Introduction
Managing sensitive files securely is a crucial aspect of maintaining the integrity and security of your DevOps pipeline. Azure DevOps provides a feature called Secure Files in its Library, allowing you to store sensitive files securely without committing them to your repository. These files, which can include configuration files, certificates, and other sensitive data, are encrypted and can only be accessed through specific tasks in your pipeline. This blog will guide you through the process of utilizing Secure Files in Azure DevOps and demonstrate how to consume them in your build or release pipeline.
Use cases
- Configuration files: Securely store and manage configuration files that contain sensitive information.
- SSL/TLS certificates: Manage SSL/TLS certificates required for secure communications.
- Database configuration files: Store files containing database configurations securely.
- License files: Manage license files required for various software applications.
- Private keys for encryption: Securely store private keys used for encryption processes that need to be handled in the pipeline.
Note. Azure DevOps also offers another option for secrets such as keys or connection strings: linking a variable group to Azure Key Vault.
Steps to add and use secure files in Azure DevOps
Step 1. Add a secure file
- Go to Azure DevOps Project
- Navigate to secure files: Go to Pipelines > Library > Secure files
- Upload secure file: Select the Secure Files tab and click on Secure file to upload a new secure file. Browse to upload or drag and drop your file which needs to be secured.
- Set permissions: After uploading, assign a role (User, Reader or Administrator) to the groups or users that need the file. Make sure the Build Service account has the Reader role, otherwise the pipeline cannot download it.
- You can also manage security role restrictions for all files from the Security tab at Pipelines > Library. To set permissions for an individual file, go to the file's edit view and select Pipeline permissions or Security.
Step 2. Consume a secure file in a Pipeline
- Download secure file task: Use the Download Secure File task to consume secure files in your pipeline. Below is an example of a YAML pipeline that downloads the file and reads it from a PowerShell step.

trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: DownloadSecureFile@1
  name: DownloadSecureFile   # the task name is what exposes $(DownloadSecureFile.secureFilePath)
  inputs:
    secureFile: 'settings.json'
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      # Prints the file contents to the build log; use only to verify the download of a non-secret file
      Get-Content $(DownloadSecureFile.secureFilePath)
Note. The task exposes the download location as $(<task name>.secureFilePath), so a task declared with name: DownloadSecureFile is referenced as $(DownloadSecureFile.secureFilePath).
- Pipeline execution: When the pipeline runs, the specified secure file will be downloaded securely and used as required in the pipeline steps.
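A fuller pipeline than the one above, added here as an example and not taken from the original post: it names the download task, restricts the downloaded file's permissions, verifies its SHA-256 against a value recorded at upload time, and reads the PFX password from a secret variable instead of writing it into the YAML. The secure file name client-cert.pfx, the variable expectedSha256 and the secret variable PfxPassword are assumptions.

```yaml
trigger:
- main

pool:
  vmImage: ubuntu-latest

variables:
  # Assumed: SHA-256 of client-cert.pfx recorded when it was uploaded to Library > Secure files
  expectedSha256: '<sha256-of-client-cert.pfx>'

steps:
- task: DownloadSecureFile@1
  name: clientCert                  # exposes $(clientCert.secureFilePath)
  displayName: Download client certificate
  inputs:
    secureFile: 'client-cert.pfx'   # assumed name of the uploaded secure file

- bash: |
    set -euo pipefail
    f='$(clientCert.secureFilePath)'
    # Restrict access to the agent user before any later step uses the file
    chmod 600 "$f"
    # Fail the job if the file does not match the hash recorded at upload time
    actual=$(sha256sum "$f" | cut -d ' ' -f1)
    if [ "$actual" != '$(expectedSha256)' ]; then
      echo "##vso[task.logissue type=error]client-cert.pfx hash mismatch"
      exit 1
    fi
    # Log only metadata, never the file contents
    ls -l "$f"
  displayName: Verify secure file

- bash: |
    set -euo pipefail
    # The PFX password arrives via the environment, mapped from a secret variable below
    openssl pkcs12 -in '$(clientCert.secureFilePath)' -nokeys -passin env:PFX_PASSWORD \
      | openssl x509 -noout -subject -enddate
  displayName: Show certificate subject and expiry
  env:
    PFX_PASSWORD: $(PfxPassword)    # assumed secret pipeline variable, never written into the YAML
```

The agent removes the downloaded secure file when the job ends, so it is only available for the duration of that job.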
Conclusion
Secure Files in Azure DevOps provides a robust solution for managing sensitive files securely within your pipelines. By leveraging this feature, you can ensure that critical files such as configuration files, certificates, and database configurations are handled securely and are only accessible during pipeline execution. This not only enhances the security of your DevOps processes but also simplifies the management of sensitive files across different environments. Remember, while Secure Files are invaluable for development and testing, it is crucial to implement comprehensive security measures for production environments, including approvals and checks to maintain the highest security standards.