{"id":3238,"date":"2022-04-25T16:30:40","date_gmt":"2022-04-25T16:30:40","guid":{"rendered":"https:\/\/exceedthecloud.com\/?p=3238"},"modified":"2022-04-25T16:30:45","modified_gmt":"2022-04-25T16:30:45","slug":"integrating-azure-key-vault-with-azure-devops","status":"publish","type":"post","link":"https:\/\/exceedthecloud.com\/?p=3238","title":{"rendered":"Integrating Azure Key Vault with Azure DevOps"},"content":{"rendered":"\n<p>Azure Key Vault provides secure storage and management of sensitive data, such as keys, passwords, and certificates. Azure Key Vault includes support for hardware security modules, as well as a range of encryption algorithms and key lengths. By using Azure Key Vault, you can minimize the possibility of disclosing sensitive data through source code, which is a common mistake made by developers. Access to Azure Key Vault requires proper authentication and authorization, supporting fine-grained permissions to its content.<\/p>\n\n\n\n<p>In this lab, you will see how you can integrate Azure Key Vault with an Azure DevOps pipeline by using the following steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>create an Azure Key vault to store a MySQL server password as a secret.<\/li><li>create an Azure service principal to provide access to secrets in the Azure Key vault.<\/li><li>configure permissions to allow the service principal to read the secret.<\/li><li>configure the pipeline to retrieve the password from the Azure Key vault and pass it on to subsequent tasks.<\/li><\/ul>\n\n\n\n<p>After you complete this lab, you will be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Create an Azure Active Directory (Azure AD) service principal.<\/li><li>Create an Azure key vault.<\/li><li>Track pull requests through the Azure DevOps pipeline.<\/li><\/ul>\n\n\n\n<p><strong>Review applications required for this lab<\/strong><\/p>\n\n\n\n<p>Identify the applications that you\u2019ll use in this lab:<\/p>\n\n\n\n<ul
class=\"wp-block-list\"><li>Microsoft Edge<\/li><\/ul>\n\n\n\n<p><strong>Prepare an Azure subscription<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Identify an existing Azure subscription or create a new one.<\/li><li>Verify that you have a Microsoft account or an Azure AD account with the Owner role in the Azure subscription and the Global Administrator role in the Azure AD tenant associated with the Azure subscription. For details, refer to\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/role-based-access-control\/role-assignments-list-portal\" target=\"_blank\" rel=\"noreferrer noopener\">List Azure role assignments using the Azure portal<\/a>\u00a0and\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/roles\/manage-roles-portal#view-my-roles\" target=\"_blank\" rel=\"noreferrer noopener\">View and assign administrator roles in Azure Active Directory<\/a>.<\/li><\/ul>\n\n\n\n<p><strong>Set up an Azure DevOps organization<\/strong><\/p>\n\n\n\n<p>If you don\u2019t already have an Azure DevOps organization that you can use for this lab, create one by following the instructions available at\u00a0<a href=\"https:\/\/exceedthecloud.com\/?p=2937\" target=\"_blank\" rel=\"noreferrer noopener\">Create an organization or project collection<\/a>.<\/p>\n\n\n\n<p><strong>Lab0: Configure the lab prerequisites<\/strong><\/p>\n\n\n\n<p>In this Lab, you will set up the prerequisites for the lab, which consist of the preconfigured Parts Unlimited team project based on an Azure DevOps Demo Generator template.<\/p>\n\n\n\n<p><strong>Task 1: Configure the team project<\/strong><\/p>\n\n\n\n<p>In this task, you will use Azure DevOps Demo Generator to generate a new project based on the&nbsp;<strong>Azure Key Vault<\/strong>&nbsp;template.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>On your lab computer, start a web browser and navigate to\u00a0<a href=\"https:\/\/azuredevopsdemogenerator.azurewebsites.net\/\" target=\"_blank\" rel=\"noreferrer
