| title | Store secrets in a key vault | |||
|---|---|---|---|---|
| description | Learn how to store secrets in an Azure Key Vault and use them while creating a VM, formula, or an environment. | |||
| ms.topic | how-to | |||
| ms.author | rosemalcolm | |||
| author | RoseHJM | |||
| ms.date | 06/26/2020 | |||
| ms.custom |
|
You might need to enter a complex secret when you use Azure DevTest Labs. Secrets include passwords for your Windows VMs, public SSH keys for your Linux VMs, or personal access token to clone your Git repo through an artifact. Secrets are often long and have random characters. Entering them can be tricky and inconvenient, especially if you use the same secret multiple times.
To solve this problem and keep your secrets in a safe place, DevTest Labs supports storing secrets in an Azure Key Vault. The first time a user saves a secret, DevTest Labs automatically creates a key vault in the same resource group as the lab, and stores the secret. DevTest Labs creates a separate key vault for each user.
Lab users need to create a lab virtual machine before they can create a secret in the key vault. This requirement is because DevTest Labs must associate lab users with valid user documents. DevTest Labs then allows users to create and store secrets in their key vaults.
To save your secret in Azure Key Vault, do the following steps:
- Select My secrets on the left menu.
- Enter a name for the secret. You see this name in the drop-down list when creating a VM, formula, or an environment.
- Enter the secret as the value.
:::image type="content" source="media/devtest-lab-store-secrets-in-key-vault/store-secret.png" alt-text="Screenshot of storing a secret.":::
When you enter a secret to create a VM, formula, or environment, you can enter the secret manually or select a saved secret from the key vault. To use a secret stored in your key vault, do the following actions:
- Select Use a saved secret.
- Select your secret from the drop-down list for Pick a secret.
:::image type="content" source="media/devtest-lab-store-secrets-in-key-vault/secret-store-pick-a-secret.png" alt-text="Screenshot of using a secret in VM creation.":::
You can specify your secret name in an Azure Resource Manager template that's used to create a VM as shown in the following example:
:::image type="content" source="media/devtest-lab-store-secrets-in-key-vault/secret-store-arm-template.png" alt-text="Screenshot of using a secret in a formula or environment.":::