Azure DevOps Plugin
To install this plugin you'll have to add the Vault Interaction task to your organization using this link.
Configuration & Usage
In your project, under Pipelines, select the relevant pipeline and click "Edit".
- Search for the "Vault - Read KV Secrets" Task, select it and configure it as follows:
Under Vault Server Settings: add the following Akeyless host as your Vault URL: https://hvp.akeyless.io
, to work with your own Akeyless Gateway set the Vault URL URL of your Gateway HVP endpoint: https://Your-Gateway-URL:8000/hvp
(or using your gateway url at port 8200)
Note
Akeyless developed API compatibility with Hashicorp Vault OSS, enabling the use of Vault OSS community plugins for both Static & Dynamic Secrets, you can find more information here
Under Authentication Method: choose Client Token and provide the Akeyless token following this format:
The Token value can be a concatenation of your Access ID and your Access Key for an API Key authentication in the following format: < Access ID >".."< Access Key >
. And should be used more securely as an environment variable.
Alternatively, to work with any other Authentication Methods you can extract your token using Akeyless auth
command:
akeyless auth --access-id <Access ID> --access-type <Auth method type>
To work with Static Secrets edit the following KV Settings:
For KV engine path, set secret/data
. KV version should be set to v1
and Secret path should contain your secret full path in Akeyless.
The final task should look like this:
- task: VaultReadKV@2
inputs:
strUrl: 'https://hvp.akeyless.io'
ignoreCertificateChecks: true
strAuthType: 'clientToken'
strToken: 'access_id..access_key'
strKVEnginePath: '/secret/data'
kvVersion: 'v1'
strSecretPath: '/test'
strPrefixType: 'custom'
replaceCR: 'false'
After running your pipeline, you’ll see this input in the VaultReadKV step:
To fetch Dynamic Secrets edit the following KV Settings:
For KV engine path set mysql/creds
. KV version should be set to v1
and Secret path should contain your secret full path in Akeyless.
The final task should look in this fashion:
- task: VaultReadKV@2
inputs:
strUrl: 'https://hvp.akeyless.io'
ignoreCertificateChecks: false
strAuthType: 'clientToken'
strToken: 'access_id..access_key'
strKVEnginePath: 'mysql/creds'
kvVersion: 'v1'
strSecretPath: '/test'
strPrefixType: 'custom'
replaceCR: false
Add a script block for using the mysql credentials:
- script: |
mysql --host XXXXX --port 3306 --user=$(username) --password='$(password)' -e 'show databases;'
displayName: 'Show Databases in DB'
After running your pipeline, you’ll see this input in Show Databases in DB step:
Updated 24 days ago