noopener\">Azure DevOps Demo Generator<\/a>. This utility site will automate the process of creating a new Azure DevOps project within your account that is prepopulated with content (work items, repos, etc.) required for the lab.<\/li><\/ul>\n\n\n\n<p><strong>Note<\/strong>: For more information on the site, see https:\/\/docs.microsoft.com\/en-us\/azure\/devops\/demo-gen.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\" start=\"2\"><li>Click\u00a0<strong>Sign in<\/strong>\u00a0and sign in using the Microsoft account associated with your Azure DevOps subscription.<\/li><li>If required, on the\u00a0<strong>Azure DevOps Demo Generator<\/strong>\u00a0page, click\u00a0<strong>Accept<\/strong>\u00a0to accept the permission requests for accessing your Azure DevOps subscription.<\/li><li>On the\u00a0<strong>Create New Project<\/strong>\u00a0page, in the\u00a0<strong>New Project Name<\/strong>\u00a0textbox, type\u00a0<strong>Integrating Azure Key Vault with Azure DevOps<\/strong>, in the\u00a0<strong>Select organization<\/strong>\u00a0dropdown list, select your Azure DevOps organization, and then click\u00a0<strong>Choose template<\/strong>.<\/li><li>On the\u00a0<strong>Choose a template<\/strong>\u00a0page, in the header menu, click\u00a0<strong>DevOps Labs<\/strong>, in the list of templates, click the\u00a0<strong>Azure Key Vault<\/strong>\u00a0template, and then click\u00a0<strong>Select Template<\/strong>.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"287\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture1-9.png\" alt=\"\" class=\"wp-image-3239\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture1-9.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture1-9-300x138.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>Back on 
the\u00a0<strong>Create New Project<\/strong>\u00a0page, select the checkbox below the\u00a0<strong>ARM Outputs<\/strong>\u00a0label, and click\u00a0<strong>Create Project<\/strong>.<\/li><\/ul>\n\n\n\n<p><strong>Note<\/strong>: Wait for the process to complete. This should take about 2 minutes. In case the process fails, navigate to your DevOps organization, delete the project, and try again.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\" start=\"2\"><li>On the\u00a0<strong>Create New Project<\/strong>\u00a0page, click\u00a0<strong>Navigate to project<\/strong>.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"435\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture2-9.png\" alt=\"\" class=\"wp-image-3240\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture2-9.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture2-9-300x209.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><strong>Lab1: Integrate Azure Key Vault with Azure DevOps<\/strong><\/p>\n\n\n\n<p>In this lab, you will:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>create an Azure service principal that will provide access to secrets in an Azure Key vault.<\/li><li>create the Azure Key vault to store a MySQL server password as a secret.<\/li><li>configure permissions to allow the service principal to read the secret.<\/li><li>configure the pipeline to retrieve the password from the Azure Key vault and pass it on to subsequent tasks.<\/li><\/ul>\n\n\n\n<p><strong>Task 1: Create a service principal<\/strong><\/p>\n\n\n\n<p>In this task, you will create a service principal by using the Azure CLI.<\/p>\n\n\n\n<p><strong>Note<\/strong>: If you already have a service principal, you can proceed directly to the next task.<\/p>\n\n\n\n<p>You will need a service principal to deploy an app to an Azure resource from Azure Pipelines.
