TFS\Team Services, Using Azure KeyVault secrets from a Variable Group in a Build Definition


I have a simple Build setup in Team Services. The build simply downloads source code from a Team Services hosted Git repo and then executes a PowerShell script.

The PowerShell script receives 4 parameters:

-SiteName "$(AppServiceName)" -AzureRMTenantID "$(AzureRMTenantID)" -AzureRMUN "$(AzureRMUN)" -AzureRMPW "$(AzureRMPW)"

AppServiceName is entered manually when the build is queued.

The 3 AzureRM* parameters should be coming from a Variable Group which I have linked to the Build Definition:

[Screenshot: variable configuration within the Build Job]

The Variable Group AzureDevOps is configured to Link the Secrets from Azure Key Vault as variables:

[Screenshot: Variable Group configured in the Library]

Based on everything I have been able to find regarding this pattern, it seems like it should just work.

As an interim sanity check, I am printing the variables out in my PowerShell script just so I can confirm they are being passed correctly.

Thus far, I have not been able to get the values of any of the AzureRM* variables to print correctly which leads me to believe they are NOT being passed as expected.

Generating script.
Formatted command: . 'd:\a\1\s\AppServices\Create Canned App Service Application.ps1' -SiteName "Testers" -AzureRMTenantID "" -AzureRMUN "" -AzureRMPW ""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -File "d:\a\_temp\23b9a27a-4b6d-4232-8e24-150173e08915.ps1"
Working Set of Variables:
SiteName:  Testers
ResourceGroup: Applications
ASE Name: appservices-ase
Location: East US
Additional Variables:
AzureRMTenantID: 

I am not expecting the variables to be printed in the log command here;

Formatted command: . 'd:\a\1\s\AppServices\Create Canned App Service Application.ps1' -SiteName "Testers" -AzureRMTenantID "" -AzureRMUN "" -AzureRMPW ""

but I would expect them to be printed within my script where I am explicitly writing them out;

Write-Host "Working Set of Variables:`nSiteName: "$SiteName"`r`nResourceGroup: "$RG"`r`nASE Name: "$ASEName"`r`nLocation: "$Location
Write-Host "Additional Variables:`nAzureRMTenantID: "$AzureRMTenantID"`r`n"$AzureRMUN"`r`n"$AzureRMPW

If I run the PS script locally, the values do print as expected;

PS C:\ashley\scm\AzureAutomation\AppServices> & '.\Create Canned App Service Application.ps1' -SiteName "tester" -AzureRMTenantID 12345 -AzureRMUN user -AzureRMPW 1234
Working Set of Variables:
SiteName:  tester
ResourceGroup: Applications
ASE Name: appservices-ase
Location: East US
Additional Variables:
AzureRMTenantID:  12345
user
1234

Does anyone know how to make this work? I am wondering if the problem has to do with the KeyVault permissions since the request is coming from the "Hosted 2017" Agent Queue built into Team Services.


First, you can't print out the secret variables' values; you can send the data to a service (e.g. a Web API) to get the actual data during the build/release.

Secondly, the Key Vault secret variables are used for release; it will add an Azure Key Vault task during the release. See: Link secrets from an Azure Key vault as variables.

You will get an empty value if you are using it in a build. You can add the Key Vault task to the build definition, then you can use the related variables in the following tasks. (You do not need to link to that variable group in the build definition.)
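The approach in the answer above, written out as an added YAML build example (not code from the question, the answer, or Microsoft): the Azure Key Vault task fetches the three AzureRM* secrets into secret pipeline variables, a short check fails the build if any of them arrived empty (the symptom in the question) without echoing the values, and only then is the script from the question invoked. The service connection name, vault name and agent image are assumptions.

```yaml
# Added example. Assumed names: service connection 'MyServiceConnection',
# vault 'my-keyvault', hosted image 'vs2017-win2016'.
trigger:
- master

pool:
  vmImage: 'vs2017-win2016'     # assumed hosted Windows agent image

variables:
  AppServiceName: 'Testers'     # entered at queue time in the original setup

steps:
# Pulls the named secrets into pipeline variables of the same name.
# They are flagged as secret, so the log shows them only as ***.
- task: AzureKeyVault@1
  displayName: 'Fetch AzureRM credentials from Key Vault'
  inputs:
    azureSubscription: 'MyServiceConnection'   # assumed ARM service connection
    KeyVaultName: 'my-keyvault'                # assumed vault name
    SecretsFilter: 'AzureRMTenantID,AzureRMUN,AzureRMPW'

# Secret variables are not exposed as environment variables automatically,
# so they are mapped explicitly; the check reports presence only, never the value.
- powershell: |
    foreach ($name in 'AZURERMTENANTID','AZURERMUN','AZURERMPW') {
      $value = [Environment]::GetEnvironmentVariable($name)
      if ([string]::IsNullOrEmpty($value)) {
        throw "Secret $name was not supplied to the build; check the Key Vault task and vault access policy"
      }
      Write-Host "$name is set (value not shown)"
    }
  displayName: 'Verify secrets arrived'
  env:
    AZURERMTENANTID: $(AzureRMTenantID)
    AZURERMUN: $(AzureRMUN)
    AZURERMPW: $(AzureRMPW)

# The script from the question, now receiving populated values.
- task: PowerShell@2
  displayName: 'Create Canned App Service Application'
  inputs:
    targetType: 'filePath'
    filePath: 'AppServices/Create Canned App Service Application.ps1'
    arguments: >-
      -SiteName "$(AppServiceName)"
      -AzureRMTenantID "$(AzureRMTenantID)"
      -AzureRMUN "$(AzureRMUN)"
      -AzureRMPW "$(AzureRMPW)"
```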


The Key Vault support currently works only with Release Definitions. You can create a Release Definition and link your Git Repo as an artifact and can achieve the same.

I receive this error while linking Azure Keyvault VG to BD.