Azure DevOps Extension

Keeper Secrets Manager integration into Azure DevOps for dynamic secrets retrieval

PreviousAWS KMS Encryption NextAzure Key Vault Sync

Last updated 10 months ago

Was this helpful?

Azure DevOps Extension

Keeper Secrets Manager integration into Azure DevOps for dynamic secrets retrieval

Features

Retrieve secrets from the Keeper Vault from an Azure DevOps pipeline
Set secret credentials as build arguments or environment variables
Copy secure files from the Keeper Vault

Prerequisites

This page documents the Secrets Manager Azure DevOps integration. In order to utilize this integration, you will need:

- Secrets Manager addon enabled for your Keeper account
- Membership in a Role with the Secrets Manager enforcement policy enabled
- The Azure DevOps integration accepts JSON and Base64 format configurations

Installation

Install the Keeper Secrets Manager Extension

Enable the extension for your Azure organization by selecting an organization and clicking "Download".

Access Secrets From Azure Pipelines

Since v1.0.4 extension allows use of a search by title syntax, where UID portion could be replaced with the record title and must be escaped according to Keeper Notation rules then it must follow YAML format specifications for escaping special characters.

Create a Keeper Secrets Manager Task

Keeper Secrets Manager tasks look like this:

- task: ksmazpipelinetask@1
  inputs:
    keepersecretconfig: $(secret_config)
    secrets: |
      6ya_fdc6XTsZ7i4x9Jcodg/field/password > var:var_password
      6ya_fdc6XTsZ7i4x9Jcodg/field/password > out:out_password
      6ya_fdc6XTsZ7i4x9Jcodg/field/password > out_password2
      6ya_fdc6XTsZ7i4x9Jcodg/file/cert.pem > file:/tmp/mycert.pem

In this example, 6ya_fdc6XTsZ7i4x9Jcodg is the Record UID. In order to add a task, you can create a task using a Task Form, or add it manually.

Add Task Using a Task Form

Search the Tasks menu for "Keeper Secrets Manager" to open the task form.

To fill in the task form and create a Keeper Secrets Manager Task, you will need:

- The Azure DevOps Extension accepts JSON and base64 configurations.

Submit the form to add a task to your configuration automatically.

Manually add Task

To add a task manually to the pipeline configuration, follow this syntax:

- task: <Task Name>
  inputs:
    keepersecretconfig: <Secrets Manager Configuration>
    secrets: |
      <Secrets Queries>

- task: ksmazpipelinetask@1
  inputs:
    keepersecretconfig: $(secret_config)
    secrets: |
      6ya_fdc6XTsZ7i7x9Jcodg/field/password > pazzword
      6ya_fdc6XTsZ7i7x9Jcodg/field/login > LOGIN
      6ya_fdc6XTsZ7i7x9Jcodg/file/build-vsix.sh > file:/tmp/build-vsix.sh

Keeper Secret Queries

Queries for secrets in the Keeper Vault use the following syntax:

Get a Standard Field Value

Syntax

[UID]/field/[FIELD NAME] > [VARIABLE NAME]

Example

6ya_fdc6XTsZ7i7x9Jcodg/field/password > my_password

Get a Custom Field Value

Syntax

[UID]/custom_field/[FIELD NAME] > [VARIABLE NAME]

Example

6ya_fdc6XTsZ7i7x9Jcodg/custom_field/notes > MyNotes

Get a Two-Factor Code

Syntax

[UID]/field/oneTimeCode > [VARIABLE NAME]

Example

6ya_fdc6XTsZ7i7x9Jcodg/field/oneTimeCode > MyOneTimeCode

Get a File

Syntax

[UID]/file/[SECRET FILE NAME] > file:[OUTPUT FILE NAME]

Example

6ya_fdc6XTsZ7i7x9Jcodg/file/cert.pem > file:secret-cert.pem

Variable Types

When saving a secret from the Keeper vault as a variable on your Pipeline, there are a few options for how to set those variables, depending on your needs.

OUT

out (default) sets the secret to a variable which is accessible in any jobs in the pipeline. If you do not define a variable type, out will be used by default.

6ya_fdc6XTsZ7i7x9Jcodg/field/password > pazzword
6ya_fdc6XTsZ7i7x9Jcodg/field/password > out:my_password

VAR

var sets the secret to a local variable, usable within the same pipeline job.

6ya_fdc6XTsZ7i7x9Jcodg/field/password > var:my_password

FILE

file sets the contents to a file. Usually used to access certificates and other files from the Keeper Vault.

6ya_fdc6XTsZ7i7x9Jcodg/file/build-vsix.sh > file:/tmp/build-vsix.sh

ENVIRONMENT VARIABLE

env set the secret as an environment variable which the build machine can access.

To do this, you first need to set the secret to a pipeline variable, then set it as an environment variable in the bash task.

