Read a Secret from an Azure Key Vault in Azure Pipelines

1.25 hours
  • 4 Learning Objectives

About this Hands-on Lab

You are deploying a database and application using Azure DevOps, but you don’t want to store the database passwords within the repo or within the pipeline. Use Azure Key Vault in the release pipeline to read a secret for the deployment.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create an Azure DevOps Organization

Create a new Azure DevOps Organization and create a project called MyFirstProject.

Create a Build Pipeline

Import the code for the lab located in this GitHub repository, and select the keyvault branch. Create a pipeline using the keyvault branch.

Create an Azure Key Vault

Create an Azure Key Vault and then create a secret. The secret should be called sqldbpassword, and the value can be any strong password you choose.

Note: The password must be at least 8 characters in length and must contain upper and lowercase letters, a number, and a symbol.

Create a Release Pipeline

Create a new release pipeline to deploy an Azure WebApp that ulitizes the Azure Key Vault secret.

Additional Resources


Start by logging into the Azure portal and searching for Azure DevOps from the services menu. Proceed to create a new Azure DevOps organization and project named MyFirstProject. Select Azure Repos and import the following code from the GitHub repository.

The application is located on the keyvault branch. Proceed to import the code on keyvault into your newly created Azure Repos repository. Once you've imported the code, create a build pipeline that will package up the code and publish the build artifacts to the staging directory.

Create an Azure KeyVault resource that will give permissions to the provided service principal to list and get secret access. Proceed to create the secret named sqldbpassword with a secure password.

Proceed to create the release pipeline to deploy the web app to Azure using the keyvault secret. Make sure to use a service connection with the service principal keys provided.

Override template parameters: -webAppName $(webAppName) -mySQLAdminLoginName "azureuser" -mySQLAdminLoginPassword $(sqldbpassword)

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?