Azure DevOps Plugin

Suggest Edits

Prerequisites

  1. Add the Vault Interaction task to your organization from here: https://marketplace.visualstudio.com/items?itemName=Fizcko.azure-devops-vault-interaction

  2. Create your pipeline if it doesn’t exist: https://docs.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Cyaml%2Cbrowser%2Ctfs-2018-2

Configuration

  1. In your project, under Pipelines, select the relevant pipeline and click "Edit".

a. Search for the "Vault - Read KV Secrets" Task, select it and configure it as follows:

(i) Under Vault Server Settings: add the following Akeyless host as your Vault URL: https://hvp.akeyless.io

(ii) Under Authentication Method: choose Client Token and provide the Akeyless token following this format:
The Token value can be a concatenation of your Access ID and your Access Key for an API Key authentication in the following format: < Access ID >".."< Access Key >. And should be used more securely as an environment variable.

Alternatively, you can extract your token using Akeyless auth command: 

akeyless auth --access-id <Access ID> --access-type <Auth method type>

Click Add.

b. For Static Secrets edit the following KV Settings:

(i) For KV engine path set secret/data. KV version should be set to v1 and Secret path should contain your secret full path in Akeyless.

(ii) The final task should look like this:

- task: [email protected]
 inputs:
   strUrl: 'https://hvp.akeyless.io'
   ignoreCertificateChecks: true
   strAuthType: 'clientToken'
   strToken: 'access_id..access_key'
   strKVEnginePath: '/secret/data'
   kvVersion: 'v1'
   strSecretPath: '/test'
   strPrefixType: 'custom'
   replaceCR: 'false'

(iii) After running your pipeline you’ll see this input in VaultReadKV step:

941

c. For Dynamic Secrets edit the following KV Settings:

(i) For KV engine path set mysql/creds. KV version should be set to v1 and Secret path should contain your secret full path in Akeyless.

(ii) The final task should look in this fashion:

- task: [email protected]
 inputs:
   strUrl: 'https://hvp.akeyless.io'
   ignoreCertificateChecks: false
   strAuthType: 'clientToken'
   strToken: 'access_id..access_key'
   strKVEnginePath: 'mysql/creds'
   kvVersion: 'v1'
   strSecretPath: '/test'
   strPrefixType: 'custom'
   replaceCR: false

(iii) Add a script block for using the mysql credentials:

- script: |
   mysql --host XXXXX --port 3306 --user=$(username) --password='$(password)' -e 'show databases;'
 displayName: 'Show Databases in DB'

(iv) After running your pipeline, you’ll see this input in Show Databases in DB step:

757

Updated 2 months ago