- task: ksmazpipelinetask@1
  name: getKeeperSecrets
  inputs:
    keepersecretconfig: $(sm-config)
    secrets: |
      6ya_fdc6XTsZ7i7x9Jcodg/field/password > var:var_password
      
- bash: |
        echo "Using the mapped env variable: $MY_MAPPED_ENV_VAR_PASSWORD"
    env:
        $MY_MAPPED_ENV_VAR_PASSWORD: $(var_password)

Example Usage

Get Secrets From Keeper

This example pipeline sets secrets from the Keeper Vault to variables and echoes them. Note that echoed passwords are masked.

trigger:
- master

pool:
  vmImage: ubuntu-latest

steps:

- task: ksmazpipelinetask@1
  name: setKsmSecretsStep
  inputs:
    keepersecretconfig: $(sm-config)
    secrets: |
      6ya_fdc6XTsZ7i7x4Jcodg/field/password > var:var_password
      6ya_fdc6XTsZ7i7x4Jcodg/field/password > out_password2
      6ya_fdc6XTsZ7i7x4Jcodg/field/password > out:out_password
      6ya_fdc6XTsZ7i7x4Jcodg/field/oneTimeCode > var:MyOneTimeCode
      6ya_fdc6XTsZ7i7x4Jcodg/file/build-vsix.sh > file:/tmp/build-vsix.sh

- bash: |
    echo "Using an input-macro works                : $(var_password)"
    echo "Using an output variable (default method) : $(setKsmSecretsStep.out_password2)"
    echo "Using an output variable                  : $(setKsmSecretsStep.out_password)"
    echo "Using an output variable for totp         : $(setKsmSecretsStep.out_password)"
    echo "Using the mapped env var                  : $(MyOneTimeCode)"
    echo "Check injected secret file                : $(file /tmp/build-vsix.sh)"
  env:
    MY_MAPPED_ENV_VAR_PASSWORD: $(var_password) # the recommended way to map to an env variable
  name: display_secret_values

Use Secrets in Multiple Jobs

This example gets passwords and files from Keeper, and utilizes those passwords and files in another job.

trigger:
- master

pool:
  vmImage: ubuntu-latest

jobs:
- job: ksmSecrets
  displayName: "Inject KSM Secrets"

  steps:

  - task: ksmazpipelinetask@1
    name: setKsmSecretsStep
    inputs:
      keepersecretconfig: $(sm-config)
      secrets: |
        6ya_fdc6XTsZ7i7x9Jcodg/field/password > var:var_password
        6ya_fdc6XTsZ7i7x9Jcodg/field/password > out:out_password
        6ya_fdc6XTsZ7i7x9Jcodg/field/password > out_password2
        6ya_fdc6XTsZ7i7x9Jcodg/file/mykey.pub > file:/tmp/public_key.pem
        6ya_fdc6XTsZ7i7x9Jcodg/file/mykey.pem > file:/tmp/private_key.pem

  - bash: |
      echo "Using an input-macro works                : $(var_password)"
      echo "Using an output variable (default method) : $(setKsmSecretsStep.out_password2)"
      echo "Using an output variable                  : $(setKsmSecretsStep.out_password)"
      echo "Using the mapped env var                  : $MY_MAPPED_ENV_VAR_PASSWORD"
      echo "Check injected secret file                : $(file /tmp/public_key.pem)"
    env:
      MY_MAPPED_ENV_VAR_PASSWORD: $(var_password) # the recommended way to map to an env variable
    name: display_secret_values

  - bash: |
      cat << EOF > decrypted.txt
      This is a decrypted message
      EOF
    name: create_text_file

  - bash: cat decrypted.txt
    name: view_decrpyted_content


  - bash: openssl rsautl -encrypt -inkey /tmp/public_key.pem -pubin -in decrypted.txt -out ecrypted.bin
    name: encrypte_file

  - bash: cat ecrypted.bin
    name: view_encrpyted_content

  - bash: openssl rsautl -decrypt -inkey /tmp/private_key.pem -in ecrypted.bin -out decrypted2.txt
    name: decrpyt_content

  - bash: cat decrypted2.txt
    name: view_decrpyted2_content


- job: encryptFileTest
  dependsOn: ksmSecrets
  variables:
    # map the output variable from A into this job
    # Note:
    #   that files can't be shared between jobs each agent can run only one job at a time
    #   one job is an independent running individual, the communication between different 
    #   jobs requires the use of "middleware", like variable, artifact and etc.
    pwdFromKsmSecrets: $[ dependencies.ksmSecrets.outputs['setKsmSecretsStep.out_password'] ]

  steps:
    - bash: |
        echo "password retrieved from job 'ksmSecrets', step 'pwdFromKsmSecrets', out variable 'setKsmSecretsStep.out_password':$(pwdFromKsmSecrets)"

PreviousAWS KMS Encryption NextAzure Key Vault Sync

Last updated 10 months ago

Was this helpful?