
I am building an Azure DevOps template that is triggered from different teams' main pipelines. During the release stage, we are fetching secrets from Azure Key Vault using the AzureKeyVault@1 task, and all secrets are downloaded and stored as output variables in the current stage, based on the log output:

##[debug]set secretKey-blabla-password=********
##[debug]Processed: ##vso[task.setvariable variable=secretKey-blabla-password;issecret=true;]***

After this task completes, I want to enumerate, in a subsequent Bash task, all variables which start with a specific name (as the number of secrets will change depending on the team, but they will follow a specific naming convention).

Then I try to retrieve all the variables in the next task using:

  - task: Bash@3
    displayName: Generate deployment secrets
    inputs:
      targetType: "inline"
      script: |
        env | sort  ## Tried also with compgen -v

When I run the pipeline, the KV secrets are fetched correctly, and when the next task starts, the debug output shows that all the vars retrieved from the secrets are loaded:

##[debug]loading SECRET_SECRETKEY-BLABLA-PASSWORD

But when I try to print all vars on the agent, I only get the env vars or any other task output vars generated, but not the ones from the KV.

I know it works with an explicit input definition for these vars in the Bash task, but my problem is that the name and number of secret variables will depend on the team executing the template. That's why I would like to get all exported secret vars and then, based on pattern filtering, dump these values into a specific k8s secret deployment file.

Any ideas if this can be done like this or using an alternative method?

Thanks

  • You mentioned that you mapped your secrets into output variables, right? Can you show us how you do that? Secrets by default are not mapped into env variables and you need explicit mapping for that. Just checking if you know that. Commented Nov 19, 2020 at 10:20
  • Actually I did not map anything, but the debug output of the AzureKeyVault@1 task shows that the fetched secrets are mapped into output vars (first code snippet above). I assumed these secrets are mapped to output vars based on this task output. Commented Nov 19, 2020 at 10:23

1 Answer

All variables from KV are considered secrets, thus you will not get them available as env variables. To have them available as env variables you have to map them explicitly, like this:

- task: PowerShell@2
  env:
    PIPELINE_SCOPED_SECRET_VAR: $(secret1FromKV)
    SECRET_VAR_IN_VARIABLE_GROUP: $(secret2FromKV)
  inputs:
    targetType: inline
    script: |
      # the mapped secrets are now readable as $env:PIPELINE_SCOPED_SECRET_VAR etc.

Thus it would be difficult to achieve your task if you have a different set of variables. And I would advise rather not to do that, because you reveal something that is supposed to remain secret. But if you need this, please consider the Azure CLI and the Azure CLI task to fetch your variables.

And it is not possible to define this globally.

1 Comment

Yes, probably this will be easier to achieve using a combination of az keyvault secret list into an object, then filtering based on the secret naming pattern, and creating the output vars in an iteration.
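The approach sketched in the answer and the comment above (list the Key Vault secrets with the Azure CLI, keep the ones matching the naming prefix, and register each one as a secret pipeline variable rather than dumping them through env), as an added example that is not code from the question or the answer. It assumes it runs as the inline bash script of an AzureCLI@2 task where az is already logged in, and that KEYVAULT_NAME and SECRET_PREFIX are supplied as task environment variables; the uppercase/underscore variable naming is a convention chosen here, not something the AzureKeyVault@1 task does.

```shell
#!/usr/bin/env bash
# Added example: enumerate Key Vault secrets by name prefix and register each
# as a *secret* pipeline variable (issecret=true), so values stay masked in
# logs and are never printed by a plain `env | sort`.
# Assumed environment: AzureCLI@2 bash task, `az` logged in, KEYVAULT_NAME
# and SECRET_PREFIX passed in via the task's env block (assumed names).
set -euo pipefail

# Keep only the secret names that start with the given prefix.
# Reads one name per line on stdin and prints the matching ones.
filter_names() {
  local prefix="$1"
  grep -E "^${prefix}" || true
}

# Convention chosen here: make a shell-friendly variable name, e.g.
# "secretKey-blabla-password" -> "SECRETKEY_BLABLA_PASSWORD".
to_var_name() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr '-' '_'
}

# Emit the logging command that registers a secret variable for later tasks.
# issecret=true keeps the value masked; later tasks still map it via env:.
emit_setvariable() {
  local name="$1" value="$2"
  printf '##vso[task.setvariable variable=%s;issecret=true;]%s\n' "$name" "$value"
}

# Pipeline entry point: list names, filter by prefix, fetch each value once
# and register it. Values are passed to printf only, never echoed elsewhere.
export_prefixed_secrets() {
  local vault="$1" prefix="$2" name value
  az keyvault secret list --vault-name "$vault" --query '[].name' -o tsv \
    | filter_names "$prefix" \
    | while IFS= read -r name; do
        value="$(az keyvault secret show --vault-name "$vault" \
                   --name "$name" --query value -o tsv)"
        emit_setvariable "$(to_var_name "$name")" "$value"
      done
}

# Only talk to Azure when running inside the pipeline; the helpers above
# can be sourced and exercised offline without KEYVAULT_NAME set.
if [ -n "${KEYVAULT_NAME:-}" ]; then
  export_prefixed_secrets "$KEYVAULT_NAME" "${SECRET_PREFIX:-secretKey-}"
fi
```

The variables registered this way still have to be mapped explicitly in a later task's env block, exactly as the answer shows, which keeps the secret values out of any wholesale environment dump.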
