
I am trying to retrieve a password from a Key Vault secret into a variable in an Azure CLI task, but it is not populating any value. Please find the YAML task below:

    - task: AzureCLI@2
      displayName: Retrieve and store key vault secret
      inputs:
        azureSubscription: 'azureSubscription'
        scriptType: pscore
        scriptLocation: inlineScript
        inlineScript: |
          $secret=$(az keyvault secret show --name "passwordSecret" --vault-name "passwordKeyVault")

If I use $(secret) anywhere, it gives me the value as $(secret) only and not the password. Is this the right way to do this? Can someone please guide me through this?

avocadoLambda

3 Answers

This is because you are not setting the pipeline variable and are just setting your script's variable. To set/update a variable in an ADO pipeline, you can add the command below:

    Write-Host "##vso[task.setvariable variable=testvar;issecret=true]testvalue"

Check out "How to read and set DevOps Pipeline variables using Azure PowerShell?" and "Use output from AzureCLI@2 as variable in Azure DevOps Pipeline" for more information.

Harshita Singh

You need to map it to Azure Pipelines variables, and for that purpose you should use a logging command.

Since you fetched your value from Key Vault, I would recommend treating it as a secret in Azure Pipelines as well. So you need to use this syntax:

    Write-Host "##vso[task.setvariable variable=secretSauce;issecret=true]$secret"

Where secretSauce is the name of the Azure Pipelines variable you will create.

This causes *** to be shown anywhere in the logs where your secret would normally appear.

However, secrets are not mapped automatically to env variables, and you need to use env mapping if you need that value accessible via env variables.

Krzysztof Madej
  • I tried this. I am using a deployment task to deploy a few resources like Azure SQL server and SQL DB via an ARM template. So in this deployment task I am trying to override the parameter used for sqlAdminPassword like: `overrideParameters: > -sqlAdminPassword $(secretSauce)` but this is giving me the value as $(secretSauce) only and not the actual value inside the variable secretSauce. Also, all other parameters are getting overridden correctly. Am I doing anything wrong here? – Erlich Lleo Sep 01 '21 at 04:26

The issue got fixed. The Key Vault was getting deployed at the same time with the common ARM template, resulting in "no current version available" in the secret. Hence, $secret was not able to fetch any value. I created a separate deployment task for the Key Vault and it worked. Thanks all for your responses.
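
The answers above combined into one pipeline fragment, as an added example that is not code from any of the posters: the first step reads only the secret's value, fails fast when Key Vault returns nothing (the failure described in the last answer), and publishes it as a masked pipeline variable; the second step consumes it through an explicit env mapping. The second step and the `SQL_ADMIN_PASSWORD` name are assumptions made for illustration; the other names come from the question and answers.

```yaml
steps:
- task: AzureCLI@2
  displayName: Retrieve and store key vault secret
  inputs:
    azureSubscription: 'azureSubscription'
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
      # Ask only for the secret's value; without --query the CLI returns
      # the whole secret object as JSON.
      $secret = az keyvault secret show --name "passwordSecret" --vault-name "passwordKeyVault" --query value -o tsv

      # Fail the step if the vault or secret is not ready (for example when
      # the secret has no current version), so nothing downstream runs with
      # an empty password.
      if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($secret)) {
        Write-Host "##vso[task.logissue type=error]Key Vault returned no value for passwordSecret"
        exit 1
      }

      # Publish as a secret pipeline variable; the value is masked as *** in logs.
      Write-Host "##vso[task.setvariable variable=secretSauce;issecret=true]$secret"

# A variable set with the logging command is available from the next step
# onwards, not inside the step that sets it.
- pwsh: |
    # Illustrative consumer (assumption): the secret arrives through the env
    # mapping below, because secret variables are not exported automatically.
    if ([string]::IsNullOrEmpty($env:SQL_ADMIN_PASSWORD)) {
      throw "SQL_ADMIN_PASSWORD was not mapped"
    }
    Write-Host "Secret is available to this step."
  displayName: Use the secret
  env:
    SQL_ADMIN_PASSWORD: $(secretSauce)
```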