DEMO: Replacing App Settings with Secrets in a Release Pipeline
Start course
1h 14m

Configuration is an important aspect of determining an application’s behavior. Settings files often include sensitive information like passwords and API keys. In this course, we will look at how to protect that sensitive information while the app is being developed and when it is in production.

Azure’s App Configuration Service allows you to manage access to settings data and we will see how to use it within a .Net application. We will look at using Azure Key Vault in conjunction with App Configuration Service, and how to access Azure Key Vault directly from your application and from apps running in a container within a Kubernetes cluster.

Next, we look at the idea of shifting left security testing within your development process, and how we can automate security testing as part of implementing a compliant development process. Much of this will involve using extensions from the Azure marketplace within your DevOps build pipeline.

This course contains numerous demonstrations from the Azure platform so that you can get a first-hand look at the topics we will be covering. If you have any feedback relating to this course, please contact us at

Learning Objectives

  • Learn about app configuration
  • Run and deploy apps with the Azure App Configuration service
  • Use Azure Key Vault to store secrets and certificates
  • Access Key Vault directly from your apps, including those running within a Kubernetes cluster
  • Create a compliant development process by integrating code analyzers, branch policies, quality gates, open-source library scanning, and automated penetration into a build pipeline

Intended Audience

  • Intermediate-level developers, DevOps engineers, and product managers
  • Anyone interested in learning how to implement secure app configurations and development pipelines


To get the most out of this course, you should have some pre-existing knowledge of software development and of using Microsoft Azure.


Now I want to look at substituting secrets for settings within your app settings JSON file. What I'm going to do is replace the settings DB password and super secret as well as background color from within the settings group. I'll just commit those changes I've made to the code and push them up to my repo. Now I'll go over to the portal and I will create the secrets that are going to take the place of my settings. So the background is going to be red and the DB password is going to be my secret production database password, and finally, just a super secret.

Okay, having created my Key Vault secrets, now I'm going to create a release pipeline. So back in Azure DevOps under pipelines and releases, I'll create a new pipeline. A run of the mill app service deployment task will do the trick. I'll use the how pipeline service connection that I've created for this project. The app is being deployed to Linux App Service, and because of the resource group associated with the service connection, my app appears in the dropdown. Let's save that.

Next I need to access my secrets. Just go back to the service connection and click on service principle. It's gonna take me back to Azure portal and I'll grab the name of the service principle. Then go to the Key Vault and into access policies and add a new access policy. This will allow my release pipeline to be able to access the secrets so I'll just select a list and get permissions on the secrets dropdown, paste in the service principle name and select not forgetting to save the access policy.

Okay, back at Azure DevOps, I'm gonna go and create a variable group under library for grabbing the secrets from the Key Vault. I'll give it an interesting name, like Key Vault secrets. Leave allow access to all pipelines and turn on link secrets from an Azure Key Vault as variables. Next, click, the add button and select our service connection followed by the Key Vault name and hit add variables. I'm just going to select all the variables and click OK. Now save secrets in the library.

Next thing I have to do is add the variables, the Key Vault secret variables to my pipeline variables. Just go to variable groups and link variable group and select Key Vault secrets and there we have them. Back at the deploy task, I will set up my runtime stack now going to application and configurations settings and this is where you map your secret variables to your app settings. I'm just going to paste ones I prepared earlier, but if we hit the edit button, we can go in and see them all laid out.

I'm going to get rid of the background color because I've already got it as settings background color. Now save that. The next thing I need to do is add a file transform task. This will allow me to access settings within my appsettings.json file. The file transform functionality used to reside inside the app deploy task. I just select the file format to JSON and add app sittings as my target file. The most important thing is I need code to deploy. So I need to add my build artifact and I can just select all of that from the dropdown list and click add.

There's one more thing I need to do, which is a little bit redundant in my opinion, but completely necessary is add another variable. Now this variable is going to met to my nested settings background color in app settings JSON. So I need to specify the variable name as the full path, and I'll just set the value as the automatically created variable that is getting populated from my Key Vault. So once again, I need to go into variables, into variable groups and link to that new group I've just created. And we can see the background color of the Key Vault variable matches the value of the app settings variable.

Now I can create the release. I'll just fast forward through the running pipeline. Right just to refresh our memories, here we've got the local host version with the blue and the Dev password. Now I'll going to the deployed app service, we can see that our background has become red and we're showing the production password and the very secret Key Vault secret. There is another way to achieve the same result by using the Azure Key Vault task. So here I've added the Azure Key Vault task and connected to my subscription in Key Vault.

Over in the library, you can see that I've removed all the variable groups. And if I go back to the pipeline and have a look at my variables, you can see they're all unlinked. And I've just got one variable, which is the one I need for mapping to my app settings background. So here is what the Key Vault task looks like in YAML script. Now back over to the Azure vault and I'll set up a new version of my background color, which I have set to dark orchid. So now I'll just go and refresh the page and we can see that that also works using the Azure Key Vault task.

About the Author
Learning Paths

Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a  Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.