Lancelot Software

26 installs
An Azure DevOps extension to securely retrieve secrets from your AKeyless vault.

AKeyless Extension for Azure DevOps

Use this Azure DevOps extension to safely retrieve and use secrets from your AKeyless vault. The task will log in to AKeyless using Azure service connection JWT authentication and then fetch static secrets or a dynamic secret producer.

  • AKeyless Extension for Azure DevOps
    • Getting Started
    • Inputs
    • Reference Outputs (YAML or Classic)
    • Static Secrets
    • Dynamic Secrets
      • Automatic Outputs (examples)
      • Plain Output (examples)
    • Support

[!NOTE] Akeyless now has an official AzDO Task! I am 100% committed to maintaining this one because a lot of folks still rely on it, but now you have a choice for "official things only" policies 😉

Getting Started

You can add the extension to your Azure DevOps pipeline in one of two ways:

  • Option 1 - Search for 'akeyless secrets' when adding a new task.
  • Option 2 - Go to Akeyless Extensions - Visual Studio Marketplace

If this is your first time using the extension, please visit the documentation to have the required prerequisites prepared.

  • Getting Started - Setup akeyless and Azure service principal
  • Example (Tutorial) - Complete walkthrough demo

Inputs

| Name | Required | Type | Value | Default |
| --- | --- | --- | --- | --- |
| accessId | Yes | string | The access id for your auth method, see Getting Started: Akeyless Setup (step 1.6) | null |
| azureJwt | Yes | string | This is the JWT token to authenticate with Akeyless, see Getting Started: Azure Setup | null |
| staticSecrets | No | string | Static secrets to fetch from AKeyless. This must be a dictionary object, where the 'key' is the secret's path in akeyless and the 'value' is what you want the output variable to be named. See important note below. | null |
| dynamicSecrets | No | string | Dynamic secret to fetch from AKeyless. This must be a dictionary object, where the 'key' is the secret's path in akeyless and the 'value' is what you want the output variable to be named. See important note below. | null |
| apiUrl | No | string | Overrides the URL to the akeyless API server. Warning - Do not set this unless you know what you're doing! | https://api.akeyless.io |
| timeout | No | Number | Overrides the default gateway request timeout of 15 seconds. | 15 |
| autogenerate | No | Boolean | Automatically create output variables for dynamic secrets. | true |

[!IMPORTANT]

  • When defining the secrets, you need to make sure the input's format is correct. For example, a single secret would be {"/path/to/secret":"my_secret" } or for multiple secrets {"/path/to/first-secret":"first_secret", "/path/to/second-secret":"second_secret" }.
  • To avoid PowerShell JSON parsing errors for dynamic secrets, pass the task's outputs through env. See the Processing Plain Output examples.

Outputs

The task's outputs are determined by the values set in your staticSecrets and dynamicSecrets inputs. In order to access these outputs, first you must set the reference name of the task.

YAML Pipelines

When writing the task in YAML, you set the reference name using the name property:

- task: akeyless-secrets@1
  name: 'MyAkeylessTask'
  displayName: "Only the task's Display Name"

Classic Pipelines

If you are using classic pipelines, you will find the Reference Name setting under the Output Variables section:

ref name

Now with the reference name, you can access the output(s):

$(MyAkeylessTask.name_of_output)

Static Secrets

For static secrets, you will get an individual output variable for each secret. For example:

steps:
# IMPORTANT - This task has a 'name' assigned.
- task: AzureCLI@2
  name: 'AzureCLI'
  displayName: 'Get JWT from Azure'
  inputs:
    azureSubscription: 'My Azure Service Principal'
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
     $JWT=$(az account get-access-token --query accessToken --output tsv)
     echo "##vso[task.setvariable variable=azure_jwt;isoutput=true;issecret=true]$JWT"

- task: akeyless-secrets@1
  name: 'MyAkeylessTask'
  displayName: 'Get Secrets from Akeyless'
  inputs:
    accessid: 'p-123456'
    azureJwt: '$(AzureCLI.azure_jwt)'
    staticSecrets: '{"/path/to/first-secret":"firstSecret", "/path/to/second-secret":"secondSecret" }'

Notice how we are using the azure_jwt output from the AzureCLI task to hold the JWT, then use it in the Akeyless task with $(AzureCLI.azure_jwt).

You will have $(MyAkeylessTask.firstSecret) and $(MyAkeylessTask.secondSecret) available in subsequent tasks of that job.

Dynamic Secrets

For dynamic secrets, the outputs are available as both individual outputs and the entire value.

  • Automatic Output
  • Plain Output

Automatic Outputs

By default, the dynamic secret will be parsed into a separate output for every value in the secret. This uses your requested prefix and is recursive, supporting any number of nested objects it needs.

For example, if your secret is {"id": "1","person": { "username": "foo", "password": "bar"},"expiration": "123"}, then the following outputs will be automatically generated for you.

  • prefix_ + id
  • prefix_ + person_username
  • prefix_ + person_password
  • prefix_ + expiration

[!Note] The prefix is the output variable name that you used for that secret, see the automatic output example below or review the azure-pipelines.yml tester.
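
The naming rule above, worked through as an added example (not the extension's own code): it predicts the output names for a dynamic secret and flags two JSON paths that collapse to the same output name. The function names are hypothetical, and flattening arrays by index is an assumption, since the page does not describe how the task treats them.

```javascript
// Added example: predict output variable names for a dynamic secret.
// Assumption: arrays are flattened by index (not documented on this page).
function flattenSecret(prefix, value, out = new Map(), collisions = []) {
  for (const [key, child] of Object.entries(value)) {
    const name = `${prefix}_${key}`;
    if (child !== null && typeof child === "object") {
      // Nested object: recurse, carrying the accumulated name as the new prefix
      flattenSecret(name, child, out, collisions);
    } else {
      // Two different JSON paths can produce the same name; record it
      if (out.has(name)) collisions.push(name);
      out.set(name, String(child));
    }
  }
  return { outputs: out, collisions };
}

function outputNames(prefix, json) {
  const parsed = JSON.parse(json);
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new TypeError("dynamic secret must be a JSON object");
  }
  const { outputs, collisions } = flattenSecret(prefix, parsed);
  // Return names only, so secret values never reach the log
  return { names: [...outputs.keys()], collisions };
}

// Constructed sample: the secret used in the text above
const sample =
  '{"id": "1","person": { "username": "foo", "password": "bar"},"expiration": "123"}';
console.log(outputNames("secret1", sample).names);

// Constructed sample: a top-level key that collides with a nested path
const clash = '{"person_username": "a", "person": {"username": "b"}}';
console.log(outputNames("secret1", clash).collisions);
```

A non-empty collisions list means one output variable would be ambiguous; in that case, read the field from the plain output instead.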

Automatic Output Examples

For example, here we are requesting the output variable name to be secret1.

- task: akeyless-secrets@1
  name: 'MyAkeylessTask'
  displayName: 'Get Secrets from Akeyless'
  inputs:
    accessid: 'p-123456'
    azureJwt: '$(AzureCLI.azure_jwt)'
    dynamicSecrets: '{"/first-dynamic-secret":"secret1"}'

As a result, you will have the following outputs available:

Write-Output "Id: $(MyAkeylessTask.secret1_id)"
Write-Output "Person_Username: $(MyAkeylessTask.secret1_person_username)"
Write-Output "Person_Password: $(MyAkeylessTask.secret1_person_password)"
Write-Output "Expires: $(MyAkeylessTask.secret1_expiration)"

Here's a screenshot of multiple dynamic secrets being requested and then accessing the autogenerated outputs.

image

Plain Output

The entire secret's value is produced in the output name you requested. For example, here we are using secret1 as the output name:

- task: akeyless-secrets@1
  name: 'MyAkeylessTask'
  displayName: 'Get Secrets from Akeyless'
  inputs:
    accessid: 'p-123456'
    azureJwt: '$(AzureCLI.azure_jwt)'
    dynamicSecrets: '{"/first-dynamic-secret":"secret1"}'

The complete value would be in the secret1 output:

Write-Output "COMPLETE JSON RESPONSE: $(MyAkeylessTask.secret1)"

[!Caution] You need to carefully process this output, as PowerShell may throw errors while trying to convert JSON that has nested objects or quotes. See the examples below for how to handle this situation using env for the output.

Simple Output Examples

It's important to remember when using the Simple Output option that dynamic secrets tend to be complex objects. You will likely need to further process the value to get to an inner value. This topic is outside the scope of this Task; I will share two examples, but GitHub Copilot is great with parsing logic.

Example 1. Using jq

You can use jq to parse out the secret's parts.

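
- powershell: |
    # TIP: Using the env var to avoid issues with parens in the variable name
    # jq emits one SQL_<KEY>=<value> line per top-level field; collect them in a hashtable
    $SQL = @{}
    $env:DYNAMIC_SECRET_JSON | jq -r 'to_entries|map("SQL_\(.key|ascii_upcase)=\(.value|tostring)")|.[]' | ForEach-Object {
      # Split on the first '=' only, so values that contain '=' stay intact
      $name, $value = $_ -split '=', 2
      $SQL[$name] = $value
    }
    echo $SQL.SQL_ID
    echo $SQL.SQL_USER
    echo $SQL.SQL_TTL_IN_MINUTES
    echo $SQL.SQL_PASSWORD
  displayName: 'Check Entra Id JSON output'
  env:
    DYNAMIC_SECRET_JSON: $(MyAkeylessTask.MY_SQL_DYNAMIC_SECRET)

Example 2. Using ConvertFrom-Json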

You can try PowerShell's ConvertFrom-Json function, which will create objects you can access through the property name:

- powershell: |
    # TIP: Using the env var to avoid issues with parens in the variable name
    $SQL = $env:DYNAMIC_SECRET_JSON | ConvertFrom-Json
    Write-Output $SQL.id
    Write-Output $SQL.user
    Write-Output $SQL.ttl_in_minutes
    Write-Output $SQL.password
  displayName: 'Check Entra Id JSON output'
  env:
    DYNAMIC_SECRET_JSON: $(MyAkeylessTask.MY_SQL_DYNAMIC_SECRET)

Support

Please open a new issue on GitHub for bug reports or feature requests.
