Access Key Vault from Azure DevOps Pipeline

When setting up deployment pipelines in Azure DevOps, sometimes you need to get secret information stored in Azure Key Vault. This article describes how to access Key Vault from your Azure DevOps Pipelines. It’s all about keeping sensitive data safe and making your deployment process smooth and reliable. Let’s dive in!

Pre-requisites:
1. Azure DevOps project and a key vault.
2. Permission to access Microsoft Entra ID applications.

What is the Azure DevOps project service principal?

To find the service principal (Entra application ID) associated with an Azure DevOps project:

1. Navigate to ‘Project Settings’ -> ‘Service connections’.

2. Open any service connection and click on the ‘Manage Service Principal’ link as shown in the image below.

3. This will open the Microsoft Entra ID application associated with the DevOps project in Azure portal.

[Image: View DevOps project Application ID]

4. Note the Application (client) ID. This is the application ID that needs to be granted access to the Azure key vault.

Grant access to Azure DevOps application ID on Azure key vault

1. Navigate to the key vault in Azure portal that you want to access in Azure DevOps project pipelines.

2. Click on ‘Access policies’ on the left side navigation list and click ‘Create’ to create a new access policy.

3. Select the required permissions for the pipeline and click ‘Next’.

4. Search for the application ID (from the previous section) and select the application.


5. Authorise the app to perform the specified permissions on the User’s or Group’s behalf.

6. ‘Review’ the steps and click ‘Create’ to grant access to the DevOps project on Azure key vault.

Access the key vault secrets in Azure DevOps YAML pipeline

Once the access is set up, you can add an Azure Key Vault task to your YAML pipeline to access key vault secrets.

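Add the Azure Key Vault task to the Azure DevOps YAML pipeline:
          - task: AzureKeyVault@1
            inputs:
              # Service connection whose service principal was granted access above
              azureSubscription: 'service-connection-name'
              KeyVaultName: 'key-vault-name'
              # Comma-separated list of the secrets to download
              SecretsFilter: 'secret1,secret2'
              # Run before the job starts so the secrets are available to every task in it
              RunAsPreJob: true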
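
The task above only downloads the secrets; a later step still has to consume them. The following pipeline is an added example, not part of the original article, showing how a script step can read one of the fetched secrets. It reuses the article's placeholder names ('service-connection-name', 'key-vault-name', 'secret1', 'secret2'); the environment variable name APP_SECRET, the pool image and the script body are assumptions made for illustration.

```yaml
# Added example: fetch two secrets and use one of them in a script step.
# APP_SECRET is a hypothetical variable name chosen for this illustration.
trigger: none

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: AzureKeyVault@1
    displayName: 'Fetch secrets from Key Vault'
    inputs:
      azureSubscription: 'service-connection-name'
      KeyVaultName: 'key-vault-name'
      # Name only the secrets this job needs rather than downloading all of them.
      SecretsFilter: 'secret1,secret2'
      RunAsPreJob: true

  - script: |
      # Read the secret from the environment; do not echo its value.
      if [ -z "$APP_SECRET" ]; then
        echo "secret1 was not loaded from Key Vault" >&2
        exit 1
      fi
      echo "secret1 is available to this step"
    displayName: 'Use secret1'
    env:
      # Secret variables are not exposed to scripts automatically;
      # each one has to be mapped explicitly to an environment variable.
      APP_SECRET: $(secret1)
```

Each fetched secret becomes a pipeline variable named after the secret, and its value is masked in the job logs.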

Pro tips:
1. Learn how to access Key Vault secrets in Azure Data Factory.


Kunal Rathi

With over a decade of experience in data engineering and analytics, I've assisted countless clients in gaining valuable insights from their data. As a dedicated supporter of Data, Cloud and DevOps, I'm excited to connect with individuals who share my passion for this field. If my work resonates with you, we can talk and collaborate.
I am always interested in new challenges so if you need consulting help, reach me at kunalrathi55@gmail.com.
