DEV Community

Cover image for Fetch secrets with no access to key vault using Devops pipelines
Arindam Mitra
Arindam Mitra

Posted on • Updated on

Fetch secrets with no access to key vault using Devops pipelines

#azure #devops #powershell #iac

Greetings my fellow Technology Advocates and Specialists.

USECASE INTRODUCTION:-

Azure Key Vault is Protected by "Access Policies" and "Firewall and Virtual Networks". An Azure Cloud Engineer Cannot Fetch Secrets because of one of the condition or both (Depending upon the Scenerio).

PROBLEM STATEMENTS:-
  1. User Account of Cloud Engineer is not part of Key Vault Access Policy. Hence Secrets cannot be viewed from Azure Portal.
  2. Key Vault is Protected by Organization's Public NAT IPs. Secrets cannot be viewed from Azure Portal unless Cloud Engineer is working from inside Organization Network.
  3. Key Vault is Protected by Azure Virtual Network. Secrets cannot be viewed from Azure Portal unless inside Azure Virtual Network.
QUESTION TIME:-

How will the Cloud Engineer Fetch Secrets ?

LIVE RECORDED SESSION:-
LIVE DEMO was Recorded as part of my Presentation in WELSH AZURE GROUP Forum/Platform
Duration of My Demo = 32 Mins 38 Secs
Start and End Time = 00:39:22 to 01:12:00

REQUIREMENTS:-
  1. Azure Key Vault
  2. Three Sample Secrets in Azure Key Vault
  3. Azure Resource Manager Service Connection
  4. Azure DevOps Pipeline (YAML)
NOTE:-

The Service Principal (which is required to Create Service Connection) should at minimum have GET and LIST Access Policy Permissions in Azure Key Vault.

BELOW DISPLAYS THE SAMPLE SECRETS IN KEY VAULT:-
Image description
WHAT DOES THE PIPELINE DO:-
# PIPELINE TASKS
1. AZURE KEY VAULT TASKS
2. FETCH ALL SECRETS AND STORE IT IN A TEXT FILE
3. COPY THE SECRETS TEXT FILE TO ARTIFACTS STAGING DIRECTORY
4. PUBLISH THE ARTIFACTS
CODE REPOSITORY:-

GitHub logo arindam0310018 / 14-Apr-2022-DevOps__Fetch-Secrets-With-No-Access-To-KeyVault

FETCH SECRETS WITH NO ACCESS TO KEY VAULT USING DEVOPS PIPELINES

FETCH SECRETS WITH NO ACCESS TO KEY VAULT USING DEVOPS PIPELINES

Greetings my fellow Technology Advocates and Specialists.

USECASE INTRODUCTION:-
Azure Key Vault is Protected by "Access Policies" and "Firewall and Virtual Networks". An Azure Cloud Engineer Cannot Fetch Secrets because of one of the condition or both (Depending upon the Scenerio).
PROBLEM STATEMENTS:-
  1. User Account of Cloud Engineer is not part of Key Vault Access Policy. Hence Secrets cannot be viewed from Azure Portal.
  2. Key Vault is Protected by Organization's Public NAT IPs. Secrets cannot be viewed from Azure Portal unless Cloud Engineer is working from inside Organization Network.
  3. Key Vault is Protected by Azure Virtual Network. Secrets cannot be viewed from Azure Portal unless inside Azure Virtual Network.
QUESTION TIME:-
How will the Cloud Engineer Fetch Secrets ?
LIVE RECORDED SESSION:-
LIVE DEMO was Recorded as part of my Presentation in WELSH AZURE GROUP
View on GitHub
Below follows the contents of the YAML File (Azure DevOps):- 
trigger:
  none

######################
#DECLARE VARIABLES:-
######################
variables:
  ServiceConnection: amcloud-cicd-service-connection
  KVName: ampockv
  Artifact: AM

#########################
# Declare Build Agents:-
#########################
pool:
  vmImage: windows-latest

###################
# Declare Stages:-
###################
stages:

- stage: USECASE_DISPLAY_ALL_SECRETS_AND_VALUES
  jobs:
  - job: DISPLAY_SECRETS_AND_VALUES
    displayName: DISPLAY SECRETS AND VALUES
    steps:

########################################################################
# Azure Key Vault Task.
# Display the name of Key Vault.
# Display the No. of Secrets found in Key Vault.
# Display the No. of enabled and unexpired Secrets found in Key Vault.
# Downloads values of Each Secret in Key Vault.
########################################################################

    - task: AzureKeyVault@2
      displayName: AZ KEYVAULT TASK
      inputs:
        azureSubscription: '$(ServiceConnection)'
        KeyVaultName: '$(KVName)'
        SecretsFilter: '*'
        RunAsPreJob: false

#######################################################
# Integers can be compared with these operators:
#   -eq # Equal
#   -ne # Not equal
#   -lt # Less than
#   -le # Less than or equal
#   -gt # Greater than
#   -ge # Greater than or equal
#######################################################

###############################################################
# Copy the Secrets text file to Artifacts Staging Directory:-
###############################################################

    - task: AzureCLI@2
      displayName: FETCH ALL SECRETS
      inputs:
        azureSubscription: '$(ServiceConnection)'
        scriptType: ps
        scriptLocation: inlineScript
        inlineScript: |
          az --version
          az account show
          $count = az keyvault secret list --vault-name $(KVName) --query "[] | length(@)"
          For ($i=0; $i -lt $count; $i++) {
          $secretname = az keyvault secret list --vault-name $(KVName) --query [$i].name -o tsv
          $secretvalue = az keyvault secret show --vault-name $(KVName) --name $secretname --query value -o tsv
          echo ($secretname + ':' + $secretvalue) >> Secrets.txt
          }
###############################################################
# Copy the Secrets text file to Artifacts Staging Directory:-
###############################################################

    - task: CopyFiles@2
      displayName: COPY TO ARTIFACTS STAGING DIRECTORY
      inputs:
        Contents: Secrets.txt
        targetFolder: '$(Build.ArtifactStagingDirectory)'

###########################
# Publish the Artifacts:-
###########################

    - task: PublishBuildArtifacts@1
      displayName: PUBLISH ARTIFACTS
      inputs:
        PathtoPublish: '$(Build.ArtifactStagingDirectory)'
        ArtifactName: '$(Artifact)'
        publishLocation: 'Container'
Enter fullscreen mode Exit fullscreen mode
Values of the VARIABLES incase if you wish to change:- 
######################
#DECLARE VARIABLES:-
######################
variables:
  ServiceConnection: amcloud-cicd-service-connection
  KVName: ampockv
  Artifact: AM
Enter fullscreen mode Exit fullscreen mode
Change the Agent Pool from MICROSOFT HOSTED BUILD AGENT to SELF HOSTED BUILD AGENT otherwise, below error is encountered:-
Image description
PIPELINE RESULTS:-
Image description
SECRETS TEXT FILE PUBLISHED IN ARTIFACTS:-
Image description
Image description
DOWNLOAD AND VIEW THE SECRETS TEXT FILE:-
Image description
The Output Format in Secrets Text file is [NAME OF THE SECRET]:[VALUE OF THE SECRET]

Top comments (0)

Read next

grzegorzgrzegorz profile image

Mocking with Groovy

grzegorzgrzegorz -

himora22 profile image

Creating a Linux Virtual Machine in Azure

Seun Okegbola -

thomastaylor profile image

Applying event filters to AWS Lambda Functions with the AWS CDK

Thomas Taylor -

oatula profile image

Docker

Atul Anand Oraon -