Azure Key Vault is a powerful service provided by Microsoft Azure that allows you to securely store and manage sensitive information such as API keys, passwords, and connection strings. Azure Pipelines, on the other hand, is a versatile CD platform offered by Azure. By integrating Azure Key Vault secrets into Azure Release Pipelines, you can enhance the security of your CD processes and ensure that sensitive information is protected.

In this blog post, we will guide you through the process of leveraging Azure Key Vault secrets in Azure Release Pipelines, enabling you to securely retrieve and use them in your CD workflows.

Prerequisites

1. Azure Subscription.
2. Azure DevOps Organization

Setting up Azure Key Vault

Create an Azure Key Vault in the Azure Portal

a. From azure portal in search Box type Key Vault

b. On the Key Vault Section Click on Create.

c. Now, create a Key Vault Resource by filling all required fields.
d. After complete creation process click on Key vault resource which one create recently and it’s look like as below screenshot

Add a secret in the key vault

a. Add Secret in the key vault
b. Click on the Secrets option in the left side menu panel

c. Click on the Generate button at top left to generate new secret and provide necessary information.

Create Azure Service Connection in DevOps

Setting up Service Connection in Azure Pipeline

a. Open the DevOps Organization in which you want to grab secrets.
b. Now open Project Settings > Pipelines > Service Connections.

c. Click on New service connection at top right side of page
d. Select Azure Resource Manager > Next

e. Provide the following parameters and create connections.

• Subscription
• Resource Group
• Connection Name

Linking Service Connection to the key vault (give security Permission)

a. Open the Azure Portal and move towards your Key Vault
b. In the left menu, click on Access Policies

c. click on Create to create Access Policy
d. In Configuration from template select Secret Management
e. Grant Permission for Get & List from Permission section click next button

f. Now select Application for your Azure DevOps Subscription and complete process.
g. Retrieve key vault value in Azure Release Pipeline Variable (see the next section)

Retrieve key vault value in Azure Release Pipeline Variable

Create a Variable Group In Library and Add Variables from Key Vault.

a. Go to the project in DevOps > Pipelines > Library

b. Create Variable Group

• Provide Variable Group Name & description
• Turn on Radio button of “Link secrets from an Azure key vault as variable” (bubble point 1 in below image)

c. Provide necessary information about Azure Subscription & Key Vault Name

d. Click on Add at bottom to add secrets as variables (bubble point 2 in the above image).
e. Now you can use this variable in your release pipeline to replace value in config or appsetting file during deployment.