Since we are going to retrieve secrets in a pipeline, we will need to grant permission to the service principal when we create the Azure Key vault.<\/p>\n\n\n\n<p>A service principal is automatically created by Azure Pipelines when you connect to an Azure subscription from inside a pipeline definition or when you create a new service connection from the project settings page. You can also manually create the service principal from the portal or using Azure CLI and re-use it across projects. It is recommended that you use an existing service principal when you want to have a pre-defined set of permissions.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>From the lab computer, start a web browser, navigate to the\u00a0<a href=\"https:\/\/portal.azure.com\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Azure Portal<\/strong><\/a>, and sign in with the user account that has the Owner role in the Azure subscription you will be using in this lab and the Global Administrator role in the Azure AD tenant associated with this subscription.<\/li><li>In the Azure portal, click the\u00a0<strong>Cloud Shell<\/strong>\u00a0icon, located directly to the right of the search textbox at the top of the page.<\/li><li>If prompted to select either\u00a0<strong>Bash<\/strong>\u00a0or\u00a0<strong>PowerShell<\/strong>, select\u00a0<strong>Bash<\/strong>.<\/li><\/ul>\n\n\n\n<p><strong>Note<\/strong>: If this is the first time you are starting&nbsp;<strong>Cloud Shell<\/strong>&nbsp;and you are presented with the&nbsp;<strong>You have no storage mounted<\/strong>&nbsp;message, select the subscription you are using in this lab, and select&nbsp;<strong>Create storage<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>From the\u00a0<strong>Bash<\/strong>\u00a0prompt, in the\u00a0<strong>Cloud Shell<\/strong>\u00a0pane, run the following command to create a service principal (replace the\u00a0&lt;service-principal-name>\u00a0with any unique string of characters
consisting of letters and digits):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Create a service principal with the Contributor role, scoped to the current subscription\naz ad sp create-for-rbac --name &lt;service-principal-name> --role Contributor --scopes \/subscriptions\/$(az account show --query id --output tsv)<\/code><\/pre>\n\n\n\n<p><strong>Note<\/strong>: The command will generate a JSON output. Copy the output to a text file. You will need it later in this lab. The output includes the service principal password (its client secret), so treat the file as sensitive and delete it once the service connection has been created.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"147\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture3-9.png\" alt=\"\" class=\"wp-image-3241\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture3-9.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture3-9-300x71.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>From the\u00a0<strong>Bash<\/strong>\u00a0prompt, in the\u00a0<strong>Cloud Shell<\/strong>\u00a0pane, run the following commands to retrieve the values of the Azure subscription ID and subscription name attributes:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Subscription ID\naz account show --query id --output tsv\n# Subscription name\naz account show --query name --output tsv\n<\/code><\/pre>\n\n\n\n<p><strong>Note<\/strong>: Copy both values to a text file.
You will need them later in this lab.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"146\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture4-9.png\" alt=\"\" class=\"wp-image-3242\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture4-9.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture4-9-300x70.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Task 2: Create an Azure Key vault<\/strong><\/p>\n\n\n\n<p>In this task, you will create an Azure Key vault by using the Azure portal.<\/p>\n\n\n\n<p>For this lab scenario, we have an app that connects to a MySQL database. We intend to store the password for the MySQL database as a secret in the key vault.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>In the Azure portal, in the\u00a0<strong>Search resources, services, and docs<\/strong>\u00a0text box, type\u00a0<strong>Key vaults<\/strong>\u00a0and press the\u00a0<strong>Enter<\/strong>\u00a0key.<\/li><li>On the\u00a0<strong>Key vaults<\/strong>\u00a0blade, click\u00a0<strong>+ Create<\/strong>.<\/li><li>On the\u00a0<strong>Basics<\/strong>\u00a0tab of the\u00a0<strong>Create key vault<\/strong>\u00a0blade, specify the following settings and click\u00a0<strong>Next: Access policy<\/strong>:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><td>Setting<\/td><td>Value<\/td><\/tr><\/thead><tbody><tr><td>Subscription<\/td><td>the name of the Azure subscription you are using in this lab<\/td><\/tr><tr><td>Resource group<\/td><td>the name of a new resource group&nbsp;<strong>exceeed-azkvpipeline-rg<\/strong><\/td><\/tr><tr><td>Key vault name<\/td><td>any unique valid name<\/td><\/tr><tr><td>Region<\/td><td>an Azure region close to the location of your lab environment<\/td><\/tr><tr><td>Pricing 
tier<\/td><td><strong>Standard<\/strong><\/td><\/tr><tr><td>Days to retain deleted vaults<\/td><td><strong>7<\/strong><\/td><\/tr><tr><td>Purge protection<\/td><td><strong>Disable purge protection<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"591\" height=\"796\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture5-9.png\" alt=\"\" class=\"wp-image-3243\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture5-9.png 591w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture5-9-223x300.png 223w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\" \/><\/figure>\n\n\n\n<p>On the\u00a0<strong>Access policy<\/strong>\u00a0tab of the\u00a0<strong>Create key vault<\/strong>\u00a0blade, click\u00a0<strong>+ Add Access Policy<\/strong>\u00a0to set up a new policy.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"307\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture6-9.png\" alt=\"\" class=\"wp-image-3244\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture6-9.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture6-9-300x148.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><strong>Note<\/strong>: You need to secure access to your key vaults by allowing only authorized applications and users.
