Azure DevOps Plugin

Prerequisites

  1. Add the Vault Interaction task to your organization from here: https://marketplace.visualstudio.com/items?itemName=Fizcko.azure-devops-vault-interaction

  2. Create your pipeline if it doesn’t exist: https://docs.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Cyaml%2Cbrowser%2Ctfs-2018-2

Configuration

  1. Edit your pipeline as follows:

a. Add the Vault - Read KV Secrets task.

b. Under Vault Server Settings: add Akeyless host as your Vault URL: https://hvp.akeyless.io

c. Under Authentication Method: choose Client Token and provide the Akeyless token:

For API Key authentication, the token value can be the concatenation of your Access ID and your Access Key in the following format: <Access ID>..<Access Key>. It can be supplied more securely as an environment variable.

Alternatively, you can extract your token using Akeyless auth command:

akeyless auth --access-id <Access ID>  --access-type <Auth method type>

d. For Static Secrets, edit your KV Settings:

(i) Set KV engine path to secret/data. Set KV version to v1, and set Secret path to the full path of your secret in Akeyless.

(ii) The final task should look like this:

- task: [email protected]
  inputs:
    strUrl: 'https://hvp.akeyless.io'
    ignoreCertificateChecks: false  # keep TLS certificate validation enabled
    strAuthType: 'clientToken'
    strToken: 'access_id..access_key'  # placeholder for <Access ID>..<Access Key>; do not commit the real value
    strKVEnginePath: '/secret/data'
    kvVersion: 'v1'
    strSecretPath: '/test'
    strPrefixType: 'custom'
    replaceCR: 'false'

(iii) After running your pipeline, you’ll see the output in the VaultReadKV step.

e. For Dynamic Secrets, edit your KV Settings:

(i) Set KV engine path to mysql/creds. Set KV version to v1, and set Secret path to the full path of your secret in Akeyless.

(ii) The final task should look like this:

- task: [email protected]
  inputs:
    strUrl: 'https://hvp.akeyless.io'
    ignoreCertificateChecks: false
    strAuthType: 'clientToken'
    strToken: 'access_id..access_key'
    strKVEnginePath: 'mysql/creds'
    kvVersion: 'v1'
    strSecretPath: '/test'
    strPrefixType: 'custom'
    replaceCR: false

(iii) Add a script block that uses the MySQL credentials:

- script: |
    mysql --host XXXXX --port 3306 --user=$(username) --password='$(password)' -e 'show databases;'
  displayName: 'Show Databases in DB'

(iv) After running your pipeline, you’ll see the output in the Show Databases in DB step.
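A pre-merge check for the task inputs configured above, as an added example that is not part of the Akeyless documentation or the plugin: it flags a literal strToken, disabled certificate checks, and a plain-HTTP Vault URL in pipeline YAML. The $(AKEYLESS_TOKEN) secret variable name, the function names and the task-name placeholder are assumptions, and the sample YAML is constructed.

```python
import re

# Added example: lint an azure-pipelines.yml for risky values in the
# Vault - Read KV Secrets task inputs (strToken, ignoreCertificateChecks, strUrl).
INPUT_RE = re.compile(r"^\s*(strToken|ignoreCertificateChecks|strUrl)\s*:\s*(.*?)\s*$")
MACRO_RE = re.compile(r"^\$\([A-Za-z_][\w.]*\)$")  # pipeline macro such as $(AKEYLESS_TOKEN)


def unquote(value):
    """Strip a trailing YAML comment and one layer of matching quotes."""
    value = re.sub(r"\s+#.*$", "", value).strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return value


def lint_pipeline(text):
    """Return a list of (line_number, message) findings for the pipeline text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = INPUT_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), unquote(m.group(2))
        if key == "strToken" and not MACRO_RE.match(value):
            findings.append((lineno, "strToken is a literal; reference a secret variable instead"))
        elif key == "ignoreCertificateChecks" and value.lower() == "true":
            findings.append((lineno, "TLS certificate checks are disabled"))
        elif key == "strUrl" and not value.lower().startswith("https://"):
            findings.append((lineno, "Vault URL is not HTTPS"))
    return findings


# Constructed sample inputs; the task name is a placeholder, not a real task id.
WEAK = """\
- task: <VaultReadKV task>
  inputs:
    strUrl: 'https://hvp.akeyless.io'
    ignoreCertificateChecks: true
    strAuthType: 'clientToken'
    strToken: 'access_id..access_key'
"""
HARDENED = (WEAK.replace("ignoreCertificateChecks: true", "ignoreCertificateChecks: false")
                .replace("'access_id..access_key'", "'$(AKEYLESS_TOKEN)'"))

if __name__ == "__main__":
    for lineno, msg in lint_pipeline(WEAK):
        print(f"line {lineno}: {msg}")
    print("hardened findings:", lint_pipeline(HARDENED))
```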
