Use Azure Key Vault secrets in GitLab CI/CD

Introduced in GitLab and GitLab Runner 16.3.

You can use secrets stored in the Azure Key Vault in your GitLab CI/CD pipelines.

Prerequisites:

Use Azure Key Vault secrets in a CI/CD job

You can use a secret stored in your Azure Key Vault in a job by defining it with the azure_key_vault keyword:

job:
  id_tokens:
    AZURE_JWT:
      aud: 'azure'
  secrets:
    DATABASE_PASSWORD:
      token: AZURE_JWT
      azure_key_vault:
        name: 'test'
        version: 'test'

In this example:

  • name is the name of the secret.
  • version is the version of the secret.
  • GitLab fetches the secret from Azure Key Vault and stores the value in a temporary file. The path to this file is stored in a DATABASE_PASSWORD CI/CD variable, similar to file type CI/CD variables.