I'm using a pipeline to deploy function app to azure, in my code I have to use certificate server uri(key vault reference in config file) to get permission.How can I get the Secret Identifier value as a variable when deploy to app services.I just want to deploy this variable from keyvault in pipeline automatically.
Here I'm using Azure keyvault Task:
steps:
- task: AzureKeyVault#1
displayName: 'Azure Key Vault: KV-Secrets-Dev'
inputs:
azureSubscription: 'Azure: DEV'
KeyVaultName: 'KV-Secrets-Dev'
and them deploy funtion app with appsettings:
-clientCertificatePfx #Microsoft.KeyVault(SecretUri=$(spdevpfx))
here I can get the certtificate valut from $(spdevpfx),but I just want it as a server URI,how to get it?
You are not able to get the Secret URI with Azure KeyVault Task in Azure DevOps. Explained in the official documentation:
Use this task in a build or release pipeline to download secrets such
as authentication keys, storage account keys, data encryption keys,
.PFX files, and passwords from an Azure Key Vault instance. The task
can be used to fetch the latest values of all or a subset of secrets
from the vault, and set them as variables that can be used in
subsequent tasks of a pipeline.
Workaround
You may use the Azure PowerShell task to get the id of your secret. And then pass it to the next task by setting it to an environment variable.
Related
There are many questions similar to mine, but I hit a wall finding what I want, please help.
I am running Azure Dev ops pipeline within the organization "MyOrganization" and in the project "MyProject". The service connection or subscription I am connected to is "Subscription-Id" (something like this: abc123-def456..xyz3265)
Pipeline has several tasks.
The first task is a powershell taks that creates Azure Resource Group and then an Azure Key vault. (NewKeyVault)
Second task, will scan another existing key vault (SourceKeyVault) and copy its secrets into the NewKeyVault. I know how to do this and it works just fine when I run the powershell tasks from within my PCwhen I explicitly log in with my log in to azure.
Howerer, here when ran under Azure Dev Ops pipleline, I get error that the "logged in" user has no permissions to Create, get list, etc.. to the secrets.
I want to automatically assign access policy to newly created key vault.
If using the web portal, I can see the Devops as a registered application and can do it. I don't know how to access it from within power shell task within the devops running pipeline.
Based on your expectation, you may consider using the Azure CLI pipeline task, where you can run az keyvault set-policy command to configure keyvault access policies for specific user.
az keyvault set-policy -n $(TheAzureKeyVaultName) --secret-permissions get list --object-id $(UserPrincipalGUID)
See more information on az keyvault set-policy.
steps:
- task: AzureCLI#2
displayName: 'Azure CLI '
inputs:
azureSubscription: 'ARM_Svc_Cnn_Auto_Sub1'
scriptType: ps
scriptLocation: inlineScript
inlineScript: 'az keyvault set-policy -n $(TheAzureKeyVaultName) --secret-permissions get list --object-id $(UserPrincipalGUID)'
This task requires to use the Azure Resource Manager service connection to authenticate and login Azure.
For the automatically created ARM service connection, you can use this API to find out which service principal that the ARM service connection is referenced to az login.
In my case, the ARM service connection is referencing the service principal MyDevOpsOrg-TheProjectName-MySubID which is the contributor of my target KeyVault (inherited from subscription) and has sufficient permission to set key vault access policy.
I was able to resolve an issue in a simple manner - I am using Azure Power shell
script that creates the key vault itself
New-AzKeyVault -VaultName $newKvName -ResourceGroupName $resourceGroupName -Location $location
(all the variables referenced with $ are arguments passed to the script)
And then I get the context for a logged in principal
(AzDevOps pipeline is a principal in itself, registered in Azure AD)
#This gives a context object, which has principal
#id as a property of.
$Context = Get-AzContext
Then I set that principal as access policy
Set-AzKeyVaultAccessPolicy -VaultName $newKvName -ServicePrincipalName $Context.Account.Id -PermissionsToSecrets Get,List,Set
I have an integration test that needs to access the cosmosdb in azure cloud. Locally I need to login to the azure and then run the test
az login
poetry run pytest test/integration
My question is how can I implement the equivalent of az login in the azure DevOps pipeline? Isn't the Azure DevOps Server is already connected to the Azure cloud naturally?
