Use Azure Key Vault secrets in your pipeline

1. Sign in to the Azure portal, and then select Create a resource.

2. Under Key Vault, select Create to create a new Azure key vault.

3. Select your subscription from the dropdown menu, and then select an existing resource group or create a new one. Enter a key vault name, select a region, choose a pricing tier, and select Next if you want to configure more properties. Otherwise, select Review + create to keep the default settings.

4. After the deployment is finished, select Go to resource.

1. First, set your default region and Azure subscription:

   • Set default subscription:

     az account set --subscription <your_subscription_name_or_subscription_ID>
     

   • Set default region:

     az config set defaults.location=<your_region>
     

2. Create a new resource group to host your Azure key vault. A resource group is a container that holds related resources for an Azure solution:

   az group create --name <your-resource-group>
   

3. Create a new Azure key vault:

   az keyvault create \
    --name <your-key-vault-name> \
    --resource-group <your-resource-group>
   

Create a user-assigned managed identity

1. Sign in to the Azure portal, and then search for the Managed Identities service in the search bar.

2. Select Create, and then fill out the required fields:

   • Subscription: Select your subscription from the dropdown menu.
   • Resource group: Select an existing resource group or create a new one.
   • Region: Select a region from the dropdown menu.
   • Name: Enter a name for your user-assigned managed identity.

3. Select Review + create after you're finished.

4. After the deployment is finished, select Go to resource. Copy the subscription and client ID because you need them in the next steps.

5. Go to Settings > Properties, and copy your managed identity Tenant ID to use later.

Set up key vault access policies

1. Go to the Azure portal, and use the search bar to find the key vault that you created earlier.

2. Select Access policies, and then select Create to add a new policy.

3. Under Secret permissions, select the Get and List checkboxes.

4. Select Next, and then paste the client ID of the managed identity that you created earlier into the search bar.

5. Select your managed identity, select Next, and then Next again.

6. Review your new policy, and then select Create after you're finished.

Create a service connection

1. Sign in to your Azure DevOps organization, and then go to your project.

2. Select Project settings > Service connections, and then select New service connection.

3. Select Azure Resource Manager, and then select Next.

4. Under Identity Type, select Managed identity from the dropdown menu.

5. For Step 1: Managed identity details, fill out the fields:

   • Subscription for managed identity: Select the subscription that contains your managed identity.
   • Resource group for managed identity: Select the resource group where your managed identity is hosted.
   • Managed identity: Select your managed identity from the dropdown menu.

6. For Step 2: Azure Scope, fill out the fields:

   • Scope level for service connection: Select Subscription.
   • Subscription for service connection: Select the subscription that your managed identity accesses.
   • Resource group for service connection: (Optional) Specify this item if you want to restrict access to a specific resource group.

7. For Step 3: Service connection details, fill out the fields:

   • Service connection name: Enter a name for your service connection.
   • Service management reference: (Optional) Include context information from an ITSM database.
   • Description: (Optional) Add a description.

8. Under Security, select the Grant access permission to all pipelines checkbox to allow all pipelines to use this service connection. If you leave this checkbox blank, you need to manually grant access for each pipeline.

9. Select Save to validate and create the service connection.

   👁 Screenshot that shows how to create a managed identity Azure Resource Manager service connection.
   

Create a service principal

In this step, you create a new service principal in Azure so that your pipelines can access Azure Key Vault.

1. Go to the Azure portal, and then select the >_ icon from the top menu to open Azure Cloud Shell.

2. Select either PowerShell or Bash, depending on your preference.

3. Run the following command to create a new service principal:

   az ad sp create-for-rbac --name YOUR_SERVICE_PRINCIPAL_NAME
   

4. After the command runs, you get an output similar to the following example. Copy and save the output because you need it to create a service connection in the next step.

   {
    "appId": "00001111-aaaa-2222-bbbb-3333cccc4444",
    "displayName": "MyServicePrincipal",
    "password": "***********************************",
    "tenant": "aaaabbbb-0000-cccc-1111-dddd2222eeee"
   }
   

Create a service connection

1. Sign in to your Azure DevOps organization, and then go to your project.

2. Select Project settings, and then select Service connections.

3. Select New service connection > Azure Resource Manager, and then select Next.

4. Select Service principal (manual), and then select Next.

5. Under Identity Type, select App registration or managed identity (manual).

6. Under Credential, select Workload identity federation.

7. Provide a name for your service connection, and then select Next.

8. Copy the Issuer and the Subject identifier values because you need them in the next step.

9. For Environment, select Azure Cloud. For Subscription scope, select Subscription.

10. Enter your Azure subscription ID and subscription name.

11. Under Authentication, paste your service principal Application (client) ID and Directory (tenant) ID values.

12. In the Security section, select the Grant access permission to all pipelines checkbox to allow all pipelines to use this service connection. If you skip this step, you need to manually grant access per pipeline.

13. Leave this page open. You come back to finish it after you create the federated credential in Azure and grant your service principal Read access at the subscription level.

    👁 Screenshot that shows how to create an Azure Resource Manager service connection by using App registration.
    

Create a federated credential in Azure

1. Go to the Azure portal, and then use the search bar to find your service principal by entering its client ID. Select the matching application from the results.

2. Under Manage, select Certificates & secrets > Federated credentials.

3. Select Add credential, and then for Federated credential scenario, select Other issuer.

4. In the Issuer field, paste the Issuer value that you copied from your service connection earlier.

5. In the Subject identifier field, paste the subject identifier that you copied earlier.

6. Enter a name for your federated credential, and then select Add after you're finished.

   👁 Screenshot that shows how to create a federated credential for a service principal in Azure.
   

Add a role assignment to your subscription

Before you can verify the connection, you need to grant the service principal Read access at the subscription level:

1. Go to the Azure portal.

2. Under Azure services, select Subscriptions, and then find and select your subscription.

3. Select Access control (IAM), and then select Add > Add role assignment.

4. Under the Role tab, select Reader, and then select Next.

5. Select User, group, or service principal, and then choose Select members.

6. In the search bar, paste your service principal's object ID, select it, and then choose Select.

7. Select Review + assign, review your settings, and then select Review + assign again to confirm.

8. After the role assignment is added, go back to your service connection in Azure DevOps and select Verify and Save to save your service connection.

Configure key vault access policies

1. Go to the Azure portal, find the key vault that you created earlier, and then select Access policies.

2. Select Create, and then under Secret permissions, add both the Get and List permissions, and then select Next.

3. Under Principal, paste your service principal's object ID, select it, and then select Next.

4. Select Next again, review your settings, and then select Save to apply the new policy.