Azure Key Vault to store secrets - bitbucket pipelines

Susana Abrantes
I'm New Here
March 20, 2023

In our project we need to store secrets in Azure Key Vault and use them in bitbucket pipelines. Is it possible to do it?

I cannot find anything about that.

Thanks for helping.

1 answer

3 votes
Patrik S
Atlassian Team
March 21, 2023

Hello @Susana Abrantes ,

Welcome to the Community!

Once your credentials are stored in the Azure Key Vault, you can fetch them in your bitbucket pipeline by using the Azure CLI run pipe. This is a pipe developed by Microsoft that enables you to run the commands available in the Azure CLI in your Azure instance. 

Since the Azure CLI provides the functionality to retrieve a secret from the Key Vault, you can leverage that in your pipeline build.

The example below illustrates how to configure a step to use the Azure CLI run pipe to fetch a secret from your Key Vault:

script:
  - echo "Using Azure-cli-run pipe"
  - pipe: microsoft/azure-cli-run:1.1.0
    variables:
      AZURE_APP_ID: $AZURE_APP_ID
      AZURE_PASSWORD: $AZURE_PASSWORD
      AZURE_TENANT_ID: $AZURE_TENANT_ID
      CLI_COMMAND: 'az keyvault secret show --name "ExamplePassword" --vault-name "<your-unique-keyvault-name>" --query "value"'

Please note that the variables need to be configured with the corresponding values of your Azure instance. For more details on what each of the pipe variables means, you can refer to the pipe's official documentation: Azure CLI run pipe.

Thank you, @Susana Abrantes !

Patrik S

Andrii
I'm New Here
April 24, 2024

Hi @Patrik S

Thanks for your response. I've tried your script example, and it works perfectly fine. However, the "az keyvault secret show" command prints the value into the pipeline log.

I couldn't find a way to retrieve this value and store it in an environment variable for further usage. Something like this:

script:
  - echo "Using Azure-cli-run pipe"
  - pipe: microsoft/azure-cli-run:1.1.0
    variables:
      AZURE_APP_ID: $AZURE_APP_ID
      AZURE_PASSWORD: $AZURE_PASSWORD
      AZURE_TENANT_ID: $AZURE_TENANT_ID
      CLI_COMMAND: 'az keyvault secret show --name "ExamplePassword" --vault-name "<your-unique-keyvault-name>" --query "value"'
  - export KV_SECRET=<secret goes here instead of the pipeline log>

Thanks for helping.
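The following is an added example, not code from Patrik S's answer, from the thread, or from the microsoft/azure-cli-run pipe. It shows the approach Patrik describes (service-principal login plus `az keyvault secret show`) and addresses the problem Andrii raises: the step calls the Azure CLI directly from the `mcr.microsoft.com/azure-cli` image, so the secret value is captured into a shell variable and never written to the step log. It assumes `AZURE_APP_ID`, `AZURE_PASSWORD` and `AZURE_TENANT_ID` are configured as secured repository variables for a service principal that only has permission to get secrets from the vault; the vault name, secret name and `./deploy.sh` are placeholders.

```yaml
# Added example (not from the original answer or from the azure-cli-run pipe).
# Assumptions: AZURE_APP_ID, AZURE_PASSWORD and AZURE_TENANT_ID are secured
# repository variables for a service principal limited to "get" on the vault's
# secrets; vault name, secret name and ./deploy.sh are placeholders.
pipelines:
  default:
    - step:
        name: Fetch secret from Key Vault without logging it
        image: mcr.microsoft.com/azure-cli
        script:
          # Log in as the service principal; --output none keeps the login
          # response (subscription and tenant details) out of the log.
          - az login --service-principal -u "$AZURE_APP_ID" -p "$AZURE_PASSWORD" --tenant "$AZURE_TENANT_ID" --output none
          # Capture the value into a shell variable instead of letting the CLI
          # print it. --query value selects only the secret value and -o tsv
          # returns it bare, without JSON quoting. All script lines of a step
          # run in one shell session, so the variable is visible below.
          - KV_SECRET="$(az keyvault secret show --name "ExamplePassword" --vault-name "<your-unique-keyvault-name>" --query value -o tsv)"
          # Fail the step if the lookup came back empty rather than deploying
          # with a blank credential.
          - test -n "$KV_SECRET" || { echo "Key Vault lookup returned an empty value"; exit 1; }
          # Bitbucket masks only the values of secured variables in the log,
          # not values fetched at runtime, so do not echo KV_SECRET anywhere.
          - export KV_SECRET
          - ./deploy.sh
          - az logout
```

Save this as `bitbucket-pipelines.yml` and set the three Azure variables as Secured under the repository variables. Keeping the fetch and the consumer in the same step is deliberate: exporting the variable does not carry it into a later step, and writing it to an artifact file would store the secret in Bitbucket's artifact storage, which is exactly what using Key Vault is meant to avoid.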
