts/library/variable-groups) linking to the Azure Key Vault.
And add a 'Process Variable' called ConnectionStrings.Database with a value of '$(ConnectionStrings--Database).
That way it replaces the value of your 'Process Variable' with the value from the Azure Key Vault and it uses the name of the 'Process Variable' to replace in the appsettings.json.
[moved from comment to answer] I used an ARM template for setting appsettings from the keyvault. Create an ARM template which provisions the web app and read the values from the keyvault and uses the values for setting the appsettings. You can read them from the keyvault via the .parameters.json file or use a nested template. In this way you can keep using periods (.) In the appsettings and have a different keyname in the keyvault.