Set Container Instance Environment Variables & Secrets with Azure DevOps Pipelines and Azure Key Vaults
Unfortunately, Azure Container Instances doesn't support Key Vault references in its configuration.
If you are running an ASP.NET application, or use another technology that can read configuration from Key Vault with the Azure SDK and managed identity authentication, then this is not a big problem for you.
But what about older technologies?
Then you only have a deployment-time configuration option. In this case you must inject your configuration when you deploy or update the Container Instance.
With the CLI you have these two options:
--environment-variables
--secure-environment-variables
How to do this in Azure DevOps
Create Key Vault linked Variable group
In Azure DevOps Pipelines you can define a variable group in the Library that is linked to Key Vault secrets.
Pipelines -> Library -> Add Variable group -> Link secrets from Azure key vaults as variables
Variable groups for Azure Pipelines and TFS — Azure Pipelines | Microsoft Docs
After you have linked and authorized the Key Vault, you can add the secret references. You just choose from the existing secrets. Only the linked secrets will be available in the group.
The Key Vault secret name and the variable name in the group will be the same.
YAML Pipeline
You have to reference your variable group to use it in the YAML pipeline.
In the variables section you can add the group.
variables:
- group: test-keyvault
In the YAML pipeline you will have an Azure CLI task:
- task: AzureCLI@2
  displayName: 'Deploy jobs'
  inputs:
    azureSubscription: 'Your Azure service connection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az container create \
You deploy your Container Instance with the Azure CLI command
az container create
In that command you can use variables from the pipeline variable groups (linked to Azure Key Vault) like this:
      --environment-variables \
      ENVIRONMENT=development \
      DATABASE_HOST="$(database-host)" \
      --secure-environment-variables \
      DATABASE_USER="$(database-user-name)" \
      DATABASE_PASSWORD="$(database-user-pass)" \
That’s it!
These secrets only refresh when you redeploy your Container Instance, but you can keep your secrets in a safe place in Azure Key Vault.
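A preflight check for the inline script, as an added example that is not part of the original post. A pipeline variable that is not defined leaves its $(name) text unreplaced, which bash then treats as a command substitution, so the container can end up deployed with an empty value. The sketch assumes the secrets reach the script as environment variables through the task's env: input instead of being written into the script text, and ACI_RESOURCE_GROUP, ACI_NAME and ACI_IMAGE are hypothetical variable names.

```shell
#!/bin/sh
# Preflight for the AzureCLI@2 inline script (added example).
# Assumed task mapping, so secret text never becomes part of the script:
#   env:
#     DATABASE_HOST: $(database-host)
#     DATABASE_USER: $(database-user-name)
#     DATABASE_PASSWORD: $(database-user-pass)

# check_value NAME VALUE: succeed only if VALUE is usable.
# Reports the variable name only, never the value.
check_value() {
    case $2 in
        '')
            echo "error: $1 is empty" >&2
            return 1 ;;
        '$('*')')
            # An undefined pipeline variable is left as the literal macro text.
            echo "error: $1 is an unresolved pipeline macro" >&2
            return 1 ;;
    esac
    return 0
}

# preflight: check every value the container needs and count all failures.
preflight() {
    failures=0
    for name in DATABASE_HOST DATABASE_USER DATABASE_PASSWORD; do
        eval "value=\${$name-}"   # names come from the fixed list above
        check_value "$name" "$value" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# deploy: refuse to create the container unless preflight passes.
# ACI_RESOURCE_GROUP, ACI_NAME and ACI_IMAGE are hypothetical variables.
deploy() {
    preflight || return 1
    az container create \
        --resource-group "$ACI_RESOURCE_GROUP" \
        --name "$ACI_NAME" \
        --image "$ACI_IMAGE" \
        --environment-variables \
            ENVIRONMENT=development \
            DATABASE_HOST="$DATABASE_HOST" \
        --secure-environment-variables \
            DATABASE_USER="$DATABASE_USER" \
            DATABASE_PASSWORD="$DATABASE_PASSWORD"
}
```

Call deploy as the last line of the inline script; a non-zero return fails the task before any container is created.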