
We have some unit tests/integration tests running on Azure build/release pipelines. There are a few tests that retrieve secrets from Key Vault, and these are failing because the code is written to fetch secrets from Key Vault using MSI and Azure app authentication features. Since pipelines are not enabled for MSI, the Key Vault calls are failing and hence the tests are also failing. What is the alternative that exists for this scenario where pipelines can access Key Vault successfully?

Note: I have already gone through articles suggesting to use variable groups and Azure Key Vault tasks, but they are not helpful in my scenario. Looking for alternatives.

Roman Patutin

1 Answer


Note: I have already gone through articles suggesting to use variable groups and Azure Key Vault tasks, but they are not helpful in my scenario. Looking for alternatives.

You can try two directions:

  1. Configure a self-hosted agent to run your pipeline in a local environment. Of course, the agent should be configured with your managed identity.

  2. According to step 5 from this blog:

    AzureServiceTokenProvider will use the developer's security context to get a token to authenticate to Key Vault. This removes the need to create a service principal, and share it with the development team. It also prevents credentials from being checked in to source code. AzureServiceTokenProvider will use Azure CLI or Active Directory Integrated Authentication to authenticate to Azure AD to get a token. That token will be used to fetch the secret from Azure Key Vault.

You can use the Azure CLI task to run your tests from the command line. Check this similar issue.

LoLance
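The Azure CLI task approach from the answer above, sketched as a pipeline definition. This is an added example, not part of the original answer. The service connection, vault and secret names are placeholders, and `dotnet test` as the test command is an assumption based on the tests using AzureServiceTokenProvider.

```yaml
# Added example. The task logs in to Azure CLI with the service connection's
# service principal, so AzureServiceTokenProvider can obtain its token through
# Azure CLI instead of MSI.
trigger: none

pool:
  vmImage: ubuntu-latest

variables:
  # Placeholders: a vault that holds test-only secrets and one secret in it.
  testVaultName: my-test-vault
  probeSecretName: probe-secret

steps:
  - task: AzureCLI@2
    displayName: Run Key Vault tests under the Azure CLI login context
    inputs:
      # Placeholder: an Azure Resource Manager service connection whose service
      # principal is granted only "get" on secrets in the test vault.
      azureSubscription: my-test-service-connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail

        # Fail early if the CLI context cannot obtain a Key Vault token.
        # Only the expiry time is printed, never the token itself.
        az account get-access-token \
          --resource https://vault.azure.net \
          --query expiresOn --output tsv

        # Confirm read access to the vault. Only the secret's id is printed,
        # so the value does not land in the build log.
        az keyvault secret show \
          --vault-name "$(testVaultName)" \
          --name "$(probeSecretName)" \
          --query id --output tsv

        # The tests run inside the same logged-in session.
        dotnet test --configuration Release
    env:
      # Tells the AppAuthentication library to use Azure CLI directly
      # rather than probing for MSI first.
      AzureServicesAuthConnectionString: "RunAs=Developer; DeveloperTool=AzureCli"
```

Point the service connection at a vault that contains test secrets only, so a compromised pipeline definition or pull request build cannot read production values.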