Accessing secrets from a pipeline is for some reason woefully under-documented. It is possible to access secrets very dynamically (including inserts) using this library: https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets.
Here is a good video of the correct approach (however, this video stops short of actual pipeline use): https://www.youtube.com/watch?v=lGMIuIf3psA
Before or after watching the video, understand these things:
Here are some links demonstrating App registrations:
Step 1: Register an Application in Azure AD
a. Navigate to Azure Active Directory:
· Go to the Azure portal (https://portal.azure.com).
· Navigate to Microsoft Entra ID.
b. Register a New Application:
· In the Azure AD menu, select App registrations.
· Click New registration. From the “Overview” menu item, click the “Add” button. This will give you a menu item called “Add Registration.”
· Enter a name for the application (e.g., KeyVaultAccessApp).
· Click Register.
4. Get the Application (Client) ID:
· After registration, you will be redirected to the application's overview page.
· Copy the Application (client) ID. This is your AZURE_CLIENT_ID.

Step 2: Create a Client Secret
5. Create a Client Secret:
· In the application's menu, select Certificates & secrets.
· Under Client secrets, click New client secret.
· Add a description and set an expiration period.
· Click Add.
· Copy the value of the client secret. This is your AZURE_CLIENT_SECRET.

Step 3: Get the Tenant ID
6. Get the Directory (Tenant) ID:
· In the Azure portal, navigate back to Azure Active Directory. Microsoft Entra
· Copy the Directory (tenant) ID from the Azure AD overview page. This is your AZURE_TENANT_ID.

Step 4: Assign Permissions to the Application
7. Assign Key Vault Access Policies: ly think which allows an active “Access Policies” tab.
· Navigate to your Key Vault in the Azure portal.
· In the Key Vault menu, select Access policies.
· Click Add Access Policy.
· Configure the permissions (e.g., Get, List for secrets).
· Under Select principal, search for and select the application you registered.
· Click Add and then Save.

Step 5: Configure Azure DevOps Pipeline
8. Set Environment Variables in Azure DevOps:
· Go to your Azure DevOps project.
· Navigate to Pipelines > Library.
· Click + Variable group.
· Add variables AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_SECRET with their respective values.
I realize this answer is not long enough. To document it for my team I had to use 10 screenshots.
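
The pipeline-side code that consumes the three variables from Steps 1 to 5, as an added example that is not part of the original answer: it reads one secret and inserts another with Azure.Security.KeyVault.Secrets and Azure.Identity, and reports the 403 that results when the access policy from Step 4 grants only Get and List. The `KEY_VAULT_URL` and `NEW_SECRET_VALUE` variables, the secret names and the class name are assumptions made for illustration.

```csharp
// Added example, not from the original answer. Requires the NuGet packages
// Azure.Identity and Azure.Security.KeyVault.Secrets.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class PipelineSecrets // hypothetical class name
{
    // Fail fast with the variable name (never its value) when the pipeline did not supply it.
    static string Require(string name) =>
        Environment.GetEnvironmentVariable(name) is { Length: > 0 } value
            ? value
            : throw new InvalidOperationException($"Environment variable {name} is not set.");

    public static async Task<int> Main()
    {
        // Values from Steps 1-3, supplied by the variable group from Step 5.
        var credential = new ClientSecretCredential(
            Require("AZURE_TENANT_ID"), Require("AZURE_CLIENT_ID"), Require("AZURE_CLIENT_SECRET"));
        // KEY_VAULT_URL is an assumed variable, e.g. https://<your-vault>.vault.azure.net/
        var client = new SecretClient(new Uri(Require("KEY_VAULT_URL")), credential);
        try
        {
            // Read: covered by the Get permission granted in Step 4.
            KeyVaultSecret secret = await client.GetSecretAsync("example-secret"); // placeholder name
            // Log metadata only; the secret value itself is never written to the build log.
            Console.WriteLine($"Read {secret.Name}, version {secret.Properties.Version}");

            // Insert: needs the Set permission, which Get and List alone do not include.
            await client.SetSecretAsync("example-inserted-secret", Require("NEW_SECRET_VALUE"));
            return 0;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            Console.Error.WriteLine($"Forbidden: the access policy lacks a required permission ({ex.ErrorCode}).");
            return 1;
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            Console.Error.WriteLine("Secret not found in the vault.");
            return 1;
        }
        catch (AuthenticationFailedException)
        {
            Console.Error.WriteLine("Sign-in failed: check the client ID, tenant ID and client secret expiry.");
            return 1;
        }
    }
}
```

If `AZURE_CLIENT_SECRET` is marked as a secret variable in the variable group, Azure Pipelines does not pass it to the process automatically; map it explicitly in the step's `env:` section.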