Azure DevOps Integration
Retrieve Secrets from DevOps Secrets Safe
This extension allows for the retrieval of ASCII secrets from an Azure-accessible instance of DevOps Secrets Safe.
In order for this extension to retrieve a secret for use in a given Azure DevOps pipeline, the DevOps Secrets Safe instance must be preconfigured with the secret in question and an application principal authorized to read it. The URI of the secret and both the application name and API key assigned to the application are required as input values for this extension.
Secrets Safe Instance Configuration
Enter the public hostname/IP of the DevOps Secrets Safe instance, along with the port, API version, request timeout (seconds), and server certificate verification flag. The default values are shown in the provided image.
The build agents require access to the certificate authority used to sign the certificate used by the DevOps Secrets Safe cluster ingress service, be it a publicly available certificate or installed to the build agent itself.
Enter the name of the application authorized to read the requested secrets, along with the associated API key. The default application name is azure-devops, unless specified.
Enter the URI of the requested secret, and the name of the pipeline variable to populate. If this variable is configured as secret, then this extension both populates the value and retains the secret state, not logging the output to the task log. The secret variable can then be used in a subsequent task in the pipeline without ever exposing the value.
Multi-line values are allowed only if the storage variable is not marked secret. Azure DevOps secret pipeline variables only support single line secrets, and the DevOps Secrets Safe secret retrieval will fail if a secret is multilined and requested to populate a secret pipeline variable.