2

I'm using the AzureKeyVault task to retrieve a secret from the Key Vault. The name of the secret is StorageAccountKey. This name is stored in the variable KeyName. I do it like this:

- task: AzureKeyVault@1
  displayName: 'Get key'
  name: GetKey
  inputs:
    azureSubscription: '${{ parameters.azureSubscription }}'
    KeyVaultName: '$(KeyVaultName)'
    SecretsFilter: '$(KeyName)'

Now, in a subsequent task, I would like to access the secret. How would I do that, given that the name of the secret is itself stored in a variable? The following seems not to work

- task: Bash@3
  displayName: Create container
  inputs:
    targetType: 'inline'
    script: |
      az storage container create \
          --name raw \
          --account-name storageaccountname \
          --account-key $($(dataLakeAccountKeyKeyName))
    failOnStderr: true

I'm getting the error

/mnt/azp/azp-linux1_5/_temp/6719378a-b3ee-45d8-aad8-4f6a5e8b581e.sh: line 1: StorageAccountKey: command not found
ERROR: az storage container create: error: argument --account-key: expected one argument

So, it does seem to resolve the inner variable but still fails.

Konstantin
Hi friend, any update on this issue? Please check if **Kontekst**'s answer helps to resolve your issue. As far as I know, whether you use the Azure Key Vault task or the Variable Group way, you can then use `$(SecretName)` to get the value after them. Let me know if the issue persists :) – LoLance Jan 01 '20 at 10:02

2 Answers

3

I also struggled to get this done and this has worked for me:

steps:
  - task: AzureKeyVault@1
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      KeyVaultName: ${{ parameters.azureKeyVaultName }}
      SecretsFilter: '*'
      RunAsPreJob: true

  - bash: |
      #I can now use ${GCP_CREDS}
    displayName: GCP auth
    env:
      GCP_CREDS: $(${{ parameters.azureKeyVaultCredentailsKey }})

0

Try using:

--account-key $(StorageAccountKey)

From the "Azure Key Vault task" documentation:

"Values are retrieved as strings. For example, if there is a secret named connectionString, a task variable connectionString is created with the latest value of the respective secret fetched from Azure key vault. This variable is then available in subsequent tasks."

So if you access a secret named "StorageAccountKey" in Azure Key Vault, then Azure DevOps creates a variable called "StorageAccountKey" from it.

abatishchev
Kontekst
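
An added example, not taken from either poster, that combines the two answers: the error in the question shows `$($(dataLakeAccountKeyKeyName))` reaching bash as `$(StorageAccountKey)`, which bash runs as a command substitution, so here the secret's name is a compile-time template parameter and the value is handed to `az` through the `AZURE_STORAGE_KEY` environment variable instead of the command line. The parameter names `keyVaultName` and `keyName` are assumptions; the container and account names are the question's.

```yaml
parameters:
  - name: azureSubscription
    type: string
  - name: keyVaultName          # assumed parameter name
    type: string
  - name: keyName               # assumed parameter holding the secret's name
    type: string
    default: StorageAccountKey

steps:
  - task: AzureKeyVault@1
    displayName: 'Get key'
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      KeyVaultName: ${{ parameters.keyVaultName }}
      # Fetch only the secret this job needs rather than '*'.
      SecretsFilter: ${{ parameters.keyName }}

  - task: Bash@3
    displayName: Create container
    inputs:
      targetType: 'inline'
      script: |
        # No --account-key argument: the Azure CLI reads the key from
        # AZURE_STORAGE_KEY, so the secret is never part of the script
        # text or of the process command line.
        az storage container create \
            --name raw \
            --account-name storageaccountname
      failOnStderr: true
    env:
      # Template expressions are resolved when the pipeline is compiled,
      # so this line becomes $(StorageAccountKey) before the run starts.
      # The runtime macro then substitutes the secret's value. Secret
      # variables are not exported to scripts automatically, so the
      # explicit env mapping is required.
      AZURE_STORAGE_KEY: $(${{ parameters.keyName }})
```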