 

Dynamically get KeyVault secret in Azure DevOps PowerShell script

We have an Azure Key Vault task in our release pipeline which downloads some secrets for use in the stage.

In an Inline Azure PowerShell script you can just use the following to get the secret value:

$secretValue = $(nameOfTheSecretInKeyVault)

This works fine.

However, we want to move to using scripts in the repo, i.e. pointing the DevOps task to a file path, e.g. /somePath/myScript.ps1

So I would need to parameterise the above line of code, as I cannot just change the name in the inline script like I'm currently doing, but I can't get it to work.

I have tried:

$compositeName = "${someParameter}-Application"
$secretValue1 = $($compositeName)
$secretValue2 = $("${compositeName}")
$secretValue3 = env:$compositeName
$secretValue4 = $(${compositeName})

The top line is just building up the name of the secret which it needs to look for. Unfortunately none of these work. Attempt #1, #2 and #4 come back with the string name only, not having actually got the secret value, and #3 errors saying it doesn't exist.

Is there a way to achieve this, or do I simply need to parameterise the secret and pass it into the script from the ADO task?

MDBarbier asked Dec 01 '25 07:12


1 Answer

Like you, I couldn't figure out a way to access the variables the log mentions are loaded in the Download secrets task of the job. It did work in inline mode, but not a chance with a script file.

So instead I leveraged the existing wiring (variable group linked to my KeyVault) and just run the command myself at the start of my script:

$mySecretValue = (Get-AzKeyVaultSecret -VaultName "myVault" -Name "mySecret").SecretValueText

From there I could use it as any other variable.

Florian Eiden answered Dec 02 '25 21:12
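
An added example (not from the question or the answer) of a repo script that builds the secret name from a parameter, reads it from Key Vault at run time, and registers the value for log masking. It assumes the script runs in an Azure PowerShell task whose service connection can read secrets, and an Az.KeyVault version that supports -AsPlainText; the parameter names and the vault name are placeholders.

```powershell
# Added example: parameter names and the default vault name are placeholders.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[0-9a-zA-Z-]+$')]   # Key Vault secret names: alphanumerics and dashes
    [string]$SomeParameter,

    [string]$VaultName = 'myVault'
)

$ErrorActionPreference = 'Stop'

# $(name) is expanded by the agent only in inline scripts and task inputs,
# so a script file has to build the name and look the secret up itself.
$compositeName = "${SomeParameter}-Application"

# Assumes an Az.KeyVault version with -AsPlainText; older versions exposed
# .SecretValueText on the returned object instead.
$secretValue = Get-AzKeyVaultSecret -VaultName $VaultName -Name $compositeName -AsPlainText

# The cmdlet returns nothing for a missing secret, so fail explicitly
# instead of continuing with an empty credential.
if ([string]::IsNullOrEmpty($secretValue)) {
    throw "Secret '$compositeName' was not found in vault '$VaultName'."
}

# A value fetched inside the script is unknown to the agent, so register it
# for masking before anything can echo it to the pipeline log.
Write-Host "##vso[task.setsecret]$secretValue"

# Use $secretValue from here on; log only the name, never the value.
Write-Host "Loaded secret '$compositeName' from '$VaultName'."
```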