To access the data from the vault, you will need to provide read (Get) permissions to the service principal that you will be using for authentication in the pipeline.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>On the\u00a0<strong>Add access policy<\/strong>\u00a0blade, click the\u00a0<strong>None selected<\/strong>\u00a0link directly under the\u00a0<strong>Select principal<\/strong>\u00a0label.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"595\" height=\"576\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture7-9.png\" alt=\"\" class=\"wp-image-3245\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture7-9.png 595w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture7-9-300x290.png 300w\" sizes=\"auto, (max-width: 595px) 100vw, 595px\" \/><\/figure>\n\n\n\n<p>On the\u00a0<strong>Principal<\/strong>\u00a0blade, search for the security principal that you created in the previous Lab, select it, and then click\u00a0<strong>Select<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"552\" height=\"821\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture8-9.png\" alt=\"\" class=\"wp-image-3246\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture8-9.png 552w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture8-9-202x300.png 202w\" sizes=\"auto, (max-width: 552px) 100vw, 552px\" \/><\/figure>\n\n\n\n<p>Back on the\u00a0<strong>Add access policy<\/strong>\u00a0blade, in the\u00a0<strong>Secret permissions<\/strong>\u00a0drop down list, select checkboxes next to the\u00a0<strong>Get<\/strong>\u00a0and\u00a0<strong>List<\/strong>\u00a0permissions and then click\u00a0<strong>Add<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"529\" 
height=\"566\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture9-9.png\" alt=\"\" class=\"wp-image-3247\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture9-9.png 529w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture9-9-280x300.png 280w\" sizes=\"auto, (max-width: 529px) 100vw, 529px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>Back on the\u00a0<strong>Access policy<\/strong>\u00a0tab of the\u00a0<strong>Create key vault<\/strong>\u00a0blade, click\u00a0<strong>Review + create<\/strong>\u00a0and, on the\u00a0<strong>Review + create<\/strong>\u00a0blade, click\u00a0<strong>Create<\/strong>.<\/li><\/ul>\n\n\n\n<p><strong>Note<\/strong>: Wait for the Azure Key vault to be provisioned. This should take less than 1 minute.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\" start=\"2\"><li>On the\u00a0<strong>Your deployment is complete<\/strong>\u00a0blade, click\u00a0<strong>Go to resource<\/strong>.<\/li><li>On the Azure Key vault blade, in the vertical menu on the left side of the blade, in the\u00a0<strong>Settings<\/strong>\u00a0section, click\u00a0<strong>Secrets<\/strong>.<\/li><li>On the\u00a0<strong>Secrets<\/strong>\u00a0blade, click\u00a0<strong>Generate\/Import<\/strong>.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"351\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture10-9.png\" alt=\"\" class=\"wp-image-3248\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture10-9.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture10-9-300x169.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>On the\u00a0<strong>Create a secret<\/strong>\u00a0blade, specify the following settings and click\u00a0<strong>Create<\/strong>\u00a0(leave others with their 
default values):<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><td>Setting<\/td><td>Value<\/td><\/tr><\/thead><tbody><tr><td>Upload options<\/td><td><strong>Manual<\/strong><\/td><\/tr><tr><td>Name<\/td><td><strong>sqldbpassword<\/strong><\/td><\/tr><tr><td>Value<\/td><td>any valid MySQL password value<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"812\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture11-9.png\" alt=\"\" class=\"wp-image-3249\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture11-9.png 601w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture11-9-222x300.png 222w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/figure>\n\n\n\n<p><strong>Task 3: Check the Azure Pipeline<\/strong><\/p>\n\n\n\n<p>In this task, you will configure the Azure Pipeline to retrieve the secret from the Azure Key vault.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>On your lab computer, start a web browser and navigate to the Azure DevOps project\u00a0<strong>Integrating Azure Key Vault with Azure DevOps<\/strong>\u00a0you created in the previous Lab.<\/li><li>In the vertical navigational pane of the Azure DevOps portal, select\u00a0<strong>Pipelines<\/strong>\u00a0and verify that the\u00a0<strong>Pipelines<\/strong>\u00a0pane is displayed.<\/li><li>On the\u00a0<strong>Pipelines<\/strong>\u00a0pane, click the entry representing the\u00a0<strong>SmartHotel-CouponManagement-CI<\/strong>\u00a0pipeline. Click\u00a0<strong>Edit<\/strong>.<\/li><li>On the pipeline definition, make sure the\u00a0<strong>Pipeline<\/strong>\u00a0>\u00a0<strong>Agent Specification<\/strong>\u00a0is\u00a0<strong>ubuntu 18.04<\/strong>.
