Retrieve Secrets from DevOps Secrets Safe

This extension retrieves ASCII secrets from an Azure-accessible instance of DevOps Secrets Safe.

Prerequisites

For this extension to retrieve a secret for use in a given Azure DevOps pipeline, the DevOps Secrets Safe instance must be preconfigured with the secret in question and with an application principal authorized to read it. The URI of the secret, the application name, and the API key assigned to the application are required as input values for this extension.

Secrets Safe Instance Configuration

Enter the public hostname/IP of the Secrets Safe instance, along with the port, API version, request timeout (seconds), and server certificate verification flag. The default values are shown in the diagram above.

Note: the build agents require access to the certificate authority used to sign the certificate used by the Secrets Safe cluster ingress service, whether that is a publicly available certificate or one installed on the build agent itself.

Authentication

Enter the name of the application authorized to read the secret to be requested, along with the associated API key. The default application name will be

Secret

Enter the URI of the requested secret and the name of the pipeline variable to populate. If this variable is configured as secret, the extension populates the value and retains the secret state, without logging the output to the task log. The secret variable can then be used in a subsequent task in the pipeline without the value ever being exposed.

Note: Multi-line values are allowed only if the storage variable is not marked secret. Azure DevOps secret pipeline variables support only single-line secrets, so the Secrets Safe secret retrieval fails if a requested secret is multi-line and is requested to populate a secret pipeline variable.
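The single-line rule for secret pipeline variables, sketched as an added example (this is not the extension's own code): it builds the Azure DevOps `task.setvariable` logging command and refuses a multi-line value when the target variable is marked secret. The function names and the escaping table are assumptions modeled on the agent's logging-command convention, and the sample values are constructed.

```javascript
'use strict';

// Escape the data part of a logging command. '%' goes first so the
// escapes introduced for CR/LF are not escaped a second time.
function escapeData(value) {
  return value
    .replace(/%/g, '%AZP25')
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A');
}

// Property values (such as the variable name) also escape ']' and ';',
// which would otherwise terminate the property list early.
function escapeProperty(value) {
  return escapeData(value).replace(/]/g, '%5D').replace(/;/g, '%3B');
}

// Hypothetical helper: returns the line a task writes to stdout to set a
// pipeline variable. With issecret=true the agent masks the value in logs.
function buildSetVariable(name, value, isSecret) {
  if (isSecret && /[\r\n]/.test(value)) {
    // The error names the variable only; the secret value is never echoed.
    throw new Error(
      `cannot populate secret variable '${name}': value is multi-line`);
  }
  const secretFlag = isSecret ? 'true' : 'false';
  return `##vso[task.setvariable variable=${escapeProperty(name)};` +
         `issecret=${secretFlag}]${escapeData(value)}`;
}

// Constructed samples: a single-line password and a two-line value.
const samples = [
  { name: 'dbPassword', value: 'p%ss;w]rd', isSecret: true },
  { name: 'pemBundle', value: 'line1\nline2', isSecret: false },
  { name: 'pemBundle', value: 'line1\nline2', isSecret: true },
];

for (const s of samples) {
  try {
    buildSetVariable(s.name, s.value, s.isSecret);
    console.log(`${s.name} (secret=${s.isSecret}): accepted`);
  } catch (err) {
    console.log(`${s.name} (secret=${s.isSecret}): rejected, ${err.message}`);
  }
}
```

A value that ends in a trailing newline counts as multi-line under this check, so it is rejected rather than silently trimmed.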