
As the title suggests, the values for clientId and clientSecret that get populated in the AddAzureKeyVault method below only work when I put the clientId and clientSecret in plain text in the VSTS Variables section. It doesn't work if I use a Variable Group that pulls those values from key vault, or if I set the values as secrets in the normal Variables section. It says those values are null if they are not in plain text.

    using System;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.Configuration.AzureKeyVault;

    // Configuration sources: appsettings.json first, then process environment variables on top.
    var builder = new ConfigurationBuilder()
        .AddJsonFile("appsettings.json", optional: false, reloadOnChange: false)
        .AddEnvironmentVariables();

    var configuration = builder.Build();

    // Service principal credentials are read straight from the process environment;
    // the connection string handed to the token provider carries the app key itself.
    var azureServiceTokenProvider = new AzureServiceTokenProvider($"RunAs=App;AppId={Environment.GetEnvironmentVariable("clientId")};TenantId={Environment.GetEnvironmentVariable("tenantId")};AppKey={Environment.GetEnvironmentVariable("clientSecret")}");
    KeyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

    // Key Vault secrets become configuration values; clientId and clientSecret must be non-null here.
    builder.AddAzureKeyVault(Environment.GetEnvironmentVariable("keyVaultUri"),
        Environment.GetEnvironmentVariable("clientId"),
        Environment.GetEnvironmentVariable("clientSecret"),
        new DefaultKeyVaultSecretManager());

This is not secure as I do not want the clientId and clientSecret values in plain text. Any help here?

EDIT: I am using the above code in a .NET Core VSTS task (dotnet run). I am not passing any arguments in the task either. Am I supposed to be?

EDIT 2: I may have found my own answer here. But does that mean I need to have my Main method expecting arguments to be passed? Like clientId and clientSecret in the Arguments section of the .NET Core VSTS task?

EDIT 3: I tried doing ##[debug]arguments=##vso[task.setvariable variable=clientId]$(clientId) ##vso[task.setvariable variable=clientSecret]$(clientSecret) and -clientId $(clientId) -clientSecret $(clientSecret) in the Arguments section of the .NET Core VSTS task and it still resolves clientId and clientSecret to null...

TyngeOfTheGinge
  • Did you apply those scripts in a function app or logic app to work with Azure DevOps? You said you pass the keys to this script via a variable group, etc. Just confused about your integration approach here. – Mengdi Liang Mar 05 '20 at 07:13
  • Have you tried using the Azure Key Vault task to manually retrieve the keys and set them against a pipeline variable? Check out [this guide](https://azuredevopslabs.com/labs/vstsextend/azurekeyvault/) and the [task definition](https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops); also make sure the Azure service connection has at least Get and List permissions on the vault, as per the second link. – Matt Stannett Mar 05 '20 at 09:13
  • @MerlinLiang-MSFT - In my AddAzureKeyVault method I am using IConfiguration to get them as environment variables. So I was assuming that the Variables section (secrets or otherwise) would be the environment variables that the piece of code above would use? – TyngeOfTheGinge Mar 05 '20 at 16:51
  • @MattStannett - I have not tried that yet. Although, the Variable Group I am using has the "Link secrets from an Azure Key Vault as variables" turned on. And the Service Connection that it uses has full access to Key Vault. The task that is trying to use clientId and clientSecret is a .NET Core run task in VSTS. I even tried using a PowerShell script to manually set the clientId and clientSecret environment variables to point to the secrets from key vault, with no luck. – TyngeOfTheGinge Mar 05 '20 at 16:57
  • @MattStannett I just tried using Azure Key Vault task and that did not work, it still resulted in clientId and clientSecret being null. – TyngeOfTheGinge Mar 05 '20 at 18:20
  • Edits added above. – TyngeOfTheGinge Mar 05 '20 at 20:37
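The question's code reads the service principal settings with Environment.GetEnvironmentVariable, which only sees what the agent actually exports into the process. Two documented pipeline behaviours matter here: variables the agent does export are upper-cased (clientId becomes CLIENTID, which Environment.GetEnvironmentVariable will not find on a case-sensitive Linux agent), and secret variables are not exported as environment variables at all unless the task maps them explicitly (in YAML through the task's env: section, e.g. `env: { clientSecret: $(clientSecret) }`). The following is an added example, not code from the question or from Microsoft: it loads the same keys through IConfiguration, which matches keys case-insensitively, accepts them either from the environment or from single-dash arguments in the task's Arguments box, and reports only the names of anything missing so the check is safe to log. The class and method names are assumptions; the NuGet packages assumed are Microsoft.Extensions.Configuration, Microsoft.Extensions.Configuration.EnvironmentVariables and Microsoft.Extensions.Configuration.CommandLine.

```csharp
// Added example (not part of the original question).
// Assumed packages: Microsoft.Extensions.Configuration,
// Microsoft.Extensions.Configuration.EnvironmentVariables,
// Microsoft.Extensions.Configuration.CommandLine.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

public static class PipelineSettings
{
    // Keys the application needs before it can talk to Key Vault
    // (names taken from the question).
    public static readonly string[] RequiredKeys =
        { "clientId", "clientSecret", "tenantId", "keyVaultUri" };

    // Switch mappings let "-clientId value" (as typed into the task's Arguments
    // box) populate the configuration key "clientId".
    private static readonly Dictionary<string, string> SwitchMappings =
        RequiredKeys.ToDictionary(k => "-" + k, k => k, StringComparer.OrdinalIgnoreCase);

    public static IConfiguration Load(string[] args)
    {
        return new ConfigurationBuilder()
            // IConfiguration keys are case-insensitive, so the upper-cased names the
            // agent exports (CLIENTID, TENANTID, ...) still resolve as "clientId" etc.
            .AddEnvironmentVariables()
            // Explicit command-line arguments override the environment.
            .AddCommandLine(args, SwitchMappings)
            .Build();
    }

    // Returns the names of required keys that are absent or empty.
    // Only names are returned, never values, so the result is safe to log.
    public static IReadOnlyList<string> MissingKeys(IConfiguration configuration)
    {
        return RequiredKeys
            .Where(k => string.IsNullOrWhiteSpace(configuration[k]))
            .ToList();
    }

    public static int Main(string[] args)
    {
        var configuration = Load(args);
        var missing = MissingKeys(configuration);
        if (missing.Count > 0)
        {
            Console.Error.WriteLine(
                "Missing configuration: " + string.Join(", ", missing) +
                ". Secret pipeline variables are not exported as environment variables " +
                "unless the task maps them explicitly.");
            return 1;
        }

        Console.WriteLine("All required settings are present (values intentionally not shown).");
        return 0;
    }
}
```

When the task runs the app through dotnet run, the application's own arguments go after a `--` separator (dotnet run -- -clientId $(clientId) ...). Passing the secret on the command line does make it visible to anything that can list processes on the agent, so mapping it into the task's environment is the better of the two routes, and a service connection or managed identity that removes the client secret from the pipeline altogether is better still.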

0 Answers