Azure DevOps Extension
Keeper Secrets Manager integration into Azure DevOps for dynamic secrets retrieval
Features
Retrieve secrets from the Keeper Vault from an Azure DevOps pipeline
Set secret credentials as build arguments or environment variables
Copy secure files from the Keeper Vault
For a complete list of Keeper Secrets Manager features see the Overview
Prerequisites
This page documents the Secrets Manager Azure DevOps integration. In order to utilize this integration, you will need:
Keeper Secrets Manager access (See the Quick Start Guide for more details)
Secrets Manager addon enabled for your Keeper account
Membership in a Role with the Secrets Manager enforcement policy enabled
A Keeper Secrets Manager Application with secrets shared to it
See the Quick Start Guide for instructions on creating an Application
An initialized Keeper Secrets Manager Configuration
The Azure DevOps integration accepts JSON and Base64 format configurations
Installation
Install the Keeper Secrets Manager Extension
Download from the Visual Studio Marketplace here or search for "Keeper Secrets Manager"
Enable the extension for your Azure organization by selecting an organization and clicking "Download".
Access Secrets From Azure Pipelines
In order to access secrets from the Keeper Vault, add a task to your Azure Pipelines YAML configuration file. Then query your records for the desired fields.
Secret queries use Keeper Notation and have the following syntax:
KeeperNotation > destination
where the destination is selected by its prefix: var:, out: or file: (see the examples below).
Since v1.0.4 the extension also supports search by title: the UID portion of the notation may be replaced with the record title. The title must be escaped according to Keeper Notation rules and, because the query lives in a YAML file, must then also follow the YAML specification for escaping special characters.
Create a Keeper Secrets Manager Task
Keeper Secrets Manager tasks look like this:
In this example, 6ya_fdc6XTsZ7i4x9Jcodg is the Record UID. To add a task, you can either create it with the Task Form or add it manually.
Add Task Using a Task Form
Search the Tasks menu for "Keeper Secrets Manager" to open the task form.
To fill in the task form and create a Keeper Secrets Manager Task, you will need:
A Keeper Secrets Manager Configuration
The Azure DevOps Extension accepts JSON and base64 configurations.
One or more secret queries (see the query syntax below)
While it is possible to simply copy a Keeper Secrets Manager configuration into the pipeline, we recommend keeping the Secrets Manager configuration in an Azure Key Vault that is accessible to your Azure Pipeline. See Microsoft's documentation to learn more about Azure Key Vault.
Submit the form to add a task to your configuration automatically.
Add Task Manually
To add a task manually to the pipeline configuration, follow this syntax:
Keeper Secret Queries
Queries for secrets in the Keeper Vault use the following syntax:
Get a Standard Field Value
Syntax
Example
Get a Custom Field Value
Syntax
Example
Get a Two-Factor Code
Syntax
[UID]/field/oneTimeCode > [VARIABLE NAME]
Example
Get a File
Syntax
Example
Variable Types
When saving a secret from the Keeper vault as a variable on your Pipeline, there are a few options for how to set those variables, depending on your needs.
OUT
out (default) sets the secret to a variable that is accessible from any job in the pipeline. If you do not specify a variable type, out is used by default.
VAR
var sets the secret to a local variable, usable only within the same pipeline job.
FILE
file writes the secret contents to a file. This is usually used for certificates and other files stored in the Keeper Vault.
ENVIRONMENT VARIABLE
env sets the secret as an environment variable that the build machine can access. To do this, first set the secret to a pipeline variable, then export it as an environment variable in a bash task.
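The following is an added example, not code from the extension or from Keeper: a small parser that validates secret-query lines of the form KeeperNotation > destination before they reach a pipeline, covering the standard-field, custom-field, oneTimeCode and file queries above, the out/var/file destination prefixes with out as the default, and the title-search form with Keeper Notation backslash escaping. The 22-character Record UID pattern, the variable-name rule for out:/var: destinations, the handling of # comment lines, and splitting on the last > are assumptions of this example rather than documented behaviour of the extension; the sample block at the bottom is constructed.

```python
"""Parse and validate Keeper Secrets Manager secret-query lines of the form
    KeeperNotation > destination
as used in the extension's secrets input. Added example, not the extension's
own code; the validation rules below are assumptions drawn from the docs."""
import re
from dataclasses import dataclass
from typing import List

DESTINATION_TYPES = ("out", "var", "file")   # env is done via a bash task, not a prefix
NOTATION_SECTIONS = ("field", "custom_field", "file")
# Assumption: Keeper record UIDs are 22 URL-safe base64 chars (e.g. 6ya_fdc6XTsZ7i4x9Jcodg)
UID_RE = re.compile(r"^[A-Za-z0-9_-]{22}$")
# Assumption: pipeline-variable naming rule applied to out:/var: destinations
VAR_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


@dataclass(frozen=True)
class SecretQuery:
    record: str        # Record UID, or the record title when by_title is True
    by_title: bool
    section: str       # field | custom_field | file
    selector: str      # field label, custom field label or file name
    dest_type: str     # out | var | file
    dest_name: str     # variable name or file path


def _split_notation(path: str) -> List[str]:
    """Split on '/' while honouring Keeper Notation backslash escapes
    (\\/ \\[ \\] \\\\), so an escaped slash inside a title is kept literally."""
    parts, cur, i = [], [], 0
    while i < len(path):
        ch = path[i]
        if ch == "\\" and i + 1 < len(path):
            cur.append(path[i + 1])
            i += 2
            continue
        if ch == "/":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_query(line: str) -> SecretQuery:
    """Parse one 'KeeperNotation > destination' line; raise ValueError on malformed input."""
    notation, sep, dest = line.rpartition(">")   # assumption: last '>' is the separator
    if not sep:
        raise ValueError(f"missing '>' separator: {line!r}")
    notation, dest = notation.strip(), dest.strip()
    if notation.startswith("keeper://"):          # the keeper:// scheme prefix is optional
        notation = notation[len("keeper://"):]

    parts = _split_notation(notation)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"notation must be <record>/<section>/<selector>: {notation!r}")
    record, section, selector = parts
    if section not in NOTATION_SECTIONS:
        raise ValueError(f"unknown section {section!r}; expected one of {NOTATION_SECTIONS}")
    by_title = UID_RE.match(record) is None       # non-UID record part = title search (v1.0.4+)

    dest_type, colon, dest_name = dest.partition(":")
    if not colon:                                 # no prefix: 'out' is the default
        dest_type, dest_name = "out", dest
    if dest_type not in DESTINATION_TYPES:
        raise ValueError(f"unknown destination prefix {dest_type!r}; expected one of {DESTINATION_TYPES}")
    if dest_type == "file":
        if not dest_name:
            raise ValueError("file: destination needs a path")
    elif not VAR_NAME_RE.match(dest_name):
        raise ValueError(f"invalid variable name {dest_name!r}")
    return SecretQuery(record, by_title, section, selector, dest_type, dest_name)


def parse_secrets_block(text: str) -> List[SecretQuery]:
    """Parse a multi-line secrets block, ignoring blank lines and '#' comments."""
    queries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            queries.append(parse_query(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return queries


# Constructed sample block mirroring the query kinds described in the docs
SAMPLE_BLOCK = r"""
# standard field into a job-local variable
6ya_fdc6XTsZ7i4x9Jcodg/field/password > var:DB_PASSWORD
# custom field, default destination (out)
6ya_fdc6XTsZ7i4x9Jcodg/custom_field/API Key > API_KEY
# two-factor code
6ya_fdc6XTsZ7i4x9Jcodg/field/oneTimeCode > out:MFA_CODE
# file attachment written to disk
6ya_fdc6XTsZ7i4x9Jcodg/file/cert.pem > file:/tmp/cert.pem
# title search with an escaped slash in the title
My Prod\/DB Server/field/login > DB_USER
"""

if __name__ == "__main__":
    for q in parse_secrets_block(SAMPLE_BLOCK):
        print(q)
```

Running the block prints one SecretQuery per line of the sample. A query with an unknown destination prefix (for example env:, which the extension does not offer as a prefix) or a notation missing its section is rejected with the offending line number, which is the check you want in a pre-commit hook or pipeline lint step rather than at run time on the build agent.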
Example Usage
Get Secrets From Keeper
This example pipeline sets secrets from the Keeper Vault to variables and echoes them. Note that echoed passwords are masked.
Use Secrets in Multiple Jobs
This example gets passwords and files from Keeper, and utilizes those passwords and files in another job.