tarun bhatt

Summary

This article outlines the process of managing Azure Key Vault secrets and certificates using Azure DevOps pipelines, emphasizing the handling of application-specific entities through deployment pipelines rather than Terraform.

Abstract

The article follows up on a previous discussion about Infrastructure as Code (IaC) and best practices, using Azure Key Vault as a case study. It details the steps for setting up an Azure Service Connection, creating a variable group to store sensitive information securely, and importing certificates into Azure Key Vault through Azure DevOps. The author advocates for managing secrets and certificates within the application deployment pipeline, using Azure DevOps over Terraform for this purpose due to the dynamic and application-specific nature of secrets. The process includes uploading a certificate as a secure file, adding a password to the variables, and using Azure CLI tasks within a YAML pipeline to import the certificate and add secrets to the Key Vault, with a final example of the YAML pipeline configuration.

Opinions

  • The author prefers using Azure DevOps for managing Key Vault secrets and certificates over Terraform, suggesting that application deployment pipelines are better suited for handling such application-specific entities.
  • There is an acknowledgment that exceptions to this approach exist, which will be covered in a separate article.
  • The author emphasizes the importance of using the correct Service Principal Name (SPN) with the necessary permissions to avoid pipeline execution failures.
  • Secure handling of sensitive information, such as passwords, is highlighted by the use of variable groups and secure files in Azure DevOps.
  • The author suggests that the practice of avoiding hard-coded values in the pipeline by using variable groups contributes to better security and maintainability.

Azure Key Vault — Creation and Management using Terraform and Azure DevOps — 2 of 2

In my previous article, I discussed IaC and some of the best practices around it. I used Azure Key Vault as an example to demonstrate my point. We saw various features of Terraform to create a key vault and grant RBAC (role-based access control) access to an Azure SPN (service principal name).

In this article, we will discuss managing key vault secrets and certificates. I prefer using Azure DevOps instead of Terraform to manage secrets and certificates. Secrets and certificates are application-specific entities, and the application deployment pipeline should handle them instead.

There are some exceptions to this approach though, and I will cover those in a different article.

Create Service Connection

The first step is to configure the Azure connection so that the Azure DevOps pipeline can run commands against Azure resources.

  1. Navigate to your Azure DevOps project and click on the settings icon on the bottom left corner of the page. Click on “Pipelines -> Service connections.”
  2. Click on the “New Service Connection” button in the top right-hand corner and choose “Azure Resource Manager.”
  3. In the previous article, we granted four different roles to some SPNs to perform actions on the key vault. We need to use one of those SPNs to configure the service connection. If we use another SPN that does not have permission to perform actions on the key vault, the pipeline execution will fail.
  4. Let’s name this connection: ‘azure-service-connection’.

Create variable group

A variable group is a container to store key-value pairs. It helps us avoid hard coding values in our pipeline.

  • Click on Pipelines -> Library on the left-hand menu of the DevOps project.
  • Click on ‘+ Variable Group’ to create a new group for our pipeline.
  • Give a name to the variable group (azure_key_vault_variable_group)

I will be creating two variables within this variable group:

  1. pfxpassword — Password to import a PFX into the Azure Key Vault
  2. test-secret — Another secret with some dummy value.

Make sure to click on the lock icon beside the value. It will replace the value with dots so no one can read it.

Import certificates into the Azure Key Vault

Upload the certificate as a secure file.

To work on this article, I have created a test PFX using the New-SelfSignedCertificate cmdlet. Once created, we will upload the PFX file as a secure file in our DevOps project.

  • Click on Pipelines -> Library on the left-hand menu of the Azure DevOps project.
  • Click on the Secure files tab and upload the PFX file.

Add password in variables

Since it’s a PFX, I will need the password (pfxpassword) to import the certificate into the Key Vault. Earlier, I stored this value in a variable group (azure_key_vault_variable_group).

We will then add this variable group to our pipeline as shown below:

variables:
- group: 'azure_key_vault_variable_group'

task: DownloadSecureFile@1

Next, we will use the DownloadSecureFile task in our YAML file to download the PFX file. The task downloads the PFX file onto the DevOps agent.

- task: DownloadSecureFile@1
  name: pfx_certificate
  inputs:
    secureFile: 'pfx-certifcate.pfx'

We will use the name (pfx_certificate) in future tasks to refer to this file.

task: AzureCLI@2

The last step will be to use the Azure CLI to import the PFX file into the Azure Key Vault.

  • azureSubscription — This field holds the name of the service connection created earlier in this article.
  • To reference the PFX file, we refer to the name of the download task, i.e. $(pfx_certificate.secureFilePath)
  • Read the password for importing the PFX file from the variable group azure_key_vault_variable_group by using the syntax $(pfxpassword)

- task: AzureCLI@2
  inputs:
    azureSubscription: 'azure-service-connection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # Key Vault object names may contain only letters, digits and dashes,
      # so the certificate is stored as pfx-certificate (not pfx_certificate).
      az keyvault certificate import --file "$(pfx_certificate.secureFilePath)" --name "pfx-certificate" --vault-name "azure-keyvault" --password "$(pfxpassword)"

Add Secret into the Azure Key Vault

I will use another Azure CLI task to save a secret within the key vault.

- task: AzureCLI@2
  inputs:
    azureSubscription: 'azure-service-connection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # The value comes from the locked test-secret variable in the variable group;
      # --expires sets the secret's expiry attribute in Key Vault.
      az keyvault secret set --vault-name "azure-keyvault" --name "test-secret" --value "$(test-secret)" --expires "2023-12-01T07:28:38Z"

Final Version
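The complete pipeline below is my own assembly of the fragments shown in this article, not the author's final file. It assumes a `main` trigger branch and an `ubuntu-latest` hosted agent; the vault name, service connection, secure file and variable names are the ones used above. One change from the fragments: the two secrets are passed to the scripts through `env:` mappings instead of being expanded with macro syntax inside the inline script, so the secret values never become part of the script text written to the agent.

```yaml
trigger:
- main

pool:
  vmImage: ubuntu-latest

variables:
- group: azure_key_vault_variable_group   # holds pfxpassword and test-secret (both locked)

steps:
- task: DownloadSecureFile@1
  name: pfx_certificate                    # referenced below as $(pfx_certificate.secureFilePath)
  inputs:
    secureFile: 'pfx-certifcate.pfx'       # secure file name as uploaded in Pipelines -> Library

- task: AzureCLI@2
  displayName: Import PFX into Key Vault
  inputs:
    azureSubscription: 'azure-service-connection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      set -euo pipefail
      # Key Vault object names allow only letters, digits and dashes,
      # so the certificate is stored as pfx-certificate rather than pfx_certificate.
      az keyvault certificate import \
        --vault-name "azure-keyvault" \
        --name "pfx-certificate" \
        --file "$(pfx_certificate.secureFilePath)" \
        --password "$PFX_PASSWORD"
  env:
    PFX_PASSWORD: $(pfxpassword)           # secret mapped to an env var, not expanded into the script

- task: AzureCLI@2
  displayName: Set test-secret in Key Vault
  inputs:
    azureSubscription: 'azure-service-connection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      set -euo pipefail
      az keyvault secret set \
        --vault-name "azure-keyvault" \
        --name "test-secret" \
        --value "$TEST_SECRET" \
        --expires "2023-12-01T07:28:38Z"
  env:
    TEST_SECRET: $(test-secret)            # same pattern for the secret value
```

Azure DevOps masks locked variable-group values in the job log, but only the SPN behind `azure-service-connection` needs rights on the vault; the agent itself holds the PFX only for the duration of the job.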
