How To Use Azure Key Vault secrets in Azure Pipelines


What is Azure Key Vault? Is a cloud service for securely, storing and accessing secrets. A secret is anything you want to strictly control access to, such as .B. API keys, passwords, certificates, or cryptographic keys. Vaults support the storage of software and HSM-based keys, secrets, and certificates. Managed HSM pools that support only HSM-based keys. Azure Key Vault allows users to securely store, manage, and access sensitive information. kindly refer to some of my contents: How to configure and install ansible on Azure VM, how to Add or Remove Network Interface from a VM in Azure, how to use Azure key vault secrets in Azure pipelines and understanding the overview concept of Azure cloud shell.

In this article, you will learn how to:
  • Create an Azure Key Vault using Azure CLI
  • Add a secret and configure access to Azure key vault
  • Use secrets in your pipeline.
  • Create an Azure Key Vault

    Azure key vaults can be created and managed through the Azure portal or Azure CLI. We will use Azure CLI in this tutorial to create our Azure Key vault. Sign in to the Azure Portal, and then select the Cloud Shell button in the upper-right corner.


    Just in case you have more than one Azure subscription associated with your account, use the following command az account list to specify a default subscription.


    Then Copy and run this command az account set –subscription <your_subcription_name_or_ID>


    Then run the following command to set your default Azure region

    • Use az account list-locations to generate a list of available regions.
    • Run this command “az config set defaults.location=<your_region>
    • This can be set to example “az config set defaults.location=westus2

    To create a new resource group.

    What is a resource group: A resource group is a container that holds related resources for Azure solutions. Run this command to create a resource group from the shell.

    az group create --name <your-resource-group>

    Run the following command to create a new key vault from the shell.

    az keyvault secret set --name <your-key-vault> --resource-group <your-resource-group>

    Run the following command to create a new secret in your key vault. Secrets are stored as a key-value pair. from the below command, Password is the key and mysecretpassword is the value.

    az keyvault secret set --name "Password" --value "mysecretpassword" --vault-name <your-key-vault-name>

    Create a project

    Sign in to Azure Pipelines. Your browser will then navigate to and displays your Azure DevOps dashboard.


    Click on continue as shown below


    Enter the Caption (Character) as shown below and click on continue


    If you don’t have any projects in your organization yet, select Create a project to get started to create a new project. Otherwise, select the New project button in the upper-right corner of the dashboard.


    Create a repo

    We will use YAML to create our pipeline but first, we need to create a new repo. Sign in to your Azure DevOps organization and navigate to your project.
    – Go to Repos, and then select Initialize to initialize a new repo with a README.


    Click on setup build as shown below


    Select Starter pipeline.


    The default pipeline will include a few scripts that run echo commands. Those are not needed so we can delete them. Your new YAML file will now look like this:

    # Starter pipeline
    # Start with a minimal pipeline that you can customize to build and deploy your code.
    # Add steps that build, run tests, deploy, and more:
    - main
      vmImage: ubuntu-latest
    - script: echo Hello, world!  
    displayName: 'Run a one-line script'
    - script: |    
    echo Add other tasks to build, test, and deploy your project.    
    echo See  
    displayName: 'Run a multi-line script'

    Select Show assistant to expand the assistant panel.


    This panel provides a convenient and searchable list of pipeline tasks.


    Search for vault and select the Azure Key Vault task.


    Select and authorize your Azure subscription then select the Azure key vault task and select Add to add it to your pipeline. With the help of this task, it will allow the pipeline to connect to your Azure Key Vault and retrieve secrets to use as pipeline variables.

    - main
    vmImage: ubuntu-latest
  • task: AzureKeyVault@2 inputs: azureSubscription: '5f6c1c51-4db4-4e35-9b0a-fe0b66a617c5' KeyVaultName: 'MyKeyVault' SecretsFilter: '*' RunAsPreJob: falsetask:
  • CmdLine@2 inputs: script: 'echo $(MySecret) > secret.txt'task:
  • CopyFiles@2 inputs: Contents: secret.txt targetFolder: '$(Build.ArtifactStagingDirectory)'
  • task: PublishBuildArtifacts@1 inputs: PathtoPublish: '$(Build.ArtifactStagingDirectory)' ArtifactName: 'drop' publishLocation: 'Container'
  • Do not save or run your pipeline just yet. We must first give our pipeline the right permissions to access Azure Key Vault. Keep your browser tab open, as you will resume the remaining steps once we set up the key vault permissions.

    Set up Azure Key Vault access policies

    In order to access our Azure Key Vault, we must first set up a service principal to give access to Azure Pipelines. Go to Azure portal. Use the search bar to search for the key vault you created earlier.

    • Under Settings Select Access policies.
    • Select Add Access Policy to add a new policy.
    • For Secret permissions, select Get and List.
    • Select the option to select a service principal and search for the one you created in the beginning of this section.
    • Select Add to create the access policy, then Save.
    • Click on Save and Run

    Run and review the pipeline

    Return to the previous tab where we left off.


    As you can see below, the profile is being created


    Select Save then Save again to commit your changes and trigger the pipeline. Please understand you may be asked to allow the pipeline access to Azure resources if prompted select Allow. You will only have to approve your pipeline once.

    • Select the CmdLine job to view the logs.

    Return to pipeline summary and select the published artifact.


    Under Job select the secret.txt file to open it.


    The text file should contain our secret: mysecretpassword from earlier.

    I hope you found this article resolving task helpful as you have learnt how to use Azure Key Vault secrets in Azure Pipelines, create an Azure Key Vault, create a project, create a repo, create a new pipeline, set up Azure Key Vault access policies and run and review the pipeline.

    Notify of

    Inline Feedbacks
    View all comments
    Would love your thoughts, please comment.x