Use Azure Key Vault secrets in your Pipeline

1. Sign in to the Azure portal, and then select Create a resource.

2. Under Key Vault, select Create to create a new Azure Key Vault.

3. Select your Subscription from the dropdown menu, and then select an existing Resource group or create a new one. Enter a Key vault name, select a Region, choose a Pricing tier, and select Next if you want to configure additional properties. Otherwise, select Review + create to keep the default settings.

4. Once the deployment is complete, select Go to resource.

1. First, set your default region and Azure subscription:

   • Set default subscription:

   az account set --subscription <your_subscription_name_or_subscription_ID>
   

   • Set default region:

   az config set defaults.location=<your_region>
   

2. Create a new resource group to host your Azure Key Vault. A resource group is a container that holds related resources for an Azure solution:

   az group create --name <your-resource-group>
   

3. Create a new Azure Key Vault:

   az keyvault create \
     --name <your-key-vault-name> \
     --resource-group <your-resource-group>
   

Create a user-assigned managed identity

1. Sign in to the Azure portal, then search for the Managed Identities service in the search bar.

2. Select Create, and fill out the required fields as follows:

   • Subscription: Select your subscription from the dropdown menu.
   • Resource group: Select an existing resource group or create a new one.
   • Region: Select a region from the dropdown menu.
   • Name: Enter a name for your user-assigned managed identity.

3. Select Review + create when you're done.

4. Once the deployment is complete, select Go to resource, then copy the Subscription and Client ID, you'll need them in the next steps.

5. Navigate to Settings > Properties, and copy your managed identity's Tenant ID to use later.

Set up key vault access policies

1. Navigate to Azure portal, and use the search bar to find the key vault you created earlier.

2. Select Access policies, then select Create to add a new policy.

3. Under Secret permissions, select the Get and List checkboxes.

4. Select Next, then paste the Client ID of the managed identity you created earlier into the search bar.

5. Select your managed identity, select Next, then Next once more.

6. Review your new policy, and then select Create when you're done.

Create a service connection

1. Sign in to your Azure DevOps organization, and then navigate to your project.

2. Select Project settings > Service connections, and then select New service connection.

3. Select Azure Resource Manager, then select Next.

4. Under Identity Type, select Managed identity from the dropdown menu.

5. For Step 1: Managed identity details, fill out the fields as follows:

   • Subscription for managed identity: Select the subscription that contains your managed identity.

   • Resource group for managed identity: Select the resource group where your managed identity is hosted.

   • Managed Identity: Select your managed identity from the dropdown menu.

6. For Step 2: Azure Scope, fill out the fields as follows:

   • Scope level for service connection: Select Subscription.

   • Subscription for service connection: Select the subscription your managed identity will access.

   • Resource group for Service connection: (Optional) Specify this if you want to restrict access to a specific resource group.

7. For Step 3: Service connection details:

   • Service connection name: Provide a name for your service connection.

   • Service Management Reference: (Optional) Include context information from an ITSM database.

   • Description: (Optional) Add a description.

8. Under Security, check the Grant access permission to all pipelines box to allow all pipelines to use this service connection. If you leave this unchecked, you’ll need to manually grant access for each pipeline.

9. Select Save to validate and create the service connection.

   

Create a service principal

In this step, you'll create a new service principal in Azure so that your Azure Pipelines can access Azure Key Vault.

1. Navigate to Azure portal, then select the >_ icon from the top menu to open the Cloud Shell.

2. Select either PowerShell or Bash depending on your preference.

3. Run the following command to create a new service principal:

   az ad sp create-for-rbac --name YOUR_SERVICE_PRINCIPAL_NAME
   

4. After the command runs, you’ll get an output similar to the following. Copy and save the output, you’ll need it to create a service connection in the next step.

   {
     "appId": "00001111-aaaa-2222-bbbb-3333cccc4444",
     "displayName": "MyServicePrincipal",
     "password": "***********************************",
     "tenant": "aaaabbbb-0000-cccc-1111-dddd2222eeee"
   }
   

Create a service connection

1. Sign in to your Azure DevOps organization, and then navigate to your project.

2. Select Project settings, and then select Service connections.

3. Select New service connection, select Azure Resource Manager, and then select Next.

4. Select Service principal (manual), and then select Next.

5. Under Identity Type, select App registration or managed identity (manual).

6. Under Credential, select Workload identity federation.

7. Provide a name for your service connection, and then select Next.

8. Copy the Issuer and the Subject identifier values. You'll need them in the next step.

9. For Environment, Select Azure Cloud and for Subscription scope select Subscription.

10. Enter your Azure Subscription ID and Subscription name.

11. Under Authentication, paste your service principal's Application (client) ID and Directory (tenant) ID

12. In the Security section, check the Grant access permission to all pipelines box to allow all pipelines to use this service connection. If you skip this, you’ll need to manually grant access per pipeline.

13. Leave this page open, you’ll come back to complete it after you've (1) created the federated credential in Azure and (2) granted your service principal Read access at the subscription level.

    

Create a federated credential in Azure

1. Navigate to Azure portal, then use the search bar to find your service principal by entering its ClientID. Select the matching Application from the results.

2. Under Manage, select Certificates & secrets > Federated credentials.

3. Select Add credential, then for Federated credential scenario, select Other issuer.

4. In the Issuer field, paste the Issuer value you copied from your service connection earlier.

5. In the Subject identifier field, paste the Subject identifier you copied earlier.

6. Enter a Name for your federated credential, and then select Add when you're done.

   

Add role assignment to your subscription

Before you can verify the connection, you need to grant the service principal Read access at the subscription level:

1. Navigate to Azure portal

2. Under Azure services, select Subscriptions, and then find and select your subscription.

3. Select Access control (IAM), and then select Add > Add role assignment.

4. Under the Role tab, select Reader, and then select Next.

5. Select User, group, or service principal, and then select Select members.

6. In the search bar, paste your service principal's Object ID, select it, then click Select.

7. Select Review + assign, review your settings, and then select Review + assign again to confirm.

8. Once the role assignment is added. go back to your service connection in Azure DevOps and select Verify and Save to save your service connection.

Configure Key Vault access policies

1. Navigate to the Azure portal, find the key vault you created earlier, and then select Access policies.

2. Select Create, then under Secret permissions add both the Get and List permissions, and then select Next.

3. Under Principal, paste your service principal's Object ID, select it, and then select Next.

4. Select Next again, review your settings, and then select Save to apply the new policy.