Click\u00a0<strong>Save and Queue<\/strong>\u00a0>\u00a0<strong>Queue<\/strong>\u00a0>\u00a0<strong>Run<\/strong>\u00a0to trigger a build.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"473\" height=\"838\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture12-9.png\" alt=\"\" class=\"wp-image-3250\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture12-9.png 473w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture12-9-169x300.png 169w\" sizes=\"auto, (max-width: 473px) 100vw, 473px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>In the vertical navigational pane of the Azure DevOps portal, in the\u00a0<strong>Pipelines<\/strong>\u00a0section, select\u00a0<strong>Releases<\/strong>.<\/li><li>On the\u00a0<strong>SmartHotel-CouponManagement-CD<\/strong>\u00a0pane, click\u00a0<strong>Edit<\/strong>\u00a0in the upper right corner.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"329\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture13-8.png\" alt=\"\" class=\"wp-image-3251\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture13-8.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture13-8-300x158.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>On the\u00a0<strong>All pipelines > SmartHotel-CouponManagement-CD<\/strong>\u00a0pane, select the\u00a0<strong>Task<\/strong>\u00a0tab and, in the dropdown menu, select\u00a0<strong>Dev<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"303\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture14-7.png\" alt=\"\" class=\"wp-image-3252\"
srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture14-7.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture14-7-300x146.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><strong>Note<\/strong>: The release definition for&nbsp;<strong>Dev<\/strong>&nbsp;stage has an&nbsp;<strong>Azure Key Vault<\/strong>&nbsp;task. This task downloads&nbsp;<em>Secrets<\/em>&nbsp;from an Azure Key Vault. You will need to point to the subscription and the Azure Key Vault resource created earlier in the lab.<\/p>\n\n\n\n<p><strong>Note<\/strong>: You need to authorize the pipeline to deploy to Azure. Azure pipelines can automatically create a service connection with a new service principal,&nbsp;<strong>but we want to use the one we created earlier<\/strong>, as it has been authorized to read the secret.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>Select\u00a0<strong>Run on agent<\/strong>\u00a0and modify\u00a0<strong>Agent pool<\/strong>\u00a0field to\u00a0<strong>Azure Pipelines<\/strong>\u00a0and agent specification\u00a0<strong>ubuntu 18.04<\/strong>.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"510\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture15-8.png\" alt=\"\" class=\"wp-image-3253\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture15-8.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture15-8-300x245.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>Select the\u00a0<strong>Azure Key Vault<\/strong>\u00a0task and, on the right side, in the\u00a0<strong>Azure Key Vault<\/strong>\u00a0task properties, next to the\u00a0<strong>Azure subscription<\/strong>\u00a0label, click\u00a0<strong>Manage<\/strong>. 
