Store and Retrieve Secrets using Azure Key Vault

eGIS uses Azure Key Vault to store secrets such as passwords. Access is granted per vault, either through an Azure RBAC role assignment (for example Key Vault Secrets User to read values, Key Vault Secrets Officer to create them) or through a key vault access policy, so only users who have been granted access to a key vault can store and retrieve its secrets. This document describes how to store and retrieve secrets in the eGIS key vault (EgisKeyVault) from the Azure Portal, from an Azure DevOps pipeline, and from an Azure Python Function App.

Retrieve a Secret using Azure Portal

  1. Open the Microsoft Azure Portal.

  2. In the search box, type Key Vault.

  3. Click Key Vaults in the results list.

  4. Click EgisKeyVault to open the eGIS key vault. EgisKeyVault is in the TC-Script-ArcGIS-RG resource group in the TC-Sandbox subscription.

  5. Underneath Settings, click Secrets.

  6. In the list of secrets, click the name of the secret that you want to retrieve.

  7. Underneath Current Version, click the current version of the secret. Earlier versions, if any, are listed underneath Older Versions.

  8. Click Show Secret Value to reveal the secret value. Alternatively, click the Copy icon to copy the secret’s value to the clipboard. Paste the value only where it is needed; never paste it into email, chat, tickets or source code.

Create a Secret using Azure Portal

  1. Follow steps 1 through 5 above to open the Secrets blade of EgisKeyVault.

  2. Click Generate/Import.

  3. Specify a Name and Value for the new secret. Optionally set an activation date and an expiration date.

  4. Click Create.

The new secret is created in the key vault. If a secret with the same name already exists, Create adds a new version of that secret rather than overwriting it: the new version becomes the current version, and the older versions remain readable until they are disabled or deleted.
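The same two procedures can be carried out from a PowerShell session with the Az module, which is useful for scripted rotation and for checking the version history after a create. The script below is an added example and is not part of the eGIS documentation or its scripts. It assumes the Az.KeyVault module is installed, that the signed-in account has been granted access to EgisKeyVault (Key Vault Secrets User or Secrets Officer, or an access policy with Get, List and Set secret permissions), and it uses a placeholder secret name; only the vault, resource group and subscription names come from this document.

```powershell
# Added example (not eGIS code): PowerShell equivalent of the portal steps above.
# Assumes the Az.KeyVault module and an account with access to EgisKeyVault.

# Sign in and select the subscription that holds the vault (names from this document).
Connect-AzAccount
Set-AzContext -Subscription 'TC-Sandbox' | Out-Null

$vaultName  = 'EgisKeyVault'
$secretName = 'ExampleServiceAccountPassword'   # placeholder, not a real eGIS secret

# --- Retrieve a secret (steps 5 to 8 above) ---

# List secret names only; a list operation never returns values.
Get-AzKeyVaultSecret -VaultName $vaultName | Select-Object Name, Enabled, Updated

# Fetch the current version. Without -AsPlainText the value is returned as a
# SecureString in .SecretValue, which is the form to keep it in for as long as possible.
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
$secret.Id        # full URI including the version, useful when recording what was used

# Hand the SecureString straight to a credential object instead of unwrapping it.
$cred = New-Object System.Management.Automation.PSCredential ('svc-account', $secret.SecretValue)

# Equivalent of "Show Secret Value". Do this only where a plain string is required,
# and never write the result to the console or a log file.
$plain = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText

# --- Create a secret (Generate/Import, steps 2 to 4 above) ---

# Read the value interactively so it is not recorded in shell history or a script.
$newValue = Read-Host -Prompt "Value for $secretName" -AsSecureString

# If a secret with this name already exists, Set-AzKeyVaultSecret creates a new
# version rather than overwriting; the previous version stays readable until it is
# disabled or deleted. An expiry date is set so that a forgotten secret stops working.
$created = Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName `
    -SecretValue $newValue -ContentType 'password' -Expires (Get-Date).AddDays(365)
$created.Version

# Confirm that the new version is current and review the version history.
Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -IncludeVersions |
    Select-Object Version, Enabled, Created, Expires
```

Every Get-AzKeyVaultSecret call that returns a value is a SecretGet operation on the vault and appears in its diagnostic logs when they are enabled, so retrieve only the secrets a task actually needs.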

Retrieve a Secret in a DevOps Pipeline

In some cases, it may be necessary to retrieve a secret, such as a password, from within an Azure DevOps pipeline.

Add the Secret to the Pipeline Library

In eGIS DevOps, a variable group named EGIS passwords has been created and linked to EgisKeyVault. It allows tasks within Azure DevOps pipelines to use secrets from EgisKeyVault without copying their values into the pipeline definition: the variable group stores only the secret names, and the values are fetched from the key vault at run time using the group’s Azure service connection. That service connection’s identity must have Get and List secret permissions on EgisKeyVault; if a secret does not appear in the Add dialog below, that is usually the reason.

  1. In the Azure DevOps portal, expand the Pipelines menu, then click Library.

  2. Click the EGIS passwords variable group.

  3. In the list of variables, check whether the secret that you want to retrieve is already present. If it is not, click Add.

  4. Check the boxes next to the names of the secrets that you wish to retrieve, then click OK.

  5. Click Save.

  6. In your release pipeline, click the Variables tab.

  7. Click Variable Groups.

  8. Click Link variable group.

  9. Click EGIS passwords in the list of variable groups. By default, the variable group is available to the entire pipeline. To limit the scope to specific stages, click Stages, then choose the specific stages from the dropdown list. Link the group only to the stages that need the secrets.

  10. Click Link.

The secrets are now available to the pipeline as secret variables, one per key vault secret, with the same name as the secret, and are referenced with macro syntax, for example $(SecretName). Two points to keep in mind: secret variables are not exported to the environment of script tasks automatically, so each one must be mapped explicitly to an environment variable or passed as a task argument; and Azure Pipelines masks a secret’s exact value in the log output but not strings derived from it, so a script must not print, encode or embed the value. Refer to the Azure Pipelines documentation on Variable Groups and Secrets for more information.
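The steps above link the variable group to a classic release pipeline. The same EGIS passwords group can be consumed from a YAML pipeline, and the explicit environment-variable mapping needed to use a secret in a script is the same in both cases. The pipeline below is an added example, not part of the eGIS documentation or an existing eGIS pipeline; the secret name, environment variable name and the script body are placeholders, and only the variable group name comes from this document.

```yaml
# Added example (not an eGIS pipeline): YAML equivalent of steps 6 to 10 above,
# consuming the Key Vault-backed "EGIS passwords" variable group.
trigger: none

variables:
  # Makes the group available to the whole pipeline. To limit the scope, put this
  # variables block under a specific stage or job instead.
  - group: 'EGIS passwords'

stages:
  - stage: Deploy
    jobs:
      - job: Configure
        pool:
          vmImage: 'windows-latest'
        steps:
          - task: PowerShell@2
            displayName: 'Use a Key Vault secret'
            env:
              # Secret variables are NOT exported to the environment automatically;
              # each one has to be mapped here. $(...) resolves the variable-group
              # entry whose name matches the key vault secret name (placeholder).
              SERVICE_PASSWORD: $(ExampleServiceAccountPassword)
            inputs:
              targetType: inline
              script: |
                if (-not $env:SERVICE_PASSWORD) {
                  # Fail closed: an unmapped or misspelled secret must stop the job,
                  # not silently run with an empty password.
                  throw 'SERVICE_PASSWORD is not set; check the variable group link and the secret name.'
                }
                # Wrap the value immediately and never echo it. The log masker only
                # redacts exact matches, so a base64 or URL-encoded copy would leak.
                $secure = ConvertTo-SecureString $env:SERVICE_PASSWORD -AsPlainText -Force
                $cred   = New-Object System.Management.Automation.PSCredential ('svc-account', $secure)
                Write-Host "Credential for $($cred.UserName) is ready."
```

If the task reports that SERVICE_PASSWORD is not set, check that the secret was added to the variable group (steps 3 to 5), that the group is linked to the stage running the task (step 9), and that the name after $( ) matches the key vault secret name exactly.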

Retrieve a Secret in an Azure Python Function App

Refer to the documentation on Python Function Apps DevOps Pipelines for information on accessing an Azure Key Vault secret from within an Azure Python Function App.