Enable the extension for your Azure organization by selecting an organization and clicking "Download".
Access Secrets From Azure Pipelines
In order to access secrets from the Keeper Vault, add a task to your Azure Pipelines YAML configuration file. Then query your records for the desired fields.
Secret queries use Keeper Notation and have the syntax KeeperNotation > destination, where the destination is selected by its prefix: var:, out: or file:. See the examples below.
Since v1.0.4 the extension also supports a search-by-title syntax: the UID portion of the notation may be replaced with the record title. The title must first be escaped according to Keeper Notation rules, and the resulting query must then also satisfy YAML's own rules for escaping special characters (a backslash is literal inside a | block scalar, but must be doubled inside a double-quoted string).
While it is possible to simply paste a Keeper Secrets Manager configuration into the pipeline definition, we recommend storing the Secrets Manager configuration as a secret in an Azure Key Vault that your Azure Pipeline can access and passing it to the task from there, so the configuration is never committed to the repository or exposed as a plain pipeline variable. See Microsoft's documentation to learn more about Azure Key Vault.
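Putting the two previous points together, the following is an added example pipeline (not taken from the extension's documentation or source) that reads the Secrets Manager configuration out of an Azure Key Vault with the AzureKeyVault@2 task and then queries a record by title. The service connection name my-service-connection, the vault name my-keyvault, the Key Vault secret name sm-config and the record title "Prod/DB Server" are placeholders; the backslash-escaping of "/" inside the title follows my reading of the Keeper Notation rules the text refers to.

```yaml
trigger:
- master

pool:
  vmImage: ubuntu-latest

steps:
# 1. Fetch the KSM configuration from Key Vault (stored there as the secret
#    "sm-config") instead of pasting it into the YAML or a variable group.
#    Values fetched by this task become secret pipeline variables, so
#    $(sm-config) is masked in logs and is never committed with the pipeline.
- task: AzureKeyVault@2
  inputs:
    azureSubscription: 'my-service-connection'   # service connection with Key Vault secret get/list permission
    KeyVaultName: 'my-keyvault'
    SecretsFilter: 'sm-config'                   # fetch only this secret, not every secret in the vault
    RunAsPreJob: false

# 2. Query by record title instead of UID. The title "Prod/DB Server" contains
#    a '/', so it is escaped as '\/' per Keeper Notation. Inside a YAML literal
#    block (|) the backslash is taken literally, so a single '\' is enough.
- task: ksmazpipelinetask@1
  name: ksmSecrets
  inputs:
    keepersecretconfig: $(sm-config)
    secrets: |
      Prod\/DB Server/field/password > var:db_password
      Prod\/DB Server/field/login > out:db_login

# The same title query written as a YAML double-quoted scalar: YAML itself
# interprets '\', so the Keeper escape must be doubled to '\\/'.
# - task: ksmazpipelinetask@1
#   inputs:
#     keepersecretconfig: $(sm-config)
#     secrets: "Prod\\/DB Server/field/password > var:db_password"

# 3. Consume the secrets. The password is mapped into the environment rather
#    than interpolated into the script; the login is an output variable and is
#    addressed as <stepName>.<variableName>.
- bash: |
    echo "login           : $(ksmSecrets.db_login)"
    echo "password length : ${#DB_PASSWORD}"
  env:
    DB_PASSWORD: $(db_password)
```

If the Key Vault step is moved into its own job, $(sm-config) is no longer visible in the job that runs ksmazpipelinetask@1, because secret variables are scoped to the job that fetched them; keep both tasks in the same job.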
Submit the form to add a task to your configuration automatically.
Manually add Task
To add a task manually to the pipeline configuration, follow this syntax:
When saving a secret from the Keeper vault as a variable on your Pipeline, there are a few options for how to set those variables, depending on your needs.
OUT
out (default) publishes the secret as an output variable of the task step. It is accessible from later steps in the same job as stepName.variableName and, through the dependencies syntax, from other jobs in the pipeline. If you do not specify a destination prefix, out is used by default.
This example pipeline sets secrets from the Keeper Vault as variables and echoes them. Note that the agent masks secret values in the log when they are echoed.
trigger:
- master

pool:
  vmImage: ubuntu-latest

steps:
- task: ksmazpipelinetask@1
  name: setKsmSecretsStep
  inputs:
    keepersecretconfig: $(sm-config)
    secrets: |
      6ya_fdc6XTsZ7i7x4Jcodg/field/password > var:var_password
      6ya_fdc6XTsZ7i7x4Jcodg/field/password > out_password2
      6ya_fdc6XTsZ7i7x4Jcodg/field/password > out:out_password
      6ya_fdc6XTsZ7i7x4Jcodg/field/oneTimeCode > var:MyOneTimeCode
      6ya_fdc6XTsZ7i7x4Jcodg/file/build-vsix.sh > file:/tmp/build-vsix.sh
- bash: |
    echo "Using an input-macro works : $(var_password)"
    echo "Using an output variable (default method) : $(setKsmSecretsStep.out_password2)"
    echo "Using an output variable : $(setKsmSecretsStep.out_password)"
    echo "Using an input-macro for totp : $(MyOneTimeCode)"
    echo "Using the mapped env var : $MY_MAPPED_ENV_VAR_PASSWORD"
    echo "Check injected secret file : $(file /tmp/build-vsix.sh)"
  env:
    MY_MAPPED_ENV_VAR_PASSWORD: $(var_password) # the recommended way to map a secret to an env variable
  name: display_secret_values
Use Secrets in Multiple Jobs
This example gets passwords and files from Keeper, and utilizes those passwords and files in another job.
trigger:
- master

pool:
  vmImage: ubuntu-latest

jobs:
- job: ksmSecrets
  displayName: "Inject KSM Secrets"
  steps:
  - task: ksmazpipelinetask@1
    name: setKsmSecretsStep
    inputs:
      keepersecretconfig: $(sm-config)
      secrets: |
        6ya_fdc6XTsZ7i7x9Jcodg/field/password > var:var_password
        6ya_fdc6XTsZ7i7x9Jcodg/field/password > out:out_password
        6ya_fdc6XTsZ7i7x9Jcodg/field/password > out_password2
        6ya_fdc6XTsZ7i7x9Jcodg/file/mykey.pub > file:/tmp/public_key.pem
        6ya_fdc6XTsZ7i7x9Jcodg/file/mykey.pem > file:/tmp/private_key.pem
  - bash: |
      echo "Using an input-macro works : $(var_password)"
      echo "Using an output variable (default method) : $(setKsmSecretsStep.out_password2)"
      echo "Using an output variable : $(setKsmSecretsStep.out_password)"
      echo "Using the mapped env var : $MY_MAPPED_ENV_VAR_PASSWORD"
      echo "Check injected secret file : $(file /tmp/public_key.pem)"
    env:
      MY_MAPPED_ENV_VAR_PASSWORD: $(var_password) # the recommended way to map a secret to an env variable
    name: display_secret_values
  # Round-trip a message through the key pair injected above to prove the
  # files landed on the agent intact.
  - bash: |
      cat << EOF > decrypted.txt
      This is a decrypted message
      EOF
    name: create_text_file
  - bash: cat decrypted.txt
    name: view_decrypted_content
  - bash: openssl rsautl -encrypt -inkey /tmp/public_key.pem -pubin -in decrypted.txt -out encrypted.bin
    name: encrypt_file
  - bash: cat encrypted.bin
    name: view_encrypted_content
  - bash: openssl rsautl -decrypt -inkey /tmp/private_key.pem -in encrypted.bin -out decrypted2.txt
    name: decrypt_content
  - bash: cat decrypted2.txt
    name: view_decrypted2_content

- job: encryptFileTest
  dependsOn: ksmSecrets
  variables:
    # Map the output variable from job ksmSecrets into this job.
    # Note: files cannot be shared between jobs. Each agent runs only one job
    # at a time and each job is an independent run, so passing data between
    # jobs requires "middleware" such as output variables or artifacts.
    pwdFromKsmSecrets: $[ dependencies.ksmSecrets.outputs['setKsmSecretsStep.out_password'] ]
  steps:
  - bash: |
      echo "password retrieved from job 'ksmSecrets', step 'setKsmSecretsStep', out variable 'setKsmSecretsStep.out_password': $(pwdFromKsmSecrets)"