I'm facing an issue with my Azure DevOps pipeline where I can successfully retrieve one secret from Azure Key Vault, but not the others. Specifically, I'm able to retrieve one secret, but when I try to retrieve other secrets, they are not being set correctly in the pipeline.

My Setup

  1. Azure Key Vault Configuration:

    • I have multiple secrets stored in Azure Key Vault (my-keyvault).
    • The secrets include:
      • SecretOne
      • SecretTwo
      • SecretThree
      • SecretFour
  2. Access Policies:

    • The service principal used by Azure DevOps has Get and List permissions for secrets.
  3. Azure DevOps Pipeline Configuration:

    • The pipeline is configured to retrieve secrets using the AzureKeyVault@1 task.
    • I verified that the service principal has the correct access permissions.

Pipeline Script

Here is the simplified version of my pipeline script for testing secret retrieval:

trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'my-azure-subscription'
    KeyVaultName: 'my-keyvault'
    SecretsFilter: 'SecretOne,SecretTwo,SecretThree,SecretFour'
    RunAsPreJob: true

- script: |
    echo "SecretOne: ${SecretOne}"
    echo "SecretTwo: ${SecretTwo}"
    echo "SecretThree: ${SecretThree}"
    echo "SecretFour: ${SecretFour}"
  displayName: 'Print Secrets for Verification'

Issue

  • The secret SecretOne is correctly retrieved and printed.
  • The other secrets (SecretTwo, SecretThree, and SecretFour) are not being retrieved and printed.

Debugging Steps Taken

  1. Verified Access Policies:

    • Confirmed that the service principal has Get and List permissions in the Key Vault.
  2. Checked Secret Names:

    • Ensured that the secret names are correctly specified and match exactly, including case sensitivity.
  3. Tested with Azure CLI:

    • Verified that all secrets can be retrieved using Azure CLI commands.

Request for Help

I need assistance in understanding why only one secret is being retrieved successfully while the others are not. Any insights or suggestions on what might be going wrong and how to fix this issue would be greatly appreciated.


Thank you in advance for your help!


  • I'd suggest you use AzureKeyVault@2 instead of AzureKeyVault@1 Commented Jun 2, 2024 at 15:42
  • Can you run the pipeline in Diagnostics mode (checkbox in the bottom left corner when you queue a new build) and paste the logs here? Commented Jun 2, 2024 at 15:44
  • What happens if you use round brackets $(SecretXXX) instead of curly brackets ${SecretXXX}? Commented Jun 2, 2024 at 15:48
  • Which part of the logs would you like me to share? I do not want to expose any of my company's details. Will try the round brackets. Commented Jun 2, 2024 at 15:55
  • I used round brackets and tried to access two secrets, and only secret1 is returned, not the secret2 value. I am also now using KeyVault@2. Commented Jun 2, 2024 at 15:57

1 Answer

Azure Pipelines makes an effort to mask secrets when emitting data to pipeline logs, so you may see additional variables and data masked in output and logs that are not set as secrets.

This is by design, as you don't want sensitive information being exposed in the logs.

Example:

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'repo-kv-demo'
    KeyVaultName: 'kv-demo-repo'
    SecretsFilter: 'secretDemo'
    RunAsPreJob: true

# other tasks here

- bash: |
    echo "Secret Found! $MY_MAPPED_ENV_VAR"
  env:
    MY_MAPPED_ENV_VAR: $(secretDemo)

The output from the bash command should look like this:

Secret Found! ***
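As an added example (not part of the answer above), here is a small shell helper for checking that each secret actually reached the script step's environment without echoing its value, which the agent would mask as *** anyway. It assumes the secrets are mapped through an env: block as in the answer; the SECRET_ONE/SECRET_TWO names and the ./check_secrets.sh path are placeholders.

```shell
#!/bin/sh
# Added verification helper, not from the answer or from Azure DevOps itself.
# Invoke it from a pipeline step whose env: block maps each Key Vault secret:
#
#   - bash: ./check_secrets.sh SECRET_ONE SECRET_TWO   # hypothetical script path
#     env:
#       SECRET_ONE: $(SecretOne)                        # hypothetical secret names
#       SECRET_TWO: $(SecretTwo)
#
# Each named variable is reported as set, missing, or unresolved. A value that
# still reads "$(Name)" means the pipeline variable was never defined, because
# an unknown macro is left in place as literal text rather than expanded.

# check_secret_vars NAME... -> one status line per name;
# returns 0 when every variable holds a real value, 1 otherwise.
check_secret_vars() {
  name='' value='' rc=0
  for name in "$@"; do
    # Indirect expansion via eval keeps this POSIX sh compatible.
    eval "value=\${$name-}"
    case "$value" in
      '')
        printf '%s: MISSING (empty or not mapped via env:)\n' "$name"
        rc=1 ;;
      '$('*')')
        # Safe to print: this is the unexpanded macro, not secret material.
        printf '%s: UNRESOLVED (env value is the literal %s)\n' "$name" "$value"
        rc=1 ;;
      *)
        # Length only: enough to confirm a value arrived without revealing it.
        printf '%s: set (%d characters)\n' "$name" "${#value}" ;;
    esac
  done
  return "$rc"
}

# missing_secret_count NAME... -> prints how many names are missing or unresolved.
missing_secret_count() {
  count=0
  for name in "$@"; do
    eval "value=\${$name-}"
    case "$value" in
      '' | '$('*')') count=$((count + 1)) ;;
    esac
  done
  printf '%d\n' "$count"
}
```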

2 Comments

  • ==============================================================================
    Generating script.
    Script contents: echo "Secret Found! $MY_MAPPED_ENV_VAR"
    ========================== Starting Command Output ===========================
    /usr/bin/bash /home/vsts/work/_temp/8beed5-4d1f-4aba-a1ab-9ade27ab0e.sh
    Secret Found! ***
  • I tried with Secret2 and it says found.
