
In our Azure environment, we are using a number of secrets, and by using the AKS CSI driver plugin we could eliminate the use of secret values in variable groups of Azure Pipelines, as AKS could connect directly to the Key Vault using the CSI driver.

But creating secrets in the Key Vault is still a manual task, and we are trying to automate secret creation using an Azure DevOps pipeline, where we don't want to expose the secret values either in a file or in locked variable group values (because we already eliminated that by using the CSI driver capability).

Is there any Azure DevOps task or extension, or any other best approach, to create the secrets in Key Vault without exposing the values?

  • The original plaintext secret has to come from *somewhere*. You've basically listed every option for storing secrets in Azure DevOps. Have you considered *generating* your secrets instead of typing them in? – Daniel Mann Jun 16 '23 at 22:26
  • You could use this https://www.sharepointdiary.com/2020/04/powershell-generate-random-password.html to generate a password and this https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-powershell#adding-a-secret-to-key-vault to push that value into Key Vault. These examples are in PowerShell, which you can run from a DevOps pipeline. – Nick.Mc Jun 19 '23 at 11:15

2 Answers

There is no best way for password generation in Azure DevOps.

The same rules apply here for generating passwords in general.

Take a look here:

```bash
password=$(cat /dev/urandom | tr -dc 'A-Za-z0-9_!@#$%^&*()\-+=' | head -c24)
```

Then just save it in the Key Vault.

What you can do is also add this line to the script:

```bash
echo "##vso[task.setvariable variable=somepassword;issecret=true]$password"
```

This line will cause `$password` to be displayed as `***` in the output.

```yaml
steps:
- script: |
    password=$(cat /dev/urandom | tr -dc 'A-Za-z0-9_!@#$%^&*()\-+=' | head -c24)
    echo "##vso[task.setvariable variable=somepassword;issecret=true]$password"
  displayName: 'Run a multi-line script'
- script: |
    echo '$(somepassword)'
  displayName: pretend to be azure cli
```

  • I am not looking for a way to generate a new password, but for an automated way to create secrets in the already existing Key Vault, without exposing them from the pipeline. It would be like a self-service approach for developers to create secrets in Key Vault. – vyshakh Jun 20 '23 at 13:15
  • All you need in addition to what I wrote is to use the Azure CLI (for instance, to create a secret): [az keyvault secret set](https://learn.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-set). The echo above protects you from exposing the secret in the pipeline logs. – Krzysztof Madej Jun 20 '23 at 14:45
  • As per my comment above, and as per @KrzysztofMadej's comment, use an API to do it in DevOps. Either PowerShell or `az cli`. – Nick.Mc Jun 21 '23 at 00:20
  • The above 2 solutions will not meet my requirement. I tried using an Azure CLI command, passing the key-value pair as a parameter input. But the initialization job of the pipeline itself shows the expanded value of the parameter. So here the question is not about how to create a secret in Key Vault automatically, but how the input value of the secret can be hidden from being exposed anywhere in the pipeline. In other words, a way to input the secret value in the Azure pipeline to create the secret in the Azure Key Vault. – vyshakh Jun 21 '23 at 18:28
  • The question is asked here as well, but with no proper solutions: https://stackoverflow.com/questions/74333855/masking-runtime-parameters-in-azure-devops-pipeline-logs – vyshakh Jun 21 '23 at 18:40
  • I gave a reply for that. If you first run the echo command which creates an Azure DevOps secret, then in the log, instead of your secret, you will see `***`. But this has to be done in a previous step. I do that in my pipelines and it works. – Krzysztof Madej Jun 21 '23 at 20:30
  • @KrzysztofMadej I guess my requirement is still not clear to you. I got your point about exposing the variable as a secret in the Azure DevOps pipeline. But my question is how a developer can input this secret value without showing its value anywhere. When I tried with a runtime parameter in the pipeline, this is captured and printed in the job log screen as below. – vyshakh Jun 22 '23 at 06:52
  • Pool: myspoke Agent: myagent Started: Yesterday at 9:23 PM Duration: 12s Job preparation parameters Parent pipeline used these runtime parameters envList : "- development" secretPairs : "- mysecretkey: mysecretvalue keyvaultname : "mykv" – vyshakh Jun 22 '23 at 06:52
  • It is not possible to provide a secret runtime parameter: check out my reply [here](https://stackoverflow.com/a/65686315/2347999) and you can upvote the feature request [here](https://developercommunity.visualstudio.com/t/secret-type-for-runtime-paramaters/1280894). How many secrets do you want to provide? Is this one per run? Or more? – Krzysztof Madej Jun 22 '23 at 12:40
  • If your `azure cli` is showing unwanted output, try `--output none` to suppress it: https://blog.jongallant.com/2018/02/azure-cli-suppress-output/ – Nick.Mc Jun 26 '23 at 07:04
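The approach from this answer and its comments, as an added bash example that is not from the original answers: generate the value inside the step, register it with `issecret=true` before anything else can print it, then push it with `az keyvault secret set --output none`. It assumes an Azure CLI task context that is already logged in when `STORE_IN_KEYVAULT=1`; `KEYVAULT_NAME` and the secret name `dbPassword` are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers). Generates a Key Vault secret
# inside an Azure Pipelines bash step so no human types it and no log line
# shows it. Assumes an Azure CLI task that is already logged in when
# STORE_IN_KEYVAULT=1; KEYVAULT_NAME and dbPassword are placeholders.

# Generate a random secret of $1 characters (default 24) from a fixed alphabet.
# tr filters /dev/urandom down to the alphabet; head stops at the wanted length.
generate_secret() {
  local len="${1:-24}"
  LC_ALL=C tr -dc 'A-Za-z0-9_!@#%^&*()+=-' < /dev/urandom | head -c "$len"
}

# Build the logging command that registers a value as a secret variable.
# Once the agent processes this line, later occurrences of the value print as ***.
setvariable_command() {
  printf '##vso[task.setvariable variable=%s;issecret=true]%s\n' "$1" "$2"
}

# Write the secret to Key Vault. --output none keeps az from echoing the secret
# object, which includes the value, back into the job log.
store_secret() {
  az keyvault secret set --vault-name "$1" --name "$2" --value "$3" --output none
}

main() {
  local secret
  secret="$(generate_secret 24)"
  # Register the value as secret FIRST so everything logged after it is masked.
  setvariable_command "dbPassword" "$secret"
  if [ "${STORE_IN_KEYVAULT:-0}" = "1" ]; then
    store_secret "${KEYVAULT_NAME:?set KEYVAULT_NAME}" "dbPassword" "$secret"
  fi
}

main "$@"
```

The agent masks only output emitted after it has processed the logging command, and runtime parameters cannot be marked secret, so the value must originate inside the step rather than from a typed parameter.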

Here is a way to populate Azure Key Vault secrets via ADO Variable Groups stored as secrets.

The gist is:

  • Set up an ADO variable group with the corresponding secrets.

  • Use PowerShell to convert the variable to a secure string and write it via the CLI to an Azure Key Vault:

    ```powershell
    # Mapped_Secret is the variable-group secret mapped into the step's environment
    $secretValue = ConvertTo-SecureString $env:Mapped_Secret -AsPlainText -Force
    # Vault and secret names come from the template parameters
    $secret = Set-AzKeyVaultSecret -VaultName ${{ parameters.keyVaultName }} -Name ${{ parameters.secretName }} -SecretValue $secretValue
    ```

There is also an example of a templated YAML task for this.