Azure DevOps Extension
Keeper Secrets Manager integration into Azure DevOps for dynamic secrets retrieval

Prerequisites

This page documents the Secrets Manager Azure DevOps integration. In order to utilize this integration, you will need:
  • Keeper Secrets Manager access (See the Quick Start Guide for more details)
    • Secrets Manager addon enabled for your Keeper account
    • Membership in a Role with the Secrets Manager enforcement policy enabled
  • A Keeper Secrets Manager Application with secrets shared to it
  • An initialized Keeper Secrets Manager Configuration
    • The Azure DevOps integration accepts JSON and Base64 format configurations

Installation

Install the Keeper Secrets Manager Extension

Download from the Visual Studio Marketplace here or search for "Keeper Secrets Manager"
Enable the extension for your Azure organization by selecting an organization and clicking "Download".

Access Secrets From Azure Pipelines

In order to access secrets from the Keeper Vault, add a task to your Azure Pipelines YAML configuration file. Then query your records for the desired fields.

Create a Keeper Secrets Manager Task

Keeper Secrets Manager tasks look like this:

      inputs:
        keepersecretconfig: $(secret_config)
        secrets: |
          6ya_fdc6XTsZ7i4x9Jcodg/field/password > var:var_password
          6ya_fdc6XTsZ7i4x9Jcodg/field/password > out:out_password
          6ya_fdc6XTsZ7i4x9Jcodg/field/password > out_password2
          6ya_fdc6XTsZ7i4x9Jcodg/file/cert.pem > file:/tmp/mycert.pem
In this example, 6ya_fdc6XTsZ7i4x9Jcodg is the Record UID. In order to add a task, you can create a task using a Task Form, or add it manually.

Add Task Using a Task Form

Search the Tasks menu for "Keeper Secrets Manager" to open the task form.
To fill in the task form and create a Keeper Secrets Manager Task, you will need:
While it is possible to simply copy a Keeper Secrets Manager configuration into the pipeline, we recommend keeping the Secrets Manager configuration in an Azure Key Vault that is accessible to your Azure Pipeline. See Microsoft's documentation to learn more about Azure Key Vault.
Submit the form to add a task to your configuration automatically.

Manually add Task

To add a task manually to the pipeline configuration, follow this syntax:

Syntax

    - task: <Task Name>
      inputs:
        keepersecretconfig: <Secrets Manager Configuration>
        secrets: |
          <Secrets Queries>

Example

      inputs:
        keepersecretconfig: $(secret_config)
        secrets: |
          6ya_fdc6XTsZ7i7x9Jcodg/field/password > pazzword
          6ya_fdc6XTsZ7i7x9Jcodg/field/login > LOGIN
          6ya_fdc6XTsZ7i7x9Jcodg/file/build-vsix.sh > file:/tmp/build-vsix.sh

Keeper Secret Queries

Queries for secrets in the Keeper Vault use the following syntax:

Get a Standard Field Value

Syntax

    [UID]/field/[FIELD NAME] > [VARIABLE NAME]

Example

    6ya_fdc6XTsZ7i7x9Jcodg/field/password > my_password

Get a Custom Field Value

Syntax

    [UID]/custom_field/[FIELD NAME] > [VARIABLE NAME]

Example

    6ya_fdc6XTsZ7i7x9Jcodg/custom_field/notes > MyNotes

Get a File

Syntax

    [UID]/file/[SECRET FILE NAME] > file:[OUTPUT FILE NAME]

Example

    6ya_fdc6XTsZ7i7x9Jcodg/file/cert.pem > file:secret-cert.pem

Variable Types

When saving a secret from the Keeper vault as a variable on your Pipeline, there are a few options for how to set those variables, depending on your needs.
OUT

out (default) sets the secret to a variable which is accessible in any job in the pipeline. If you do not define a variable type, out is used by default.

    6ya_fdc6XTsZ7i7x9Jcodg/field/password > pazzword
    6ya_fdc6XTsZ7i7x9Jcodg/field/password > out:my_password

VAR

var sets the secret to a local variable, usable within the same pipeline job.

    6ya_fdc6XTsZ7i7x9Jcodg/field/password > var:my_password

FILE

file writes the contents to a file. Usually used to access certificates and other files from the Keeper Vault.

    6ya_fdc6XTsZ7i7x9Jcodg/file/build-vsix.sh > file:/tmp/build-vsix.sh

ENVIRONMENT VARIABLE

env sets the secret as an environment variable which the build machine can access.
To do this, you first need to set the secret to a pipeline variable, then map it to an environment variable in the bash task (the env key is the bare variable name, without a leading $):

      name: getKeeperSecrets
      inputs:
        keepersecretconfig: $(sm-config)
        secrets: |
          6ya_fdc6XTsZ7i7x9Jcodg/field/password > var:var_password

    - bash: |
        echo "Using the mapped env variable: $MY_MAPPED_ENV_VAR_PASSWORD"
      env:
        MY_MAPPED_ENV_VAR_PASSWORD: $(var_password)
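As an added illustration (not the extension's own parser), the following Python reads a secrets: block written in the query notation from the Keeper Secret Queries section and resolves each line to the destination type described under Variable Types, including the implicit out default. The sample block, the record UID in it and the consistency check between /file/ queries and file: destinations are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample secrets: block (hypothetical record, not a real vault entry),
# written in the query notation the page documents.
SAMPLE_SECRETS = """\
6ya_fdc6XTsZ7i7x9Jcodg/field/password > pazzword
6ya_fdc6XTsZ7i7x9Jcodg/field/login > var:LOGIN
6ya_fdc6XTsZ7i7x9Jcodg/custom_field/notes> out:MyNotes
6ya_fdc6XTsZ7i7x9Jcodg/file/cert.pem > file:/tmp/mycert.pem
"""

# [UID]/(field|custom_field|file)/[NAME] > [out:|var:|file:][DESTINATION]
QUERY_RE = re.compile(
    r"^(?P<uid>[A-Za-z0-9_-]+)/(?P<kind>field|custom_field|file)/(?P<name>.+?)\s*>\s*"
    r"(?:(?P<dest_type>out|var|file):)?(?P<dest>\S+)$"
)

@dataclass(frozen=True)
class SecretQuery:
    uid: str        # Keeper record UID
    kind: str       # field, custom_field or file
    name: str       # field name, or attached file name inside the record
    dest_type: str  # out, var or file (out when no prefix is given)
    dest: str       # pipeline variable name, or the output path for file:

def parse_query(line: str) -> SecretQuery:
    """Parse one query line; raise ValueError for malformed or inconsistent lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed secret query: {line!r}")
    kind, dest_type = m["kind"], m["dest_type"] or "out"
    # Consistency check assumed for this example (not documented behaviour of the
    # extension): a file query must write to a file: path, and a text field must not.
    if (kind == "file") != (dest_type == "file"):
        raise ValueError(f"{kind} query needs a matching destination type: {line!r}")
    return SecretQuery(m["uid"], kind, m["name"], dest_type, m["dest"])

def parse_secrets(block: str) -> list[SecretQuery]:
    """Parse an entire secrets: block, skipping blank lines."""
    return [parse_query(line) for line in block.splitlines() if line.strip()]

def reference_for(q: SecretQuery, task_name: str) -> str:
    """How a later step refers to each destination, per the Variable Types section."""
    if q.dest_type == "out":
        return f"$({task_name}.{q.dest})"  # output variable, qualified by the task name
    if q.dest_type == "var":
        return f"$({q.dest})"              # job-local variable, used as an input macro
    return q.dest                          # file: destination is simply a path on the agent
```

Running parse_secrets over SAMPLE_SECRETS and passing each result to reference_for with the task name used on this page (setKsmSecretsStep) yields $(setKsmSecretsStep.pazzword), $(LOGIN), $(setKsmSecretsStep.MyNotes) and /tmp/mycert.pem.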

Example Usage

Get Secrets From Keeper

This example pipeline sets secrets from the Keeper Vault to variables and echoes them. Note that echoed passwords are masked.
    trigger:
    - master

    pool:
      vmImage: ubuntu-latest

    steps:
        name: setKsmSecretsStep
        inputs:
          keepersecretconfig: $(sm-config)
          secrets: |
            6ya_fdc6XTsZ7i7x4Jcodg/field/password > var:var_password
            6ya_fdc6XTsZ7i7x4Jcodg/field/password > out_password2
            6ya_fdc6XTsZ7i7x4Jcodg/field/password > out:out_password
            6ya_fdc6XTsZ7i7x4Jcodg/file/build-vsix.sh > file:/tmp/build-vsix.sh

    - bash: |
        echo "Using an input-macro works : $(var_password)"
        echo "Using an output variable (default method) : $(setKsmSecretsStep.out_password2)"
        echo "Using an output variable : $(setKsmSecretsStep.out_password)"
        echo "Using the mapped env var : $MY_MAPPED_ENV_VAR_PASSWORD"
        echo "Check injected secret file : $(file /tmp/build-vsix.sh)"
      env:
        MY_MAPPED_ENV_VAR_PASSWORD: $(var_password) # the recommended way to map to an env variable
      name: display_secret_values

Use Secrets in Multiple Jobs

This example gets passwords and files from Keeper, and utilizes those passwords and files in another job.
    trigger:
    - master

    pool:
      vmImage: ubuntu-latest

    jobs:
    - job: ksmSecrets
      displayName: "Inject KSM Secrets"

      steps:
          name: setKsmSecretsStep
          inputs:
            keepersecretconfig: $(sm-config)
            secrets: |
              6ya_fdc6XTsZ7i7x9Jcodg/field/password > var:var_password
              6ya_fdc6XTsZ7i7x9Jcodg/field/password > out:out_password
              6ya_fdc6XTsZ7i7x9Jcodg/field/password > out_password2
              6ya_fdc6XTsZ7i7x9Jcodg/file/mykey.pub > file:/tmp/public_key.pem
              6ya_fdc6XTsZ7i7x9Jcodg/file/mykey.pem > file:/tmp/private_key.pem

      - bash: |
          echo "Using an input-macro works : $(var_password)"
          echo "Using an output variable (default method) : $(setKsmSecretsStep.out_password2)"
          echo "Using an output variable : $(setKsmSecretsStep.out_password)"
          echo "Using the mapped env var : $MY_MAPPED_ENV_VAR_PASSWORD"
          echo "Check injected secret file : $(file /tmp/public_key.pem)"
        env:
          MY_MAPPED_ENV_VAR_PASSWORD: $(var_password) # the recommended way to map to an env variable
        name: display_secret_values

      - bash: |
          cat << EOF > decrypted.txt
          This is a decrypted message
          EOF
        name: create_text_file

      - bash: cat decrypted.txt
        name: view_decrypted_content

      # openssl rsautl is deprecated since OpenSSL 3.0; openssl pkeyutl is its replacement
      - bash: openssl rsautl -encrypt -inkey /tmp/public_key.pem -pubin -in decrypted.txt -out encrypted.bin
        name: encrypt_file

      - bash: cat encrypted.bin
        name: view_encrypted_content

      - bash: openssl rsautl -decrypt -inkey /tmp/private_key.pem -in encrypted.bin -out decrypted2.txt
        name: decrypt_content

      - bash: cat decrypted2.txt
        name: view_decrypted2_content

    - job: encryptFileTest
      dependsOn: ksmSecrets
      variables:
        # map the output variable from the ksmSecrets job into this job
        # Note: files can't be shared between jobs. Each agent runs only one job at a
        # time and each job runs independently, so communication between jobs has to
        # go through "middleware" such as variables or artifacts.
        pwdFromKsmSecrets: $[ dependencies.ksmSecrets.outputs['setKsmSecretsStep.out_password'] ]

      steps:
      - bash: |
          echo "password retrieved from job 'ksmSecrets', step 'pwdFromKsmSecrets', out variable 'setKsmSecretsStep.out_password':$(pwdFromKsmSecrets)"