The recommended way to access resources in Azure is to create an Azure Resource Manager -type service connection from Project Settings -> Service Connections -> New Service Connection -> Azure Resource Manager -> Service Principal (automatic). Creating a service connection requires you to have sufficient rights to the target Azure Subscription.
A service connection is essentially a service principal that then needs to be authorized to access the resources needed. In this case, you'd have to grant this service principal the (absolutely minimal) access it needs in order to perform the tests.
I'm not an expert on Cosmos DB, but I do know that it supports multiple ways of securely accessing the data, so you might want to explore options like logging in with access keys as well. You can run Az Cli commands in pipeline with the Azure Cli task like this:
- task: AzureCLI#2
displayName: Azure CLI
inputs:
azureSubscription: '$(azureSubscriptionName)'
scriptType: pscore
scriptLocation: inlineScript
inlineScript: |
az command parameters
With the service connection name in $(azureSubscriptionName) and actual command (s) with inlineScript (or reference a physical script if that's more suitable). Just remember that you are operating in Azure via the service connection/principal, so you need to grant that sufficient rights to do what needs to be done.
There are multiple ways to do this, so a bit of exploration is required. Also, there seems to be something called Cosmod DB emulator and you might want to check that out first - when running unit/integration tests, the best practice would be not having to access an actual resource at all.
(If you are actually running tests on Azure DevOps Server, and not Azure DevOps Service, there might be some additional obstacles I'm not aware of - haven't used the on-premises version in a while)
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops
https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key
https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
https://learn.microsoft.com/en-us/azure/cosmos-db/tutorial-setup-ci-cd
https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-cli?view=azure-devops
I have configured the Diagnostics Extension on my Azure cloud project so that I can collect the IIS logs and publish them to a storage account on azure.
However, I do not want to store the secret key of the storage account in the cscfg file, so I unchecked the "Don't remove storage key secret from project configuration (.cscfg) file". Please check the following.
I want to store the key of the storage account in the azure vault and I want Azure to pull the key from the azure vault while configuring the diagnostics extension during publishing of the code.
The code is published via Devops yaml pipeline.
Is there any way to instruct the Azure pipeline to read the storage account key from Azure vault and use it for configuring the diagnostics extension during publishing code?
You need to use "Variable groups" feature of Azure Devops to link secrets from key vault into your pipeline, and forward them to your task.
Add secret to key vault
Create service connection in AzureDevops with permissions to access key vault
Create variable group and link secrets from key vault
Link variable group created in previous step into your .yaml pipeline
Any secret from variable group is accessible from within the pipeline like $(VariableName).
More information here.
Looking for a way to access keyvault secrets in the invoke Azure function activity in a YAML template,
The secret from the keyvault is the url for the azure function that I want to invoke in the yaml task.
The Issue is Task Invoke Azure function can only be done on a serverless agent but the keyvault secrets cannot be read in the serverless agent.
I have tried to set the variables as required dependency but that is not working. I have linked variable groups to the task the serverless agent is not able to access those secrets, I have also tried to re-assign values to global variables with keyvault secrets in a hosted agent and then invoke azure function, but that also does not work.
Is there a specific way to do this?
I see that in Azure release pipelines, we can read secrets either by creating a key vault based variable group in library or by using the task "Azure Key vault" in pipeline. Both of them do the same thing i.e. reading the secret value from the key vault, with a difference that we can link variable group with multiple pipelines, and the "Azure Key vault" task would remain confined to one pipeline.
I want to understand what is the best practice while reading secrets from Azure key vault in release pipelines. Which of the two approaches is recommended here and why?
Which of the two approaches is recommended here and why?
Reusability is the biggest difference between them, and it is also the basis for you to decide which way to choose.
If you confirm that your job is a one-time job, then you can choose Azure key vault task. In this case, you do not need to configure the variable group in library and link the library to the release pipeline.
But if you need to reuse it or plan to reuse it in the future, then choose variable group in library, so that you do not need to add the Azure key vault task in each pipeline.
But would you recommend going with pipeline variables when we already
have these secrets in Azure key vault. Will that not duplicate these
secrets in Azure Key Vault and pipeline variables in that case.
I do not recommend that you use those variables that have been set in Azure key vault in pipeline variables. Because the variable in the pipeline will overwrite the value of the variable you set in Azure key vault.