In our project we need to store secrets in Azure Key Vault and use them in Bitbucket Pipelines. Is it possible to do it?
I cannot find anything about that.
Thanks for helping.
Hello @Susana Abrantes,
Welcome to the Community!
Once your credentials are stored in the Azure Key Vault, you can fetch them in your Bitbucket pipeline by using the Azure CLI run pipe. This is a pipe developed by Microsoft that enables you to run the commands available in the Azure CLI against your Azure instance.
Since the Azure CLI provides the functionality to retrieve a secret from the Key Vault, you can leverage that in your pipeline build.
The example below illustrates how to configure a step to use the Azure CLI run pipe to fetch a secret from your Key Vault:
script:
  - echo "Using Azure-cli-run pipe"
  - pipe: microsoft/azure-cli-run:1.1.0
    variables:
      AZURE_APP_ID: $AZURE_APP_ID
      AZURE_PASSWORD: $AZURE_PASSWORD
      AZURE_TENANT_ID: $AZURE_TENANT_ID
      CLI_COMMAND: 'az keyvault secret show --name "ExamplePassword" --vault-name "<your-unique-keyvault-name>" --query "value"'
Please note that the variables need to be configured with the corresponding values of your Azure instance. For more details on what each of the pipe variables means, you can refer to the pipe's official documentation: Azure CLI run pipe.
Thank you, @Susana Abrantes !
Patrik S
Hi @Patrik S,
Thanks for your response. I've tried your script example, and it works perfectly fine. However, the "az keyvault secret show" command prints the value into the pipeline log.
I couldn't find a way to retrieve this value and store it in an environment variable for further usage. Something like this:
script:
  - echo "Using Azure-cli-run pipe"
  - pipe: microsoft/azure-cli-run:1.1.0
    variables:
      AZURE_APP_ID: $AZURE_APP_ID
      AZURE_PASSWORD: $AZURE_PASSWORD
      AZURE_TENANT_ID: $AZURE_TENANT_ID
      CLI_COMMAND: 'az keyvault secret show --name "ExamplePassword" --vault-name "<your-unique-keyvault-name>" --query "value"'
  - export KV_SECRET=<secret goes here instead of the pipeline log>
Thanks for helping.
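One way to keep the secret value out of the build log, as an added example that is not part of this thread and not code from Atlassian or Microsoft: instead of running `az keyvault secret show` inside the pipe (whose output is printed to the log), call the Azure CLI directly from a script step and capture the value with command substitution. This assumes the `az` CLI is installed in the build image and already authenticated (for example with `az login --service-principal`); the `fetch_secret`, `use_secret` and `secret_length` names are hypothetical, and the `az` shell function defined at the top is a constructed stand-in so the script can be exercised offline.

```shell
#!/bin/sh
# Added example: capture a Key Vault secret into a shell variable without
# echoing it to the pipeline log. Assumes the real `az` CLI is installed
# and logged in when run inside a Bitbucket step.

# Constructed stand-in used only when `az` is not installed (offline test);
# in a real pipeline the genuine CLI is found on PATH and this is skipped.
if ! command -v az >/dev/null 2>&1; then
  az() { printf '%s\n' "stub-secret-value"; }
fi

# fetch_secret <secret-name> <vault-name>
# `--query value -o tsv` prints only the bare value (no JSON quoting), so
# the caller can capture it with $(...) and nothing reaches the build log.
fetch_secret() {
  az keyvault secret show --name "$1" --vault-name "$2" --query value -o tsv
}

# use_secret <secret-name> <vault-name>
# Exports KV_SECRET for later commands in the same step. Shell tracing is
# switched off first so `set -x` elsewhere cannot print the assignment.
use_secret() {
  set +x
  KV_SECRET="$(fetch_secret "$1" "$2")" || return 1
  export KV_SECRET
  # Report only the length as a sanity check; never print the value itself.
  printf 'fetched secret %s (%d chars)\n' "$1" "${#KV_SECRET}"
}

# secret_length <secret-name> <vault-name>
# Helper that returns the captured value's length (used for verification).
secret_length() {
  use_secret "$1" "$2" >/dev/null && printf '%s\n' "${#KV_SECRET}"
}

# Usage in a pipeline script step:
#   . ./fetch_secret.sh
#   use_secret "ExamplePassword" "<your-unique-keyvault-name>"
#   ./deploy.sh   # reads $KV_SECRET from the environment
```

Because each pipe runs in its own container, a variable exported inside `CLI_COMMAND` does not survive into the following script lines of the step; running the CLI in the step itself is what lets `KV_SECRET` stay available for later commands. Values fetched at runtime are not masked by Bitbucket the way secured repository variables are, so avoid `echo $KV_SECRET`, leave `set -x` off around the assignment, and prefer passing the value through the environment rather than on a command line that could appear in the log.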