Friday, February 21, 2025

How to integrate Azure Key Vault for secret management during the GitLab CI/CD process

To integrate Azure Key Vault for secret management during the GitLab CI/CD process, follow these steps:

------

1. Prerequisites

Azure Key Vault Created

Azure CLI installed

Service Principal or Managed Identity with Key Vault access

Secrets stored in Azure Key Vault

------

2. Grant Access to Key Vault

Grant your GitLab Service Principal access to Key Vault secrets:

az keyvault set-policy --name <KEYVAULT_NAME> \
    --spn "$AZURE_APP_ID" \
    --secret-permissions get list

This allows the Service Principal to read secrets from Key Vault.

------

3. Store Secrets in Key Vault

Store sensitive values in Azure Key Vault. Key Vault secret names may contain only alphanumerics and hyphens, so the vault secret is named my-secret here; MY_SECRET is kept as the name of the environment variable and app setting that receive its value:

az keyvault secret set --vault-name <KEYVAULT_NAME> --name "my-secret" --value "my-sensitive-value"

-------

4. Modify .gitlab-ci.yml to Fetch Secrets from Key Vault

Update your GitLab CI/CD pipeline to retrieve secrets securely from Azure Key Vault. AZURE_APP_ID, AZURE_PASSWORD, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID and AZURE_FUNCTIONAPP_NAME are GitLab CI/CD variables; store AZURE_PASSWORD as a masked, protected variable so it does not appear in job logs.

stages:
  - deploy

variables:
  AZURE_RESOURCE_GROUP: "my-resource-group"
  FUNCTION_APP_NAME: "$AZURE_FUNCTIONAPP_NAME"
  KEYVAULT_NAME: "<Your-KeyVault-Name>"

deploy_to_azure:
  # The azure-cli image provides az but not Azure Functions Core Tools (func);
  # install func in a before_script or use an image that ships both.
  image: mcr.microsoft.com/azure-cli
  stage: deploy
  script:
    - echo "Logging into Azure..."
    - az login --service-principal -u "$AZURE_APP_ID" -p "$AZURE_PASSWORD" --tenant "$AZURE_TENANT_ID"
    - az account set --subscription "$AZURE_SUBSCRIPTION_ID"

    - echo "Fetching secrets from Key Vault..."
    # The value stays in the job's shell; never echo it to stdout, since job logs are retained.
    - MY_SECRET=$(az keyvault secret show --name "my-secret" --vault-name "$KEYVAULT_NAME" --query "value" -o tsv)

    - echo "Setting environment variables for deployment..."
    # Only if the deployment step reads a .env file. The file would otherwise be packaged
    # by func publish, so list it in .funcignore and keep it out of artifacts:paths.
    - echo "MY_SECRET=$MY_SECRET" >> .env

    - echo "Deploying Function App..."
    - func azure functionapp publish "$FUNCTION_APP_NAME"
  only:
    - main

--------

5. Secure Secrets in the Function App

Instead of exposing secrets in GitLab (the pipeline, its logs and the .env file), you can point the Function App's application settings at Key Vault with a Key Vault reference, which the Functions runtime resolves when the app starts:

az functionapp config appsettings set --name $FUNCTION_APP_NAME --resource-group $AZURE_RESOURCE_GROUP \
    --settings "MY_SECRET=@Microsoft.KeyVault(SecretUri=https://$KEYVAULT_NAME.vault.azure.net/secrets/my-secret/)"

This allows Azure Functions to fetch secrets securely at runtime. For the reference to resolve, the Function App needs a managed identity that has been granted get permission on the vault's secrets; otherwise the app sees the literal reference string instead of the secret value.

-------

6. Verify the Secret in the Function App

After deployment, verify that the setting exists and holds a Key Vault reference rather than a plaintext value:

az functionapp config appsettings list --name $FUNCTION_APP_NAME --resource-group $AZURE_RESOURCE_GROUP
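The following script is an added example, not code from the original post. It serves steps 5 and 6: it builds the Key Vault reference string after validating the vault and secret names (so a name such as MY_SECRET, which Key Vault rejects, fails early), and it audits the JSON that `az functionapp config appsettings list -o json` prints, sorting the expected secret settings into resolved references, malformed references (which the runtime hands to the app as a literal string) and plaintext values. The vault name contoso-kv, the setting names and the sample JSON are constructed; the secret-name and reference syntax rules are Azure's documented ones.

```python
"""Build and audit Azure Key Vault references in Function App settings.

Added example, not from the original post. Assumes the JSON shape that
`az functionapp config appsettings list -o json` returns: a list of
objects with "name", "value" and "slotSetting" keys.
"""
import json
import re

# Azure naming limits: vault names are 3-24 characters, alphanumerics and
# hyphens, starting with a letter and ending with a letter or digit;
# secret names are 1-127 characters, alphanumerics and hyphens only.
VAULT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")

# The two reference syntaxes the Functions runtime resolves at startup.
SECRET_URI_RE = re.compile(
    r"^@Microsoft\.KeyVault\(SecretUri=https://(?P<vault>[A-Za-z0-9-]+)"
    r"\.vault\.azure\.net/secrets/(?P<secret>[A-Za-z0-9-]+)"
    r"(?:/(?P<version>[0-9a-f]{32})?)?\)$"
)
VAULT_NAME_FORM_RE = re.compile(
    r"^@Microsoft\.KeyVault\(VaultName=(?P<vault>[A-Za-z0-9-]+);"
    r"SecretName=(?P<secret>[A-Za-z0-9-]+)"
    r"(?:;SecretVersion=(?P<version>[0-9a-f]{32}))?\)$"
)


def key_vault_reference(vault_name, secret_name, version=None):
    """Return the SecretUri-style reference used in step 5.

    Names are validated first so a bad value fails here instead of
    producing an app setting the runtime cannot resolve.
    """
    if not VAULT_NAME_RE.match(vault_name):
        raise ValueError(f"invalid Key Vault name: {vault_name!r}")
    if not SECRET_NAME_RE.match(secret_name):
        raise ValueError(
            f"invalid secret name (alphanumerics and hyphens only): {secret_name!r}")
    uri = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}/"
    if version:
        uri += version
    return f"@Microsoft.KeyVault(SecretUri={uri})"


def parse_key_vault_reference(value):
    """Return {"vault", "secret", "version"} for a well-formed reference, else None."""
    for pattern in (SECRET_URI_RE, VAULT_NAME_FORM_RE):
        m = pattern.match(value)
        if m:
            return m.groupdict()
    return None


def audit_app_settings(settings_json, secret_setting_names):
    """Classify the settings that are expected to hold secrets.

    "references": resolved through Key Vault; "malformed": looks like a
    reference but will not resolve; "plaintext": the secret value itself
    sits in app configuration; "missing": setting not present at all.
    """
    result = {"references": [], "malformed": [], "plaintext": [], "missing": []}
    by_name = {s["name"]: s["value"] for s in json.loads(settings_json)}
    for name in secret_setting_names:
        if name not in by_name:
            result["missing"].append(name)
            continue
        value = by_name[name]
        if parse_key_vault_reference(value):
            result["references"].append(name)
        elif value.startswith("@Microsoft.KeyVault"):
            result["malformed"].append(name)
        else:
            result["plaintext"].append(name)
    return result


# Constructed sample of `az functionapp config appsettings list -o json` output.
# API_KEY is deliberately malformed ("/secret/" instead of "/secrets/").
SAMPLE_APPSETTINGS = json.dumps([
    {"name": "MY_SECRET", "slotSetting": False,
     "value": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/my-secret/)"},
    {"name": "DB_PASSWORD", "slotSetting": False,
     "value": "plaintext-password-left-in-settings"},
    {"name": "API_KEY", "slotSetting": False,
     "value": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secret/api-key/)"},
    {"name": "FUNCTIONS_WORKER_RUNTIME", "slotSetting": False, "value": "python"},
])

if __name__ == "__main__":
    print(key_vault_reference("contoso-kv", "my-secret"))
    print(audit_app_settings(SAMPLE_APPSETTINGS,
                             ["MY_SECRET", "DB_PASSWORD", "API_KEY", "STORAGE_KEY"]))
```

In practice, pipe the real output of the step 6 command into `audit_app_settings` with the list of settings your app treats as secrets; anything that lands in "plaintext" or "malformed" is a finding to fix before the deployment is considered done.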
