Read key vault secrets in Azure DevOps pipeline

I am using Azure DevOps yaml pipelines. My storage account and other application values are saved as secrets in a key vault. I have made a variable group by linking it to Azure key vault (a service connection to connect variable group to key vault). This way I have all the secrets saved in the key vault in my variable group.

I need to read these values in my pipeline and work with them. I can basically read them but their value is shown as *** and cannot really be evaluated. I tried reading them from the variable group in my pipeline like below:

pool: 
  vmImage: ubuntu-20.04

trigger: none


variables: 
- group: check_kv_vargroup

stages:

  - stage: Read_KV_Secrets_And_Evaluate_Values
    displayName: 'Deploy Stage in Dev env'

    jobs:

    - job: download_wheel_from_build_pipeline
      steps:

        - bash: |
            echo "WorkspaceName is:" 
            echo "$(WorkspaceName)"
            echo "sample-secret is:" 
            echo "$(sample-secret)"
          displayName: GetKVValues

        - task: PythonScript@0
          displayName: "Evaluate KV Secrets In Pipeline"
          name: "get_secret_values"
          inputs: 
            scriptSource: 'filePath'
            scriptPath: evaluate-kv-secrets.py
          env:
            SampleSecret: '$(sample-secret)'

The output of the pipeline is as below (both sample-secret and WorkspaceName are secrets saved in key vault and added to my DevOps variable group):

[Screenshot: variable values are read but are not shown]

The variables are read, but their value is not clear and therefore I cannot work with them. To make sure the value can be evaluated, I have added a task to run a python script to see if I can read this value in my python code in the pipeline. This is evaluate-kv-secrets.py, which is the second task in the pipeline above. The pipeline passes the variables to the python script, which is as below:

import os


if os.environ["sample-secret"] == 123:
    print("secret from key vault is read properly.")
else:
    print("Key vault value cannot be evaluated in the pipeline.")

Below you can see the output of python script in the pipeline:

[Screenshot: python script was not able to read key vault values]

It has not been able to read the values; that's why the "else" part has been executed. But the value is passed to the python script, otherwise it would have raised a null value error.

I found this link to read values directly in the pipeline from the key vault, and I made the pipeline below:

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'MyServiceConnectionName'    ## YOUR_SERVICE_CONNECTION_NAME
    KeyVaultName: 'rg-poc400-kv'                    ## YOUR_KEY_VAULT_NAME
    SecretsFilter: 'sample-secret'                  ## YOUR_SECRET_NAME. Default value: *
    RunAsPreJob: true                                    

- bash: |
    echo "sample-secret is:" 
    echo "$(sample-secret)"
  displayName: GetKVValues

- task: PythonScript@0
  displayName: "Evaluate KV Secrets In Pipeline"
  name: "get_secret_values"
  inputs: 
    scriptSource: 'filePath'
    scriptPath: evaluate-kv-secrets.py
  env:
    SampleSecret: '$(sample-secret)'

The AzureKeyVault@1 task doesn't show the value in plain text, as shown below:

[Screenshot: AzureKeyVault doesn't show the value in plain text.]

Both ways are reading the values, but they are not shown in plain text, and consequently the python script cannot evaluate the passed values.

So the question is: how can we read secret values from the key vault in the pipeline in a way that we can evaluate their values to work with, or have them shown in plain text? I understand that they are secrets, but I expect that when I fetch them I would at least be able to evaluate their values, like in if statements. And when I am using the service connection to connect, I am already someone authorized to read the values. I also know that if I make a variable group and leave those values as plain text, I can have access to them, but that is not my question. I want to have all these values saved in the key vault. It would be too much effort to have them saved once in the key vault and once in a variable group and keep them synced. Thank you.



Solution 1:[1]

@e-erfan - It's normal for Azure DevOps to print the masked value of a secret. It's good security best practice, as you don't want credentials to hang around in logs.

There should be no issue using the secret you have retrieved from Azure Key Vault. Just use the value in the next step.

As you will see, the secret passed to the docker login command succeeds because you have a valid password!

- task: AzureKeyVault@1
  name: KeyVaultSecrets
  displayName: Get Secret from Key Vault
  inputs:
    azureSubscription: 'Build Pipeline Service Connection'
    KeyVaultName: 'aspnet4you-keyvault'
    SecretsFilter: 'aspnet4you-acr'

- task: Bash@3
  name: EchoSampleSecret
  displayName: EchoSampleSecret
  inputs:
    targetType: 'inline'
    script: |
      # Write your commands here
      echo 'Hello world'
      echo "sample-secret is:" $(aspnet4you-acr)

- script: docker login -u $(dockerId) -p $(aspnet4you-acr) $(dockerId).azurecr.io
  displayName: login to Azure Container Registry (ACR)
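To make the answer's point concrete for the question's Python step, here is an added example; it is not the asker's script or the answerer's pipeline. It assumes the question's `env:` mapping (`SampleSecret: '$(sample-secret)'`) and the expected value `123`: it reads the variable under the name the pipeline actually maps it to, compares it as a string (environment values are always strings, so `== 123` can never be true), and reports the outcome without echoing the secret.

```python
import hmac
import os

# Name of the environment variable as mapped in the pipeline's `env:` block.
# Secret variables are not exposed to scripts automatically; the pipeline maps
# `$(sample-secret)` to `SampleSecret`, so that is the key to look up.
ENV_NAME = "SampleSecret"


def read_secret(env=None, name=ENV_NAME):
    """Return the mapped secret, or None if the pipeline did not map it."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        return None
    return value


def secret_matches(expected, env=None, name=ENV_NAME):
    """Compare the secret with an expected value as strings, in constant time.

    `expected` may be given as int or str; it is normalised to str because
    environment values are always str.
    """
    value = read_secret(env, name)
    if value is None:
        return False
    return hmac.compare_digest(value.encode(), str(expected).encode())


def evaluate(env=None):
    """Report the outcome without ever printing the secret itself."""
    if read_secret(env) is None:
        return "secret not mapped: check the env: block in the pipeline"
    if secret_matches("123", env):
        return "secret from key vault is read properly."
    return "secret present but does not equal the expected value."


if __name__ == "__main__":
    # In the pipeline the value comes from the real environment; the log
    # only ever sees the verdict, never the secret.
    print(evaluate())
```

The same idea applies to the answer's docker login step: feeding the secret through `--password-stdin` instead of `-p` keeps it out of the process listing and shell history, while the masked `***` in the log stays as it is.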

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution source: Solution 1 by Ryan M