Azure DevOps Plugin
Prerequisites
- Add the Vault Interaction task to your organization from here: https://marketplace.visualstudio.com/items?itemName=Fizcko.azure-devops-vault-interaction
- Create your pipeline if it doesn’t exist: https://docs.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Cyaml%2Cbrowser%2Ctfs-2018-2
Configuration
- In your project, under Pipelines, select the relevant pipeline and click "Edit".
a. Search for the "Vault - Read KV Secrets" Task, select it and configure it as follows:
(i) Under Vault Server Settings: add the following Akeyless host as your Vault URL: https://hvp.akeyless.io
(ii) Under Authentication Method: choose Client Token and provide the Akeyless token in the following format:
For API Key authentication, the token value can be a concatenation of your Access ID and your Access Key, written as <Access ID>..<Access Key>. It is more secure to supply it as an environment variable.
Alternatively, you can extract your token using the akeyless auth command:
akeyless auth --access-id <Access ID> --access-type <Auth method type>
Click Add.
b. For Static Secrets, edit the following KV Settings:
(i) For KV engine path, set secret/data. KV version should be set to v1, and Secret path should contain the full path of your secret in Akeyless.
(ii) The final task should look like this:
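- task: [email protected]
  inputs:
    strUrl: 'https://hvp.akeyless.io'
    # Keep TLS certificate validation enabled for the Akeyless endpoint
    ignoreCertificateChecks: false
    strAuthType: 'clientToken'
    # Placeholder value; supply the real token from an environment variable
    strToken: 'access_id..access_key'
    strKVEnginePath: '/secret/data'
    kvVersion: 'v1'
    strSecretPath: '/test'
    strPrefixType: 'custom'
    replaceCR: 'false'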
(iii) After running your pipeline, you’ll see this input in the VaultReadKV step:

c. For Dynamic Secrets, edit the following KV Settings:
(i) For KV engine path, set mysql/creds. KV version should be set to v1, and Secret path should contain the full path of your secret in Akeyless.
(ii) The final task should look like this:
- task: [email protected]
  inputs:
    strUrl: 'https://hvp.akeyless.io'
    ignoreCertificateChecks: false
    strAuthType: 'clientToken'
    strToken: 'access_id..access_key'
    strKVEnginePath: 'mysql/creds'
    kvVersion: 'v1'
    strSecretPath: '/test'
    strPrefixType: 'custom'
    replaceCR: false
(iii) Add a script block that uses the MySQL credentials:
- script: |
    mysql --host XXXXX --port 3306 --user=$(username) --password='$(password)' -e 'show databases;'
  displayName: 'Show Databases in DB'
(iv) After running your pipeline, you’ll see this input in the Show Databases in DB step:
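A check for the two risky inputs in the task configurations above, written as an added example (it is not part of the Akeyless documentation or the plugin): it flags ignoreCertificateChecks set to true and a strToken written as a literal instead of a $(variable) reference. The variable name AKEYLESS_TOKEN, the task name PlaceholderVaultTask@0 and the sample pipeline are constructed for illustration.

```python
import re

# "key: value" lines for the two task inputs audited here; a trailing YAML
# comment is ignored.
_INPUT = re.compile(r"^\s*(ignoreCertificateChecks|strToken)\s*:\s*(.*?)\s*(?:#.*)?$")
# A value that consists of exactly one Azure Pipelines macro, e.g. $(NAME).
_MACRO = re.compile(r"^\$\([A-Za-z_][\w.]*\)$")

# Constructed sample: the first task mirrors the risky settings, the second
# takes the token from a (hypothetical) secret variable AKEYLESS_TOKEN.
SAMPLE = """\
steps:
- task: PlaceholderVaultTask@0
  inputs:
    strUrl: 'https://hvp.akeyless.io'
    ignoreCertificateChecks: true
    strAuthType: 'clientToken'
    strToken: 'access_id..access_key'
- task: PlaceholderVaultTask@0
  inputs:
    strUrl: 'https://hvp.akeyless.io'
    ignoreCertificateChecks: false
    strAuthType: 'clientToken'
    strToken: $(AKEYLESS_TOKEN)
"""


def audit_pipeline(yaml_text):
    """Return (line_number, input_name, problem) tuples for risky task inputs."""
    findings = []
    for number, line in enumerate(yaml_text.splitlines(), start=1):
        match = _INPUT.match(line)
        if not match:
            continue  # not one of the audited inputs (or a commented-out line)
        name, value = match.group(1), match.group(2).strip("'\"")
        if name == "ignoreCertificateChecks" and value.lower() == "true":
            findings.append((number, name, "TLS certificate validation is disabled"))
        elif name == "strToken" and value and not _MACRO.match(value):
            findings.append((number, name, "token is an inline literal, not a $(variable)"))
    return findings


if __name__ == "__main__":
    for number, name, problem in audit_pipeline(SAMPLE):
        print(f"line {number}: {name}: {problem}")
```

Run it against azure-pipelines.yml in a pre-merge check and fail the build when the returned list is not empty.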