How to use secret values in Azure Pipelines?
In Azure Pipelines you sometimes need sensitive values that must not appear as plain text. Azure Pipelines provides a way to handle secrets and passwords, and there are two ways to achieve this.
Methods to use secret values
- Azure pipeline secret variable
- Azure KeyVault
Let’s see both of them.
a. Using an Azure Pipeline Secret Variable
To use this method we need to store the variables in a library variable group. For example, we have a library group called WebApp_Build.
Here, AppPassword is a sensitive variable; to protect it, click the lock button so its value is secured, then save the group.
After the variable group is saved, the secret's value won't be displayed even if you unlock it. To use the secret variable in a pipeline, add the variable group name under variables and reference the secret variable by name.
Let's write a pipeline that tries to display its value in the console.
trigger: none
variables:
- group: WebApp_Build
pool:
  vmImage: ubuntu-latest
steps:
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "Displaying secret variable"
      "WebApp-Password: $(AppPassword)"
As you can see, the value is not displayed; the agent masks it in the output, so the secret in your variable group is protected.
Now let's look at the other method, Azure Key Vault.
b. Using Azure Key Vault
Using a secret from Azure Key Vault is as simple as adding a variable to the library group; there are just a few prerequisites before we integrate the Key Vault into the ADO pipeline.
- First, and obviously, the values must be stored in the Key Vault as secrets.
- The Azure subscription that holds the Key Vault must be added in the service connection manager.
Once the prerequisites above are done, we need to create a new variable group for the Key Vault so the pipeline can consume it. Please note: if you link the Key Vault to an existing variable group, the existing values in that group will vanish.
To add the Key Vault to the Library, go to Library -> + Variable Group.
In the variable group:
- Variable group name: the name of the variable group.
- Enable "Link secrets from Azure key vault as variables".
- Select the Azure subscription that was added in the service connection manager from the dropdown.
- Select the Key Vault; the vaults in that subscription appear in the dropdown.
- Click the +Add button to select the secret name(s) from the Key Vault.
Here we have already selected SendGrid and saved the variable group. The secret name is the variable name we must use in the Azure Pipeline.
Now let's use this variable in an Azure Pipeline. Below is the pipeline we created to read the Key Vault value.
trigger: none
variables:
- group: SendGrind_KV
pool:
  vmImage: windows-latest
jobs:
- job: Test_Jobs
  steps:
  - checkout: none
  - task: PowerShell@2
    displayName: Get Keyvault secret
    inputs:
      targetType: 'inline'
      script: |
        Write-Host "Keyvault Secret: $(SendGrid)"
In the output, the secret isn't displayed; it is a hidden (masked) value.
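Both pipelines above expand the secret with $(...) directly inside the inline script, which writes the secret into the script text the agent runs. As an added example (not part of the original post), the pipeline below consumes the same two secrets the way Azure Pipelines documents: secrets are never exported to the environment automatically, so they are mapped explicitly with env: and read from the environment, and a value derived from a secret is registered with the setvariable logging command so the agent masks it too (masking only catches the exact secret string, not values computed from it). It assumes the WebApp_Build and SendGrind_KV groups from the post; the derived basic-auth header is a constructed illustration.

```yaml
trigger: none

variables:
- group: WebApp_Build   # secret variable AppPassword (method a)
- group: SendGrind_KV   # Key Vault-linked group exposing SendGrid (method b)

pool:
  vmImage: ubuntu-latest

steps:
- checkout: none

# Secrets are not placed in the environment on their own; map them here so the
# script reads $env:... instead of having $(...) pasted into the script body.
- task: PowerShell@2
  displayName: Use secrets via environment mapping
  env:
    APP_PASSWORD: $(AppPassword)
    SENDGRID_KEY: $(SendGrid)
  inputs:
    targetType: 'inline'
    script: |
      if ([string]::IsNullOrEmpty($env:APP_PASSWORD)) { throw "AppPassword was not mapped" }
      if ([string]::IsNullOrEmpty($env:SENDGRID_KEY)) { throw "SendGrid was not mapped" }
      # Log only lengths; the values themselves never reach the console.
      Write-Host ("AppPassword length: {0}" -f $env:APP_PASSWORD.Length)
      Write-Host ("SendGrid length:    {0}" -f $env:SENDGRID_KEY.Length)
      # Constructed example of a derived value: a basic-auth header built from the
      # secret. Its base64 form does not match the original string, so the agent
      # would not mask it unless it is registered as a secret variable.
      $raw = "webapp:" + $env:APP_PASSWORD
      $header = "Basic " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($raw))
      Write-Host "##vso[task.setvariable variable=AuthHeader;issecret=true]$header"

# A secret created with issecret=true is also not in later steps' environment by
# default; it must be mapped again before use.
- task: PowerShell@2
  displayName: Consume derived secret
  env:
    AUTH_HEADER: $(AuthHeader)
  inputs:
    targetType: 'inline'
    script: |
      $present = -not [string]::IsNullOrEmpty($env:AUTH_HEADER)
      Write-Host ("Derived header present: {0}" -f $present)
```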
Conclusion:
The two methods above show how we can protect sensitive values in Azure Pipelines from being exposed to users.