Use this Azure DevOps extension to safely retrieve and use secrets from your AKeyless vault. The task will login to AKeyless using Azure service connection JWT authentication and then fetch static secrets or a dynamic secret producer.

• Getting Started
• Inputs
• Outputs
• Static Secrets
• Dynamic Secrets

You can add the extension to your Azure DevOps pipeline in one of two ways:

• Option 1 - Search for 'akeyless secrets' when adding a new task.
• Option 2 - Go to Akeyless Extensions - Visual Studio Marketplace

If this is your first time using the extension, please visit the documentation to have the required prerequisites prepared.

• Getting Started - Setup akeyless and Azure service principal
• Example (Tutorial) - Complete walkthough demo

The task's outputs are determined by the values set in your staticSecrets and dynamicSecrets inputs. In order to access these outputs, you need to set the reference name of the task.

When writing the task in YAML, you set the reference name using the name property:

- task: akeyless-secrets@1
  name: 'MyAkeylessTask'
  displayName: 'this is only for display purposes'

If you are using classic pipelines, you will find the Reference Name setting under the Output Variables section:

Now with the reference name, you can access the output(s):

$(MyAkeylessTask.my_output)

For static secrets, you will get an individual secret output variables for each secret. For example:

steps:
- task: AzureCLI@2
  name: 'AzureCLI'
  displayName: 'Get JWT from Azure'
  inputs:
    azureSubscription: 'My Azure Service Principal'
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
     $JWT=$(az account get-access-token --query accessToken --output tsv)
     echo "##vso[task.setvariable variable=azure_jwt;isoutput=true;issecret=true]$JWT"

- task: akeyless-secrets@1
  name: 'MyAkeylessTask'
  displayName: 'Get Secrets from Akeyless'
  inputs:
    accessid: 'p-123456'
    azureJwt: '$(AzureCLI.azure_jwt)'
    staticSecrets: '{"/path/to/first-secret":"first_secret", "/path/to/second-secret":"second_secret" }'

Notice how we are using the azure_jwt output from the AzureCLI task to hold the JWT, then use it in the Akeyless task with $(AzureCLI.azure_jwt).

You will have $(MyAkeylessTask.first_secret) and $(MyAkeylessTask.second_secret) available in subsequent tasks of that job.

For dynamic secrets, the output variable that holds all of that dynamic secret's output. For example:

steps:
- task: AzureCLI@2
  name: 'AzureCLI'
  displayName: 'Get JWT from Azure'
  inputs:
    azureSubscription: 'My Azure Service Principal'
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
     $FRESH_JWT=$(az account get-access-token --query accessToken --output tsv)
     echo "##vso[task.setvariable variable=azure_jwt;isoutput=true;issecret=true]$FRESH_JWT"

# We are using $(AzureCLI.azure_jwt)
- task: akeyless-secrets@1
  name: 'MyAkeylessTask'
  displayName: 'Get Secrets from Akeyless'
  inputs:
    accessid: 'p-123456'
    azureJwt: '$(AzureCLI.azure_jwt)'
    staticSecrets: '{"/path/to/dynamic/secret":"my_dynamic_secret"}'

You will have $(MyAkeylessTask.my_dynamic_secret) available in subsequent tasks of that job. Note that dynamic secrets tend to be complex objects and you will likely need to further process the value to get an inner value.

For example, with a SQL dynamics secret you you can use jq to get at each separate value.

echo '$(MyAkeylessTask.MY_SQL_DYNAMIC_SECRET)' | jq -r 'to_entries|map("SQL_\(.key|ascii_upcase)=\(.value|tostring)")|.[]' >> $SQL

echo $SQL.id
echo $SQL.user
echo $SQL.ttl_in_minutes
echo $SQL.password