Access Azure KeyVault within an App from Azure DevOps Release Pipeline
At some point it might be necessary to get an authentication token for Azure to be able to access a Key Vault from a Release Pipeline, for example, an application that needs to retrieve a database connection string to perform certain operation when deploying an app. We could use an Azure KeyVault task that retrieves the desired secrets and then get that to the app through an environment variable. In this case we are going to see how to do it from the application itself using an access token.
Code in .NET Project
You need to add the possibility to authenticate to an Azure Key Vault using an Access Token:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
using System;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
public void ConfigureKeyVault(ConfigurationBuilder builder, string KeyVaultName)
{
string azureKeyVaultUrl = $"https://{KeyVaultName}.vault.azure.net/";
string accessToken = Environment.GetEnvironmentVariable("ACCESS_TOKEN");
AzureKeyVaultConfigurationOptions conf = new AzureKeyVaultConfigurationOptions()
{
Vault = azureKeyVaultUrl,
Client = new KeyVaultClient(async (string a, string r, string s) => accessToken)
};
builder.AddAzureKeyVault(conf);
}
Release Pipeline
Let’s assume you already have your Release Pipeline, just before the task where we run our app that needs to access the KeyVault, we must add a task Azure CLI, we will name it Retrieve AccessToken. In Azure Resource Manager connection we will specify the connection to use that has permission to access the KeyVault, if you are an administrator of the project you can go to the Settings from the left sidepanel, then go to Service Connections and from there configure a connection, which is out of the scope of this tutorial. In Script Type choose Shell and in Script Location choose Inline script, then on the text area that appears below paste the following:
1
2
3
sudo apt install -y jq
echo "##vso[task.setvariable variable=token;isOutput=true;]$(az account get-access-token --resource=https://vault.azure.net | jq -r .accessToken)"
If the Azure Resource Manager connection has enough privileges it should retrieve the access token. Finally go to the Output Variables section of this task, and on Reference name type AccessToken. This is the variable name we will use to pass it to the next task. Another important point here is the task.setvariable variable=token, here we are defining a token variable which we can use later on to retrieve the access token.
Then on your Run migrator task go to the Environment Variables section, add a new variable access_token whose value is $(AccessToken.token), if you look closely, you can see we are accessing token (which we defined in our inline script) of the AccessToken variable (which we defined in Output Variables of the previous task).
If you are running this through Docker, make sure to pick up this variable and pass it to the container when you start it up, ACCESS_TOKEN=${access_token} should be defined in your environment section of your docker-compose file, this will pass the access_token environment variable of your pipeline to the ACCESS_TOKEN environment variable inside the container, which the application will access later as we saw on the .NET code snippet in the previous section:
1
2
3
4
5
6
7
8
9
10
11
12
13
version: '3.7'
services:
database-migrator:
image: ${DOCKER_REGISTRY-}migrator
container_name: migrator_container
build:
context: ../../
dockerfile: src/DbMigrator/Dockerfile
environment:
- DOTNET_ENVIRONMENT=${dotnet_env}
- ACCESS_TOKEN=${access_token}