You are probably aware of how “secrets” work in Azure DevOps. In a way, it’s simple: you can create variables and store the value of each variable as a secret or not, simply by tapping the “lock” icon when creating the variable.
To share variables over multiple repos, you can create a variable group, and use that variable group in multiple pipelines.
Quite easy! But …
The thing is, out-of-the-box variable definition in DevOps is, as far as I know, “just” on project level. We can define variables on a pipeline, we can pass them to templates, we can create “global” variables and such, but sometimes you need to share a (secret) value, like a license key, across nearly all your projects. Or even across multiple DevOps organizations, however you chose to set them up.
Many partners have 1 DEV license key that expires every 90 days, so you might want to share that license key over all your projects. The goal is: when you have a new key, there is just one place to change it, and all your pipelines keep running.
How do I share Secret variables over multiple projects?
Let me share with you a simple way to do that, but first a disclaimer: it could very well be that I’m not aware of a built-in DevOps option to do this. Please let me know in the comments if that’s the case.
Step 1: Set up an Azure Key Vault in the Azure Portal
In Azure (yes, you’ll need access to the Azure Portal), you have “Azure Key Vault”.
Just create a new Key Vault:
Step 2: Create Secrets
Once you have created your vault, you can simply navigate to it.
And start to create secrets:
As you can see, it’s simple: basically just a key/value pair:
The result is simply a list of secrets that you have now at your disposal.
To continue, let’s go back to DevOps…
Step 3: Create a variable group
As you might already know, variable groups can be linked to secrets in an Azure Key Vault. Since these are all secrets that we want to manage at a “high level”, it makes sense to use the highest level we have for managing variables in DevOps, and that’s Variable Groups. Each project gets its own variable group, but all of them point at the same vault, so the secret value itself lives in exactly one place.
Step 4: Link it with Azure Key Vault
Make sure you link it with your Azure Key Vault (and authorize the subscription, and the vault if necessary).
Don’t forget to add all the secrets you want to make available in this project. By default, none of the secrets are linked; you need to “Add” them yourself!
Save, and done! Now, you will be able to …
Step 5: Use it in your pipelines
Here are a few examples of how to link it in your pipelines:
And use it:
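As an added example (not one of the post’s own screenshots), here is a minimal Azure Pipelines YAML that consumes a Key Vault backed variable group from Step 4. The group name `bc-global-secrets` and the secret name `LicenseKey` are assumptions; substitute the names you chose in the portal. Note that a secret variable is never handed to a script as an environment variable on its own; you map it explicitly with `env:`, and the pipeline masks its value in the log.

```yaml
# Added example, not from the original post.
# Assumed names: variable group "bc-global-secrets" (linked to the Key Vault),
# Key Vault secret "LicenseKey" (surfaced as a secret pipeline variable).
trigger:
- main

variables:
# Pull in every secret that was "Added" to the group in Step 4.
- group: bc-global-secrets
# Regular (non-secret) variables can be mixed in the same list.
- name: buildConfiguration
  value: Release

pool:
  vmImage: 'windows-latest'

steps:
- task: PowerShell@2
  displayName: 'Use the shared license key'
  inputs:
    targetType: inline
    script: |
      # Fail fast if the secret did not resolve (wrong group name, secret not
      # added to the group, or service connection lacking Get/List on secrets).
      if ([string]::IsNullOrWhiteSpace($env:LICENSE_KEY)) {
        throw "LicenseKey was not resolved from the Key Vault variable group"
      }
      # Never echo the key itself; the length is enough to prove it arrived.
      Write-Host "License key received (length: $($env:LICENSE_KEY.Length))"
      Write-Host "Build configuration: $(buildConfiguration)"
  env:
    # Secret variables must be mapped explicitly; they are not in the
    # environment by default.
    LICENSE_KEY: $(LicenseKey)
```

The service principal behind the service connection needs at least Get and List permissions on secrets in the vault; without them the group shows up empty and the first step above throws. Rotating the key is then a single change to the secret in the vault: every project whose variable group references it picks up the new value on its next run.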
Do know that when running the pipeline, you might have to grant access for this service connection. Simply permit it and run it; you need to do this only once.
If you ever want to delete/disable access to this subscription, be aware that linking the vault has basically created a service connection, which you can find in the project settings:
Just after I wrote this post, I happened to find this one: https://zimmergren.net/using-azure-key-vault-secrets-from-azure-devops-pipeline/ . Definitely worth a read, as it drills a bit more into the security considerations.