Summary
The article discusses the integration of Azure Key Vault secrets into Azure Pipelines using a Self-hosted Local Agent for enhanced security and efficiency in CI/CD processes. It emphasizes the importance of protecting sensitive information during development and introduces Azure Key Vault as a solution. The article guides users through configuring permissions, authentications, and service connections to seamlessly access secrets in pipelines. The use of Self-hosted Local Agents ensures control over the environment, contributing to a more secure and streamlined CI/CD workflow. Overall, the article provides a comprehensive step-by-step guide for implementing this integration to bolster the security of the development lifecycle.
First, create an Azure DevOps organization and project. The steps are covered in the article Azure DevOps: Create Organization, Project, Commit .NET Solution.
Next, create an Azure Key Vault for managing roles and secrets. The steps are covered in the article Azure Key Vault Creation, RBAC Setup, User Addition, Secret Management.
After creating the Key Vault, configure its Access Policy.
![Access Policies]()
Note: the Key Vault must use the Access Policy permission model, because this task does not support Role-Based Access Control (RBAC), as stated in the Microsoft documentation Key Vault secrets in Azure Pipelines.
![Manage pipelines with Azure CLI]()
![Permission model]()
![Go to access policy]()
![Access Policies]()
Allow permissions on the Key Vault
![Create access policy]()
Select user
![Select user]()
![Review+Create]()
The user has now been added successfully.
![User added]()
I have placed a secret in the Key Vault secrets.
![Key vault secrets]()
Now you need to go to Azure DevOps.
![Azure DevOps]()
Select your organization and project.
![Organization and project]()
Select the repository.
![Select repository]()
Select Library.
![Select Library]()
Create a variable group.
![Create a variable group]()
Fill in the required values.
Select the subscription.
![Select the subscription]()
Authorize yourself.
![Authorize yourself]()
Select the advanced option.
![Select advanced option]()
You can allow all pipelines to use this connection.
![Allow all pipelines to use this connection]()
Refresh the Key Vault list.
![Refresh for Key vault]()
If you get this error:
![Error]()
Go to the Azure Key Vault.
![Azure Key vault]()
Select the user and set the secret permissions as follows.
![Set secret permission]()
![Review changes]()
![Access Policies]()
Now go to Azure DevOps and Authorize again.
![Azure DevOps]()
Now you will be able to see the secret under Azure Key Vault Secrets.
![Azure Key Vault Secret]()
The secret has been added here.
![Azure Key Vault Secret.]()
Save it.
![Save]()
Now go to the pipeline.
![Pipelines]()
Create new pipeline.
![Create new pipeline]()
Select Git YAML.
![Select Git YAML]()
Select your project.
![Select your project]()
The default YAML will be shown here.
![Default YAML]()
![Starter Pipeline]()
![Review pipeline]()
You can copy the YAML below, paste it into the editor, and change it.
```yaml
pool:
  name: Default
trigger: none
steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: 'Azure subscription 1 (1a08c2ff-c356-4cea-a713-6be9241bfeea)'
    KeyVaultName: 'keyvault-learn-with-aisf'
    SecretsFilter: '*'
    RunAsPreJob: false
- task: CmdLine@2
  inputs:
    script: 'echo $(mysecret) > secret.txt'
- task: CopyFiles@2
  inputs:
    Contents: secret.txt
    targetFolder: '$(Build.ArtifactStagingDirectory)'
- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'drop'
    publishLocation: 'Container'
```
Copy your Key Vault name.
![Copy your Key vault name]()
Copy the secret name.
![Copy the secret name]()
Copy the subscription name.
![Copy the subscription name]()
Now place these values in the YAML.
![YAML]()
![Review your pipeline]()
![Set up CI with Azure pipeline]()
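As an added example, not the article's own pipeline: the article's YAML writes the secret to secret.txt and publishes it as a build artifact, which makes the value readable to anyone who can download that artifact. This variant keeps the AzureKeyVault@2 task but limits SecretsFilter to the one secret and hands it to a script step through an env mapping, so it is never written to disk or published. It assumes the same service connection, vault name and secret name (mysecret) as the article.

```yaml
# Added example (not the article's pipeline): fetch one secret from Key Vault
# and consume it in-process on the self-hosted agent, without persisting it.
# Assumed names: service connection, vault and secret are those used in the article.
pool:
  name: Default          # the self-hosted agent pool configured later in the article

trigger: none

steps:
- task: AzureKeyVault@2
  displayName: Fetch only the secret this pipeline needs
  inputs:
    azureSubscription: 'Azure subscription 1 (1a08c2ff-c356-4cea-a713-6be9241bfeea)'
    KeyVaultName: 'keyvault-learn-with-aisf'
    SecretsFilter: 'mysecret'   # name the secret instead of '*'
    RunAsPreJob: false

# Secret variables are not exposed to scripts automatically; mapping them under
# env is the supported way to pass them, and the value is masked if it ever
# reaches the job log.
- task: PowerShell@2
  displayName: Use the secret without writing it to disk
  env:
    MY_SECRET: $(mysecret)
  inputs:
    targetType: inline
    script: |
      if ([string]::IsNullOrEmpty($env:MY_SECRET)) {
        Write-Error 'Secret mysecret was not fetched from Key Vault'
        exit 1
      }
      # Prove the value arrived without printing it: log only its length.
      Write-Host "Secret received, length $($env:MY_SECRET.Length)"
      # ... call the tool or deployment that needs $env:MY_SECRET here ...
```

Because nothing is copied to the staging directory, the CopyFiles and PublishBuildArtifacts steps from the article are not needed in this variant.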
The job is now executing.
![Now job is executing.]()
If you get an error:
![If you get an error]()
Go to Project settings to configure a self-hosted agent in the pool.
![configuring Self-Hosted Agent in the pool]()
Select Agent Pools.
![Select Agent Pools]()
Select Default.
![Select Default]()
![Jobs]()
Click to download the agent in your local environment.
![Get the agent]()
Extract the folder.
![Extract the folder]()
Double-click the config.cmd file.
![config.cmd file]()
Copy the URL as highlighted.
![Project settings]()
Paste it into the CMD window and follow the steps.
![Azure pipeline CMD]()
![cmd.exe]()
Go to the Azure DevOps portal and create a Personal Access Token.
![Azure DevOps portal]()
![Personal access token]()
![New token]()
Copy the Personal Access Token now; you will not be able to see it again.
![Success]()
Paste the copied Personal Access Token into CMD.
![Personal Access Token into CMD]()
![Register agent]()
![Work folder]()
![configure autologon]()
![Run agent for startup]()
Now double-click run.cmd.
![run.cmd]()
![Listening for jobs]()
Now go to the Azure DevOps portal, click Agent Pools, then click the Default agent; you can see that it is running and Online.
![Default Agent]()
Now go to the pipeline and click Edit.
![go to pipeline and click on Edit]()
Now edit the YAML file and replace the highlighted values.
![Highlighted values]()
![AzureDevOps Project]()
![Azure DevOps project]()
If you see the highlighted line, click View and then Permit.
![View and permit]()
![Permission]()
![Personal access]()
![Azure Key vault]()
The pipeline has now executed successfully.
![Executed successfully]()
Now you can see the pipeline execution details.
![Azure DevOps project]()
Now go to the executed job and click on it.
![Executed job]()
![Artifacts]()
Save secret.txt.
![secret.txt]()
Now you can see the secret value that was stored in Azure Key Vault.
![secret value]()
Conclusion
The article serves as a valuable resource for developers and DevOps teams seeking to fortify the security of their CI/CD pipelines. By seamlessly integrating Azure Key Vault secrets into Azure Pipelines through the use of Self-hosted Local Agents, the guide addresses the critical need for safeguarding sensitive information throughout the software development lifecycle. The step-by-step instructions, focusing on configuring permissions and establishing secure connections, empower users to implement a robust and efficient CI/CD workflow.
With the combined benefits of centralized secret management and enhanced control over the execution environment, the approach outlined in the article not only bolsters security measures but also contributes to a more streamlined and resilient development process. As organizations continue to prioritize security in their software delivery practices, the insights provided in this article offer a practical and effective solution for elevating the overall security posture of CI/CD pipelines in Azure DevOps.