secrets.json/secrets.xml. There is another easy way of handling the secrets without changing anything in the code, such as installing a NuGet package or referencing Azure Key Vault in the code. Here we are going to use a simple approach: an Azure DevOps Release pipeline and the Deploy Azure App Service task manage all our secrets.
Create an Azure Key Vault and add all your secrets to it. See the reference section below on how to create secrets in Azure Key Vault.
Now it’s time to do some magic in Azure DevOps
- We will create a new release pipeline in Azure DevOps (see the reference section below on how to create an Azure release pipeline).
- After that, all you need is a single task in the pipeline, called “Azure App Service Deploy”. Make sure you have version 3.* or higher. Please note that the version is IMPORTANT HERE: this will not work with lower versions.
- Now we are going to bring our secrets from Azure Key Vault into our release pipeline through variable groups. So, let’s create a variable group.
- It will open a new tab. From there you can create a new variable group.
- While creating the variable group, you need to enable the toggle called “Link secrets from an Azure Key vault as variables”. This lets you access your Azure subscription and Key Vault, like below.
- Then you can add all your secrets to the variable group using the Add button at the bottom. Once you have added them, it will look like below.
- Save your variable group, then go back to the previous tab, where you can link the variable group to the pipeline (like below).
- Now we can go into the Deploy Azure App Service task and find the Application and configuration setting section (which is available only from version 3.*).
This is the place where we assign the values for our secrets from the variable group. Depending on your configuration, select either App Settings or Configuration settings from the menu and follow the instructions below.
- Click the three-dots menu next to the setting type you want to add; for this demo I chose App Settings. Then start adding the config values that you need to retrieve from Azure Key Vault.
The Name column should be equal to your original config name, and the value should be the name of the secret from the Key Vault written with the dollar sign ($) (see below).
Here the Deploy Azure App Service task internally uses PowerShell to retrieve the secrets from Key Vault, so we need to use $ for that.
- That’s it. Save all your work and run the release pipeline. After the run, you can see the steps below in the logs, where the pipeline downloads the secrets from Key Vault into the variable group only at run time; the secret values also cannot be viewed in plain text in the logs.
If you click the Deploy Azure App Service logs and look closely at the end, you can see that our configuration values are getting updated.
Let’s verify that our actual values are getting updated in the Azure portal.
And there it is: we deployed our app without worrying about the secrets.
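As an added example (not part of the original post), the script below audits the App Settings string entered in the Deploy Azure App Service task: it flags sensitive-looking settings that carry a literal value instead of a variable reference, and references to variables that are missing from the linked variable group. It assumes the values use the pipeline's `$(Name)` variable form; the setting names, the sample string and the variable group contents are constructed for illustration.

```python
import re
import shlex

VAR_REF = re.compile(r"\$\(([^()\s]+)\)")          # pipeline variable reference: $(Name)
SENSITIVE = re.compile(r"password|secret|key|token|connectionstring", re.I)

def parse_app_settings(text):
    """Split the task's '-Name value -Name2 "value 2"' string into a dict."""
    tokens = shlex.split(text)
    if len(tokens) % 2:
        raise ValueError("expected '-Name value' pairs")
    settings = {}
    for name, value in zip(tokens[0::2], tokens[1::2]):
        if not name.startswith("-"):
            raise ValueError(f"setting name must start with '-': {name!r}")
        settings[name[1:]] = value
    return settings

def audit(text, group_variables):
    """Return (setting, issue) pairs for values that bypass the variable group."""
    known = {v.lower() for v in group_variables}   # names compared case-insensitively
    findings = []
    for name, value in parse_app_settings(text).items():
        refs = VAR_REF.findall(value)
        missing = [r for r in refs if r.lower() not in known]
        if missing:
            # An unresolved $(Name) is not replaced and would be deployed as literal text.
            findings.append((name, "unresolved variable " + ", ".join(missing)))
        elif not refs and SENSITIVE.search(name):
            findings.append((name, "literal value in sensitive setting"))
    return findings

# Constructed sample: one hard-coded password and one misspelled variable name.
SAMPLE = ('-ConnectionStrings:Default "$(DbConnectionString)" -ApiKey $(ApiKey) '
          '-SmtpPassword Hunter2! -StorageKey $(StorageKee) '
          '-ASPNETCORE_ENVIRONMENT Production')
GROUP = {"DbConnectionString", "ApiKey", "StorageKey"}  # hypothetical variable group

if __name__ == "__main__":
    for setting, issue in audit(SAMPLE, GROUP):
        print(f"{setting}: {issue}")
```

Running it against the string copied from the task before saving the release catches a secret typed directly into the field, which would otherwise be stored in the pipeline definition rather than in Key Vault.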
- Creating secrets in Azure Key Vault: https://blogs.msdn.microsoft.com/benjaminperkins/2018/06/13/create-an-azure-key-vault-and-secret/
- Creating an Azure release pipeline in Azure DevOps: https://docs.microsoft.com/en-us/azure/devops/pipelines/get-started-designer?view=vsts&tabs=new-nav#create-a-release-pipeline
- Managing secrets using app.secrets and Azure Key Vault: https://social.technet.microsoft.com/wiki/contents/articles/51871.net-core-2-managing-secrets-in-web-apps.aspx