This will open another browser tab displaying the\u00a0<strong>Service connections<\/strong>\u00a0pane in the Azure DevOps portal.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"417\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture16-7.png\" alt=\"\" class=\"wp-image-3254\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture16-7.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture16-7-300x200.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>On the\u00a0<strong>Service connections<\/strong>\u00a0pane, click\u00a0<strong>New Service connection<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"460\" height=\"704\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture17-7.png\" alt=\"\" class=\"wp-image-3255\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture17-7.png 460w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture17-7-196x300.png 196w\" sizes=\"auto, (max-width: 460px) 100vw, 460px\" \/><\/figure>\n\n\n\n<p>On the\u00a0<strong>New service connection<\/strong>\u00a0pane, select the\u00a0<strong>Azure Resource Manager<\/strong>\u00a0option, click\u00a0<strong>Next<\/strong>, select\u00a0<strong>Service Principal (manual)<\/strong>, and click\u00a0<strong>Next<\/strong>\u00a0again.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"452\" height=\"381\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture18-7.png\" alt=\"\" class=\"wp-image-3256\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture18-7.png 452w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture18-7-300x253.png 300w\" sizes=\"auto, (max-width: 452px) 100vw, 452px\" 
\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>On the\u00a0<strong>New service connection<\/strong>\u00a0pane, specify the following settings, using the information you copied to a text file in the first task of this Lab following creation of the service principal by using Azure CLI:<ul><li>Subscription Id: the value you obtained by running\u00a0az account show --query id --output tsv<\/li><li>Subscription Name: the value you obtained by running\u00a0az account show --query name --output tsv<\/li><li>Service Principal Id: the value labeled\u00a0<strong>appId<\/strong>\u00a0in the output generated by running\u00a0az ad sp create-for-rbac<\/li><li>Service Principal key: the value labeled\u00a0<strong>password<\/strong>\u00a0in the output generated by running\u00a0az ad sp create-for-rbac<\/li><li>TenantId: the value labeled\u00a0<strong>tenant<\/strong>\u00a0in the output generated by running\u00a0az ad sp create-for-rbac<\/li><\/ul><\/li><li>On the\u00a0<strong>New service connection<\/strong>\u00a0pane, click\u00a0<strong>Verify<\/strong>\u00a0to determine whether the information you provided is valid.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"446\" height=\"832\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture19-6.png\" alt=\"\" class=\"wp-image-3257\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture19-6.png 446w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture19-6-161x300.png 161w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><\/figure>\n\n\n\n<p>Once you receive the\u00a0<strong>Verification Succeeded<\/strong>\u00a0response, in the\u00a0<strong>Service connection name<\/strong>\u00a0textbox, type\u00a0<strong>kv-service-connection<\/strong>\u00a0and click\u00a0<strong>Verify and Save<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\"
decoding=\"async\" width=\"447\" height=\"835\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture20-5.png\" alt=\"\" class=\"wp-image-3258\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture20-5.png 447w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture20-5-161x300.png 161w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>Switch back to the web browser tab displaying the pipeline definition and the\u00a0<strong>Azure Key Vault<\/strong>\u00a0task.<\/li><li>With the\u00a0<strong>Azure Key Vault<\/strong>\u00a0task selected, on the\u00a0<strong>Azure Key Vault<\/strong>\u00a0pane, click the\u00a0<strong>Refresh<\/strong>\u00a0button, in the\u00a0<strong>Azure subscription<\/strong>\u00a0dropdown list, select the\u00a0<strong>kv-service-connection<\/strong>\u00a0entry, in the\u00a0<strong>Key vault<\/strong>\u00a0dropdown list, select the entry representing the Azure Key vault you created in the first task, and, in the\u00a0<strong>Secrets filter<\/strong>\u00a0textbox, type\u00a0<strong>sqldbpassword<\/strong>. Finally, expand the\u00a0<strong>Output Variables<\/strong>\u00a0section and, in the\u00a0<strong>Reference name<\/strong>\u00a0textbox, type\u00a0<strong>sqldbpassword<\/strong>.<\/li><\/ul>\n\n\n\n<p><strong>Note<\/strong>: At runtime, Azure Pipelines will fetch the latest value of the secret and set it as the task variable&nbsp;<strong>$(sqldbpassword)<\/strong>. 
The secret can then be consumed by subsequent tasks by referencing that variable. Because it is set as a secret variable, Azure Pipelines masks its value in the logs.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\" start=\"3\"><li>To verify this, select the next task,\u00a0<strong>Azure Deployment<\/strong>, which deploys an ARM template, and review the content of the\u00a0<strong>Override template parameters<\/strong>\u00a0textbox.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>-webAppName $(webappName) -mySQLAdminLoginName \"azureuser\" -mySQLAdminLoginPassword $(sqldbpassword)<\/code><\/pre>\n\n\n\n<p><strong>Note<\/strong>: The&nbsp;<strong>Override template parameters<\/strong>&nbsp;content references the&nbsp;<strong>sqldbpassword<\/strong>&nbsp;variable to set the MySQL admin password. This will provision the MySQL database defined in the ARM template using the password that you have specified in the key vault.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>You may complete the pipeline definition by specifying the subscription (if a new subscription is used in the project, click\u00a0<strong>Authorize<\/strong>) and the location for the task.\u00a0<strong>Repeat<\/strong>\u00a0the same for the last task in the pipeline,\u00a0<strong>Azure App Service Deploy<\/strong>\u00a0(choose the subscription from the\u00a0<strong>Available Azure service connection<\/strong>\u00a0section in the dropdown).<\/li><\/ul>\n\n\n\n<p><strong>Note<\/strong>: In the Azure subscription dropdown list, you will see&nbsp;<strong>Available Azure service connections<\/strong>&nbsp;for those subscriptions that have already been authorized to be connected to Azure.
