Friday, 30 June 2017

Handling app secrets with Azure Key Vault and Jenkins

A typical scenario in application deployment is securing app secrets, such as passwords, that live in config files. It is best to store them in a key vault; however, if the code is already developed and we don't want to change it to consume secrets from the vault, here is a trick we can use.

Azure Key Vault can be used to secure secrets, certificates and other sensitive data in the cloud. Azure Key Vault is a service that allows users to encrypt keys and store them. We can encrypt keys and secrets such as authentication keys, storage account keys, passwords, etc.

Here is a demonstration of how we can secure a DB password in a configuration file using Key Vault. You will need:

- A subscription to Microsoft Azure
- A Jenkins server
- A sample application where you have credentials stored in config files

Step 1: Create “App registration”
1. Log in to the Azure portal.
2. Go to More services and search for App registrations.
3. Click the New app registration button.
Enter the following information:
Name: <Enter Application Name>
Application type: Web App / API
Sign-On URL: <http://localhost:12345>
For more information, you can check the Azure documentation.

Once registration is complete, Azure assigns our application a unique Application ID. Copy this Application ID and also copy the App Secret; we need both in the Jenkins configuration.

Step 2: Create Azure Key Vault
1. Log in to the Azure portal.
2. Click on New → Security + Identity.
3. Choose Key Vault.
4. Click on Add.
Create a new Key Vault. Fill in the appropriate information in the given blade.
For authorisation purposes, we need to add a service principal to the Key Vault. For this we will be using our app ‘azure_vault_auth’. Go ahead and type the app name in the service principal field. Also give permissions as required in the access policies.

Step 3: Adding your secrets to Azure Key Vault
1. Go to the Key Vault you created.
2. Select Secrets under Settings.
3. Create a secret key. Provide the name and value of the key.

Check that the key was created.

Now we have added our secret key to Azure Key Vault. Next, we need to integrate Azure Key Vault with Jenkins.

Step 4: Install and configure the Azure Key Vault plugin in Jenkins

1. Compile the Azure Key Vault plugin
#cd azure-keyvault-plugin/
#apt-get install maven
#mvn install -DskipTests
#cd target/

After compilation we get an hpi file, which is the Jenkins plugin file. This hpi file can be found in the target folder. We will upload it to Jenkins now.
Here, of all the content, we just need the azure-keyvault.hpi file.
Copy it to the home folder of the user you are logged in as:
#cp azure-keyvault.hpi /home/ubuntu/

Copy azure-keyvault.hpi to the local machine.
Note: You can perform this build operation on the local machine itself and upload the plugin to Jenkins.

2. Install the Azure Key Vault plugin
Log in to the Jenkins server.
Go to Manage Jenkins -> Manage Plugin -> Advanced, then upload the azure-keyvault.hpi file from the local machine.

Save the changes.
Click on Restart Jenkins after the plugin is installed.

3. Configure the Azure Key Vault plugin

Manage Plugin → Configure system → Azure Key Vault Plugin

Provide the following information as per your Azure account and Key Vault:
Key Vault URL: The URL at which your KeyVault is located (e.g.
Application ID: An Application ID in Azure Active Directory that has permission to access Key Vault.
Application Secret: An authentication token used by your Application ID to access Azure Active Directory.

Save changes.

Add an environment variable:
Manage Plugin → Configure system → Global Properties
Add a variable “DB_URL”, or any name you want, and give it a dummy value. This value will be replaced by the Azure Key Vault value.

Step 5: Configure a sample Jenkins job
1. Go to the Jenkins dashboard and click on New Item.
2. Select FreeStyle project.
3. In Source Code Management:
Choose Git project.
Provide the repository and credentials for the sample project.
4. Build Environment:
Choose Azure Key Vault Plugin.
Provide information such as the secret type, key name and version of the key.

5. We have stored our config file in GitLab, but we have replaced secrets such as the database URL and password with variables like DB_URL and DB_PWD.
In Jenkins, we will substitute the actual values from Azure Key Vault while performing the build.

Sample file is as below:
DBserver = DB_URL
DBUser = testuser

Execute shell (replace path/to/config-file with the path of your config file):
sed -i "s@DB_URL@$DB_URL@g" path/to/config-file

You can have any config file, in key-value pairs or any other format. Just keep secrets as variable names, which Jenkins will replace with the actual values from Key Vault.
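
The sed step above treats the secret as a sed replacement string, so a value containing `@`, `&` or `\` is mangled or breaks the command, and Jenkins runs shell steps with `sh -xe` by default, which echoes the expanded command, secret included, to the console log. The following is an added example, not part of the original post or the plugin, of a literal substitution that reads the secret from the environment inside awk; `render_secret`, `app.conf` and the sample secret value are assumptions.

```shell
#!/bin/sh
# Added example: literal placeholder substitution for a Jenkins "Execute shell" step.
# Assumptions (not from the post): render_secret, app.conf and the sample
# secret are hypothetical; the secret variable must be exported.

# render_secret FILE PLACEHOLDER ENV_VAR_NAME
# Replaces every PLACEHOLDER in FILE with the value of the named variable.
# The value is read via awk's ENVIRON, so it never appears on a command line
# (nothing for `sh -x` to echo) and is copied byte for byte: no character
# in it is treated as a delimiter, back-reference or escape.
render_secret() {
    file=$1 placeholder=$2 var=$3
    # mktemp creates the file 0600, so the rendered config ends up owner-only.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if PH=$placeholder VAR=$var awk '
        BEGIN {
            ph = ENVIRON["PH"]; val = ENVIRON[ENVIRON["VAR"]]
            if (ph == "" || val == "") { bad = 1; exit 2 }  # unset or empty
        }
        {
            out = ""
            while ((i = index($0, ph)) > 0) {   # literal search, not a regex
                out = out substr($0, 1, i - 1) val
                $0 = substr($0, i + length(ph))
                n++
            }
            print out $0
        }
        END { if (!bad && n == 0) exit 3 }      # placeholder never seen
    ' "$file" > "$tmp"; then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        echo "render_secret: $var unset/empty or $placeholder not found in $file" >&2
        return 1
    fi
}

# Constructed demo: the sample file from the post and a made-up secret value.
demo_dir=$(mktemp -d)
printf 'DBserver = DB_URL\nDBUser = testuser\n' > "$demo_dir/app.conf"
DB_URL='db01.example.internal;pw=p@ss&w\ord'; export DB_URL
render_secret "$demo_dir/app.conf" DB_URL DB_URL && cat "$demo_dir/app.conf"
rm -rf "$demo_dir"
```

A non-zero return fails the build under `sh -e`, so a missing secret or a renamed placeholder stops the job instead of shipping a config that still contains the dummy value.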

This way we can secure our application secrets without changing the application. If you have the flexibility to change the application, you can integrate it with Azure Key Vault directly.


  1. Nice, thanks! Not being familiar with Jenkins, what is not clear to me, is whether it is possible to integrate a Jenkins server to multiple Azure Key Vaults (via multiple plugins, or any other way)? Typically in large enterprises, secrets will be partitioned across applications by using multiple Key Vaults. Trying to understand can that scenario be supported?

  2. Hi Sujay,
    Yes. I agree with your comment. It is typical scenario where one application has multiple key-vaults with diff authorisations level. Plugin we used has provision to override default key-vault url to integrate multiple key-vaults for single application. Hope this clarifies your query. I would like to know if you need more information on this. I am reachable at

