
Referencing Azure Key Vault secrets from CI/CD YAML


We have a multi-stage YAML pipeline that does CI/CD to an existing set of Azure Resources.

The stages are:

  1. Build
  2. Deploy to Development and Run Tests
  3. If Previous succeeded - Deploy to Production and Run Tests

We use the AzureRmWebAppDeployment task during the deployment stages and we use the AppSettings argument to that task to specify environment-specific settings. For example:

- task: AzureRmWebAppDeployment@4
  displayName: 'Deploy Azure App Service'
  inputs:
    azureSubscription: '$(azureSubscriptionEndpoint)'
    appType: '$(webAppKind)'
    WebAppName: 'EXISTING__AZURE_RESOURCENAME-DEV'
    Package: '$(Pipeline.Workspace)/**/*.zip'
    AppSettings: >
      -AzureAd:CallbackPath /signin-oidc
      -AzureAd:ClientId [GUID was here]
      -AzureAd:Domain [domain was here]
      -AzureAd:Instance https://login.microsoftonline.com/
      -AzureAd:TenantId [Id was here]
      -EmailServer:SMTPPassword SECRETPASSWORD
      -EmailServer:SMTPUsername SECRETUSERNAME

There are two settings in that set, EmailServer:SMTPUsername and EmailServer:SMTPPassword, that I want to pull from an Azure Key Vault. I know how to reference the KV secret from Azure Portal using the syntax

@Microsoft.KeyVault(SecretUri=https://our.vault.azure.net/secrets/SendGridPassword/ReferenceGuidHere)

but how do I reference the value from the YAML pipeline so it is set in Azure?


Solution

  • As pointed out by Thomas in this comment, Referencing Azure Key Vault secrets from CI/CD YAML

    I can explicitly set the value in the YAML file like this:

    -EmailServer:SMTPPassword @Microsoft.KeyVault(SecretUri=https://our.vault.azure.net/secrets/SendGridPassword/ReferenceGuidHere)
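
A pre-merge check for the pattern in this answer, as an added example that is not part of the original question or answer: it reads an AppSettings block and flags secret-looking settings that still hold a literal, plus Key Vault references that are malformed. The function names, the name heuristic, the one-setting-per-line layout and the public-cloud vault.azure.net suffix are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Heuristic (assumption): setting names containing these words hold secrets.
SECRET_NAME = re.compile(r"password|secret|connectionstring|apikey", re.I)
# App Service Key Vault reference in the SecretUri form shown on this page.
KV_REF = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)\s]+)\)$")

def parse_app_settings(block):
    """Split an AppSettings block into (name, value) pairs, one '-name value' per line."""
    pairs = []
    for line in block.splitlines():
        line = line.strip()
        if line.startswith("-"):
            name, _, value = line[1:].partition(" ")
            pairs.append((name, value.strip()))
    return pairs

def check_setting(name, value):
    """Return None when the setting is acceptable, otherwise a short finding."""
    match = KV_REF.match(value)
    if match is None:
        if value.startswith("@Microsoft.KeyVault"):
            return "malformed Key Vault reference"
        if SECRET_NAME.search(name):
            return "secret-looking setting holds a literal value"
        return None
    uri = urlparse(match.group("uri"))
    parts = [p for p in uri.path.split("/") if p]
    # Assumption: Azure public cloud, where vault hosts end in .vault.azure.net.
    if uri.scheme != "https" or not (uri.hostname or "").endswith(".vault.azure.net"):
        return "SecretUri is not an https vault.azure.net URL"
    if len(parts) < 2 or parts[0] != "secrets":
        return "SecretUri path is not /secrets/<name>[/<version>]"
    return None

def audit(block):
    """Map each flagged setting name to its finding; an empty dict means clean."""
    checked = ((n, check_setting(n, v)) for n, v in parse_app_settings(block))
    return {n: p for n, p in checked if p}

# Constructed samples built from the settings quoted on this page.
BEFORE = "-AzureAd:CallbackPath /signin-oidc\n-EmailServer:SMTPPassword SECRETPASSWORD"
AFTER = ("-EmailServer:SMTPPassword @Microsoft.KeyVault(SecretUri="
         "https://our.vault.azure.net/secrets/SendGridPassword/ReferenceGuidHere)")

if __name__ == "__main__":
    print(audit(BEFORE))  # flags the literal SMTP password
    print(audit(AFTER))   # no findings
```

The check only validates what is written in the pipeline file. App Service resolves the reference at runtime, which requires the web app to have a managed identity that is allowed to read secrets from the vault.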