Deploy: Azure Key Vault

Last Update: 7/18/2017


icon This task is used to download secrets such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords from an Azure Key Vault instance. The task can be used to fetch the latest values of all or a subset of secrets from the vault, and set them as variables that can be used in subsequent tasks of a definition. The task is Node-based, and works with Xplat agents (Windows, Linux, or OSX).

Pre-requisites for the task

The task has the following pre-requisites:

You can create a key vault:

Add secrets to a key vault:

  • By using the PowerShell cmdlet Set-AzureKeyVaultSecret. If the secret does not exist, this cmdlet creates it. If the secret already exists, this cmdlet creates a new version of that secret.

  • By using the Azure CLI. To add a secret to a key vault, for example a secret named SQLPassword with the value Pa$$w0rd, type:

    az keyvault secret set --vault-name 'ContosoKeyVault' --name 'SQLPassword' --value 'Pa$$w0rd'

When you want to access secrets:

  • Ensure the Azure endpoint has at least Get and List permissions on the vault. You can set these permissions in the Azure portal:

    • Open the Settings blade for the vault, choose Access policies, then Add new.

    • In the Add access policy blade, choose Select principal and select the service principal for your client account.

    • In the Add access policy blade, choose Secret permissions and ensure that Get and List are checked (ticked).

    • Choose OK to save the changes.

Parameters of the task:

Parameter Description
Azure Subscription Required. Select the service connection for the Azure subscription containing the Azure Key Vault instance, or create a new connection. Learn more
Key Vault Required. Select the name of the Azure Key Vault from which the secrets will be downloaded.
Secrets filter Required. A comma-separated list of secret names to be downloaded. Use the default value * to download all the secrets from the vault.


Values are retrieved as strings. For example, if there is a secret named connectionString, a task variable connectionString is created with the latest value of the respective secret fetched from Azure key vault. This variable is then available in subsequent tasks.

If the value fetched from the vault is a certificate (for example, a PFX file), the task variable will contain the contents of the PFX in string format. You can use the following PowerShell code to retrieve the PFX file from the task variable:

$kvSecretBytes = [System.Convert]::FromBase64String($(PfxSecret))
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection

If the certificate file will be stored locally on the machine, it is good practice to encrypt it with a password:

 #Get the file created
$password = 'your password'
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
$pfxPath = [Environment]::GetFolderPath("Desktop") + "\MyCert.pfx"
[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)

For more details, see Get started with Azure Key Vault certificates.

Contact Information

Contact if you discover issues using the task, to share feedback about the task, or to suggest new features that you would like to see.


Do I need an agent?

You need at least one agent to run your build or release. Get an agent.

I can't select a default agent queue and I can't queue my build or release. How do I fix this?

See queues.

I use Team Foundation Server on-premises and I don't see some of these features. Why not?

Some of these features are available only on Visual Studio Team Services and not yet available on-premises. Some features are available on-premises if you have upgraded to the latest version of TFS.

Help and support