If you select the authorized subscription again (from&nbsp;<strong>Available Azure subscriptions<\/strong>&nbsp;list) and try to&nbsp;<strong>Authorize<\/strong>, the process will fail.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\" start=\"2\"><li>On the\u00a0<strong>Variables<\/strong>\u00a0tab, change the\u00a0<strong>resourcegroup<\/strong>\u00a0variable to plain text (click on lock) and write\u00a0<strong>exceeed-azkvpipeline-rg<\/strong>\u00a0in the value field.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"212\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture21-5.png\" alt=\"\" class=\"wp-image-3259\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture21-5.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture21-5-300x102.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>Finally,\u00a0<strong>Save<\/strong>\u00a0and click on\u00a0<strong>Create a new release<\/strong>\u00a0>\u00a0<strong>Create<\/strong>\u00a0(leave defaults) to start the deployment.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"230\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture22-4.png\" alt=\"\" class=\"wp-image-3260\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture22-4.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture22-4-300x111.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"608\" height=\"858\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture23-3.png\" alt=\"\" class=\"wp-image-3261\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture23-3.png 608w, 
https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture23-3-213x300.png 213w\" sizes=\"auto, (max-width: 608px) 100vw, 608px\" \/><\/figure>\n\n\n\n<p>Make sure your pipeline runs successfully and, once finished, review the created resources by opening the resource group\u00a0<strong>exceeed-azkvpipeline-rg<\/strong>\u00a0in the Azure Portal. Open the\u00a0<strong>App Service<\/strong>\u00a0and browse it\u00a0<strong>(Overview -> Browse)<\/strong> to see the published website.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"316\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture24-3.png\" alt=\"\" class=\"wp-image-3262\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture24-3.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture24-3-300x152.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"471\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture25-3.png\" alt=\"\" class=\"wp-image-3263\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture25-3.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/Picture25-3-300x226.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><strong>Review<\/strong><\/p>\n\n\n\n<p>In this lab, you integrated Azure Key Vault with an Azure DevOps pipeline by using the following steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>created an Azure Key vault to store a MySQL server password as a secret.<\/li><li>created an Azure service principal to provide access to secrets in the Azure Key vault.<\/li><li>configured permissions to allow the service principal to read the secret.<\/li><li>configured the pipeline to retrieve the password from the 
Azure Key vault and pass it on to subsequent tasks.<\/li><\/ul>\n\n\n\n<p><mark class=\"kt-highlight\">Reminder: Don\u2019t forget to delete or shut down all unused Azure resources after your labs to save costs.<\/mark><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Azure Key Vault provides secure storage and management of sensitive data, such as keys, passwords, and certificates. Azure Key Vault includes support for hardware security modules, as well as a range of encryption algorithms and key lengths. By using Azure &hellip; <a href=\"https:\/\/exceedthecloud.com\/?p=3238\">Continued<\/a><\/p>\n","protected":false},"author":1,"featured_media":3265,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"kt_blocks_editor_width":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16,4,18],"tags":[8,105,59,107,58],"class_list":["post-3238","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","category-practical-labs-series","category-security","tag-azure","tag-devops","tag-key-vault","tag-pipelines","tag-security"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/04\/istockphoto-1211202854-612x612-1.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/posts\/3238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embedda
ble":true,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3238"}],"version-history":[{"count":1,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/posts\/3238\/revisions"}],"predecessor-version":[{"id":3264,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/posts\/3238\/revisions\/3264"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/media\/3265"}],"wp:attachment":[{"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}