Skip to content
Branch: master
Find file Copy path
Find file Copy path
2 contributors

Users who have contributed to this file

@stephenmichaelf @davidstaheli
74 lines (45 sloc) 6.78 KB

Azure Key Vault Task


This task is used for downloading secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) from a given Azure key vault instance. This can be used to fetch the latest values of all/subset of secrets from the vault and set them as task variables which can be consumed in the following tasks. Task is node based and works with Xplat agents (Windows, Linux or OSX).

Contact Information

Please report a problem at Developer Community Forum if you are facing problems in making this task work. You can also share feedback about the task like, what more functionality should be added to the task, what other tasks you would like to have, at the same place.

Pre-requisites for the task

The following pre-requisites need to be setup for the task to work properly.

Azure Subscription

To deploy to Azure, an Azure subscription has to be linked to Team Foundation Server or to Azure Pipelines using the Services tab in the Account Administration section. Add the Azure subscription to use in the Build or Release Management definition by opening the Account Administration screen (gear icon on the top-right of the screen) and then click on the Services Tab. Create a service endpoint of 'Azure Resource Manager' type. For more troubleshooting guidance around endpoint creation, refer this.

For Azure MSDN accounts, one can either use a Service Principal or a work account. It's easy to create a work account as shown below:

  1. Create an user in the Azure Active Directory from the portal (this is the old Azure portal). After adding the account, the following two things need to be done to use the organization in Azure Pipelines:
  • Add the Active Directory account to the co-administrators in the subscription. Go to the Settings and then click on administrators and add the account as a co-admin like,
  • Login to the portal with this Active Directory account wiz., and change the password. Initially a temporary password is created and that needs to be changed at the first login.
  1. Add that user and password in the service connections in Azure Pipelines and deployments will work with that account.

Pre-existing Azure Key Vault with secrets

This task supports fetching latest values of the secrets which are already added to a pre-existing key vault instance. If there is no pre-existing Key vault, you can create a key vault in the the Azure portal or use Azure PowerShell or use Azure CLI.

To add secrets to the keyvault, use PowerShell cmdlet Set-AzureKeyVaultSecret: If the secret does not exist, this cmdlet creates it. If the secret already exists, this cmdlet creates a new version of that secret.

Or use Azure CLI : To add a secret, which is a password named SQLPassword and that has the value of Pa$$w0rd to Azure Key Vault, type the following:

az keyvault secret set --vault-name 'ContosoKeyVault' --name 'SQLPassword' --value 'Pa$$w0rd'

Parameters of the task:

The parameters of the task are described below. The parameters listed with a * are required parameters for the task:

  • Azure Subscription*: Select the service endpoint for the Azure Subscription where the Azure Key vault instance is created. To configure new service endpoint, select the Azure subscription from the list and click 'Authorize'. If your subscription is not listed or if you want to use an existing Service Principal, you can setup an Azure service connection using 'Manage' link.

Ensure the Azure endpoint has at least Get and List permissions for Secrets on the vault. You can set these permissions in the Azure portal: Open the Settings blade for the vault, choose Access policies, then Add new. In the Add access policy blade, choose Select principal and select the service principal for your client account. In the Add access policy blade, choose Secret permissions and ensure that Get and List are checked (ticked). Choose OK to save the changes.

  • Key Vault*: Select the name of the Key vault from which the secrets need to be downloaded.

  • Secrets filter*: Provide a comma separated list of secret names or use the default value * to download all secrets from the selected key vault. This can be used to fetch the latest values of all/subset of secrets from the vault and set them as task variables which can be consumed in the following tasks.

For example, if there is a secret name: connectionString, a task variable $(connectionString) is created with the latest fetched value of the respective secret from Azure key vault. And this secret variable would be available to be consumed in subsequent tasks.

If it is a certificate (example: a PFX file) that is fetched from the vault, then the task variable would contain the content of the PFX in string format. To retrieve the PFX file from the task variable, the following sample PowerShell code can be used (after passing the certificate variable as a parameter to the script):

    # Task parameters: $(PfxSecret)
    param ($pfxSecretStringValue)
    $kvSecretBytes = [System.Convert]::FromBase64String($pfxSecretStringValue)
    $certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certCollection.Import($kvSecretBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

If the certificate file needs to be stored on the hard disk then it is good practice to encrypt it with a password:

    # Get the file created
    $password = <password>
    $protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
    $pfxPath = [Environment]::GetFolderPath("Desktop") + "\MyCert.pfx"
    [System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)

More help can be found here.

You can’t perform that action at this time.