Tags: azure, azure-devops, azure-pipelines, devops, azure-keyvault

Unable to Retrieve Multiple Secrets from Azure Key Vault in Azure DevOps Pipeline


I'm facing an issue with my Azure DevOps pipeline where I can successfully retrieve one secret from Azure Key Vault, but not the others. Specifically, I'm able to retrieve one secret, but when I try to retrieve other secrets, they are not being set correctly in the pipeline.

My Setup

  1. Azure Key Vault Configuration:

    • I have multiple secrets stored in Azure Key Vault (my-keyvault).
    • The secrets include:
      • SecretOne
      • SecretTwo
      • SecretThree
      • SecretFour
  2. Access Policies:

    • The service principal used by Azure DevOps has Get and List permissions for secrets.
  3. Azure DevOps Pipeline Configuration:

    • The pipeline is configured to retrieve secrets using the AzureKeyVault@1 task.
    • I verified that the service principal has the correct access permissions.

Pipeline Script

Here is the simplified version of my pipeline script for testing secret retrieval:

trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'my-azure-subscription'
    KeyVaultName: 'my-keyvault'
    SecretsFilter: 'SecretOne,SecretTwo,SecretThree,SecretFour'
    RunAsPreJob: true

- script: |
    echo "SecretOne: ${SecretOne}"
    echo "SecretTwo: ${SecretTwo}"
    echo "SecretThree: ${SecretThree}"
    echo "SecretFour: ${SecretFour}"
  displayName: 'Print Secrets for Verification'

Issue

  • The secret SecretOne is correctly retrieved and printed.
  • The other secrets (SecretTwo, SecretThree, and SecretFour) are not being retrieved and printed.

Debugging Steps Taken

  1. Verified Access Policies:

    • Confirmed that the service principal has Get and List permissions in the Key Vault.
  2. Checked Secret Names:

    • Ensured that the secret names are correctly specified and match exactly, including case sensitivity.
  3. Tested with Azure CLI:

    • Verified that all secrets can be retrieved using Azure CLI commands.

Request for Help

I need assistance in understanding why only one secret is being retrieved successfully while the others are not. Any insights or suggestions on what might be going wrong and how to fix this issue would be greatly appreciated.


Thank you in advance for your help!



Solution

  • Azure Pipelines makes an effort to mask secrets when emitting data to pipeline logs, so you may see additional variables and data masked in output and logs that are not set as secrets.

    This is by design, as you don't want sensitive information being exposed in the logs.

    Example:

    pool:
      vmImage: 'ubuntu-latest'
    
    steps:
    - task: AzureKeyVault@1
      inputs:
        azureSubscription: 'repo-kv-demo'
        KeyVaultName: 'kv-demo-repo'
        SecretsFilter: 'secretDemo'
        RunAsPreJob: true
    
    # other tasks here
    
    - bash: |
        echo "Secret Found! $MY_MAPPED_ENV_VAR"
      env:
        MY_MAPPED_ENV_VAR: $(secretDemo)
    

    The output from the bash command should look like this:

    Secret Found! ***
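A verification step to go with the answer above, added here and not part of the question or the answer: it checks that each secret mapped through `env:` actually reached the script without printing the value (the masking would turn it into `***` anyway), and it distinguishes an empty variable from the case where the pipeline variable does not exist at all, which leaves the literal `$(Name)` macro text in the environment. The variable names and demo values are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answer): verify that secrets mapped with
# `env:` reached the script, printing only each variable's name, status and length.
# Variable names below are hypothetical.

# check_secrets NAME... -> 0 if every named variable holds a usable value, 1 otherwise.
# Failure modes reported:
#   MISSING    : empty or never mapped into env:
#   UNEXPANDED : value is the literal "$(Name)", i.e. the pipeline variable does not
#                exist (secret not in SecretsFilter or name mismatch), so the macro
#                syntax was passed through as-is
check_secrets() {
  failed=0
  for name in "$@"; do
    # only accept identifier-shaped names before handing them to eval
    case $name in
      ''|[0-9]*|*[!A-Za-z0-9_]*) echo "INVALID  $name: not an identifier"; failed=1; continue ;;
    esac
    eval "value=\${$name:-}"
    case $value in
      '')        echo "MISSING  $name: empty or not mapped via env:"; failed=1 ;;
      '$('*')')  echo "UNEXPANDED $name: literal $value (pipeline variable undefined)"; failed=1 ;;
      *)         echo "OK       $name: length=${#value}" ;;
    esac
  done
  return $failed
}

# Constructed demonstration values (not real secrets): one good mapping, one empty,
# one where the macro was left unexpanded because the variable did not exist.
DEMO_GOOD='s3cr3t-value'
DEMO_EMPTY=''
DEMO_UNEXPANDED='$(SecretTwo)'
check_secrets DEMO_GOOD DEMO_EMPTY DEMO_UNEXPANDED || echo "one or more secrets did not arrive"
```

In the pipeline this replaces the `echo` of the mapped variable; a non-zero exit fails the step instead of silently printing an empty or masked line.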