
Access to Azure KV variables from bash in Azure DevOps


I am building an Azure DevOps template that is triggered from different teams' main pipelines. During the release stage, we are fetching secrets from Azure Key Vault using the AzureKeyVault@1 task, and all secrets are downloaded and stored as output variables in the current stage, based on the log output:

##[debug]set secretKey-blabla-password=********
##[debug]Processed: ##vso[task.setvariable variable=secretKey-blabla-password;issecret=true;]***

After this task completes, I want to enumerate, in a subsequent bash task, all variables which start with a specific name (as the number of secrets will change depending on the team, but will follow a specific naming convention).

Then I try to retrieve all the variables in the next task using:

    - task: Bash@3
      displayName: Generate deployment secrets
      inputs:
        targetType: "inline"
        script: |
          env | sort  # Tried also with compgen -v

When I run the pipeline, the KV secrets are fetched correctly, and when the next task starts, the debug output shows that all the vars retrieved from the secret are loaded:

##[debug]loading SECRET_SECRETKEY-BLABLA-PASSWORD

But when I try to print all vars in the agent, I only get the env vars or any other task output var generated, but not the ones from the KV.

I know it works with an explicit input definition for these vars in the bash task, but my problem is that the name and number of secret variables will depend on the team executing the template. That's why I would like to get all exported secret vars and then, based on pattern filtering, dump these values into a specific k8s secret deployment file.

Any ideas if this can be done like this or using an alternative method?

Thanks


Solution

  • All variables from KV are considered secrets, thus you will not get them available as env variables. To have them available as env variables, you have to map them explicitly like this:

    - task: PowerShell@2
      env:
       PIPELINE_SCOPED_SECRET_VAR: $(secret1FromKV) 
       SECRET_VAR_IN_VARIABLE_GROUP: $(secret2FromKV) 
    

    Thus it would be difficult to achieve your task if you have a different set of variables. And I would rather advise not to do that, because you reveal something which is supposed to remain secret. But if you need this, please consider Azure CLI and the Azure CLI task to fetch your variables.

    And it is not possible to define this globally.
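To illustrate the Azure CLI route suggested above, here is an added example (not code from the question or the answer) that lists only the Key Vault secrets matching a team's naming prefix and renders them into a Kubernetes Secret manifest, without ever echoing the values to the pipeline log. It assumes the script runs in an AzureCLI@2 task whose service connection can list and get secrets, and the variable names KV_NAME, SECRET_PREFIX and K8S_NAMESPACE are made-up pipeline variables.

```bash
#!/usr/bin/env bash
# Added example, not from the question or the answer: fetch only the Key Vault secrets
# that follow a team's naming prefix with the Azure CLI, then render them into a
# Kubernetes Secret manifest. Values go into the manifest file only, never to stdout
# of the task, so they do not land in the (unmasked) pipeline log.
set -euo pipefail

# Keep only the secret names (one per line on stdin) that start with PREFIX.
# PREFIX is treated as a regular expression anchored at the start of the line.
filter_by_prefix() {  # usage: filter_by_prefix PREFIX
  local prefix="$1"
  grep -E "^${prefix}" || true
}

# Read "name=value" lines from stdin and emit a Kubernetes Secret manifest.
# Key Vault secret names ([A-Za-z0-9-]) are valid Secret data keys; values are base64.
render_k8s_secret() {  # usage: render_k8s_secret SECRET_NAME NAMESPACE
  local name="$1" ns="$2" line key val
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' \
    "$name" "$ns"
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    key="${line%%=*}"   # everything before the first '='
    val="${line#*=}"    # everything after it, so values may themselves contain '='
    printf '  %s: %s\n' "$key" "$(printf '%s' "$val" | base64 | tr -d '\n')"
  done
}

# Runs inside an AzureCLI@2 task whose service connection has "list" and "get"
# permission on the vault's secrets. Emits "name=value" lines for matching secrets.
fetch_from_keyvault() {  # usage: fetch_from_keyvault VAULT_NAME PREFIX
  local vault="$1" prefix="$2" n
  az keyvault secret list --vault-name "$vault" --query '[].name' -o tsv \
    | filter_by_prefix "$prefix" \
    | while IFS= read -r n; do
        printf '%s=%s\n' "$n" \
          "$(az keyvault secret show --vault-name "$vault" --name "$n" --query value -o tsv)"
      done
}

# Pipeline usage (KV_NAME, SECRET_PREFIX, K8S_NAMESPACE are assumed pipeline variables;
# PIPELINE_WORKSPACE is the agent's env form of Pipeline.Workspace):
#   umask 077
#   fetch_from_keyvault "$KV_NAME" "$SECRET_PREFIX" \
#     | render_k8s_secret team-secrets "$K8S_NAMESPACE" > "$PIPELINE_WORKSPACE/team-secrets.yaml"
```

Because the manifest holds the raw secrets, treat it like the Key Vault itself: restrict its file mode as shown, apply it with kubectl, and do not publish it as a pipeline artifact.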