Azure DevOps Integration

This extension allows for the retrieval of ASCII secrets from an Azure-accessible instance of DevOps Secrets Safe.

Prerequisites

In order for this extension to retrieve a secret for use in a given Azure DevOps pipeline, the DevOps Secrets Safe instance must be preconfigured with the secret in question and an application principal authorized to read it. The URI of the secret and both the application name and API key assigned to the application are required as input values for this extension.

Secrets Safe Instance Configuration

DevOps Secrets Safe Instance Configuration for AzureDevOps Integration

Enter the public hostname/IP of the DevOps Secrets Safe instance, as well as the port, API version, request timeout (seconds), and server certificate verification flag. The default values are shown in the provided image.

The build agents must have access to the certificate authority that signed the certificate used by the DevOps Secrets Safe cluster ingress service, whether that certificate authority is publicly available or installed on the build agent itself.

Authentication

DevOps Secrets Safe Instance Authentication for AzureDevOps Integration

Enter the name of the application authorized to read the requested secrets, as well as the associated API key. The default application name is azure-devops, unless specified otherwise.

Secret

DevOps Secrets Safe Instance Secret for AzureDevOps Integration

Enter the URI of the requested secret, and the name of the pipeline variable to populate. If this variable is configured as secret, then this extension both populates the value and retains the secret state, not logging the output to the task log. The secret variable can then be used in a subsequent task in the pipeline without ever exposing the value.

Multi-line values are allowed only if the storage variable is not marked secret. Azure DevOps secret pipeline variables support only single-line secrets, and the DevOps Secrets Safe secret retrieval fails if a multi-line secret is requested to populate a secret pipeline variable.
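
The following is an added illustration, not the extension's own code: it shows how a pipeline task can populate a variable through the Azure Pipelines task.setvariable logging command while keeping it secret, and how a multi-line value is rejected for a secret variable as described above. The function names and sample values are assumptions made for this example.

```javascript
// Added illustration; this is not the extension's source code.
// Escaping follows the Azure Pipelines logging-command convention.
function escapeData(s) {
  return s.replace(/%/g, '%AZP25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
}

function escapeProperty(s) {
  return escapeData(s).replace(/\]/g, '%5D').replace(/;/g, '%3B');
}

// Returns the line a task writes to stdout to populate a pipeline variable.
function buildSetVariableCommand(name, value, isSecret) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new Error('pipeline variable name is required');
  }
  // The page describes ASCII secrets; enforcing that here is this example's choice.
  if (typeof value !== 'string' || !/^[\x00-\x7F]*$/.test(value)) {
    throw new Error(`value for "${name}" is not ASCII text`);
  }
  // Secret pipeline variables are single-line, so fail instead of truncating.
  // The error names the variable only and never echoes the value.
  if (isSecret && /[\r\n]/.test(value)) {
    throw new Error(`"${name}" is secret and the retrieved value is multi-line`);
  }
  const props = `variable=${escapeProperty(name)};issecret=${isSecret ? 'true' : 'false'}`;
  return `##vso[task.setvariable ${props}]${escapeData(value)}`;
}

// Message that is safe for the task log: it never contains the value.
function describeForLog(name, isSecret) {
  return `populated "${name}" (${isSecret ? 'secret, value not logged' : 'not secret'})`;
}

// Constructed sample values, not real credentials.
console.log(describeForLog('DB_PASSWORD', true));
console.log(buildSetVariableCommand('MOTD', 'line one\nline two', false));
```

In a YAML pipeline, a variable set this way with issecret=true is not exported to scripts automatically; a later step has to map it explicitly through its env: block.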