I have Mesosphere DC/OS installed on Azure cluster, running tomcat apps as services, those services are configured using JSON files holding the ports and passwords of the apps. My Manager wants to use Azure Key Vault to store the passwords and secrets of the apps, i created the vault and stored in it the secrets i need.
This is a part of my JSON values which i need to replace: (i cut only the fields with the values i want to replace from the Vault)
"APP_ACCESS_SERVICE_PASSWORD": "AppPW",
"CASSANDRA_DB_PASSWORD": "App_uat_PW",
"UAMS_ORACLE_PASSWORD": "App_uat_PW",
"PUBLISH_DB_PASSWORD": "ogw",
"App-PUBLISH_DB_PASSWORD": "App_uat1",
"EMP_DB_PASSWORD": "App_uat1",
How can i replace the passwords in my JSON with the values in the key vault ? i mean putting a URL to the password instead of the password is not an option, any Idea how can i input the values in the key vault into the JSON instead of the static values ? From Azure documentation i see that i can access the values using URL, for example: https://Contoso-Vault2.vault.azure.net/secrets/ExamplePassword but using URL instead of the value is not an option. (it won't work)
I assume you have a pipeline but here's how you could do it.
First create your secrets in your desired key vault. I have created an app using Python and the Azure sdk which lets you create multiple secrets in a key vault very easily - https://github.com/TechyTish/AzurePy/blob/main/create-azure-secrets-README.md
lets say your secrets are stored as (secretName: secretValue):
... etc
#filename: example.json
"APP_ACCESS_SERVICE_PASSWORD": "{#appAccessServicePW#}",
"CASSANDRA_DB_PASSWORD": "{#cassandraDB#}",
"UAMS_ORACLE_PASSWORD": "{#uamsOraclePW#}",
"PUBLISH_DB_PASSWORD": "{#publishDBPW#}",
"App-PUBLISH_DB_PASSWORD": "{#appPublishPW#}",
"EMP_DB_PASSWORD": "{#empDBPW#}",
Create a YAML pipeline which will have 2 tasks:
#filename: azure-pipeline.yml
# Azure Key Vault
# Download Azure Key Vault secrets
- task: AzureKeyVault@2
inputs:
connectedServiceName: # Azure subscription - you will need to create an service connection in the repo which has access policies to the keyvault
keyVaultName: # Name of existing key vault
secretsFilter: '*' # Downloads all secrets for the key vault
runAsPreJob: true # Runs before the job starts
Underneath the previous task add another one. This looks for any key value with the {# pre-fix and #} suffix in the .json file and the variables (below) after this task will replace the value in the .json file with the value of the secrets you assigned it.
#filename: azure-pipeline.yml
- task: qetza.replacetokens.replacetokens-task.replacetokens@3
inputs:
targetFiles: "$(Pipeline.Workspace)/codepath/jsonFileName.json"
encoding: "auto"
writeBOM: true
verbosity: "detailed"
actionOnMissing: "warn"
keepToken: false
tokenPrefix: "{#"
tokenSuffix: "#}"
displayName: Perform variable substitution in json file
- script: echo "$(<folderName/example.json)" #open json file in the terminal to show the changes
#.json value: point to secret name
variables:
appAccessServicePW: $(appAccessService)
cassandraDB: $(cassandraDB)
#....
#etc
Run the pipeline (tick the box for debugging) and your output of .json file should be:
#filename: appsettings.json
"APP_ACCESS_SERVICE_PASSWORD": "1234",
"CASSANDRA_DB_PASSWORD": "hello567"
#....
#etc
This way the only time your secrets are revealed is when the pipeline is run on whichever host agent (virtual machine) you use.