| 1 | +--- |
| 2 | +title: Use key vault secrets in customization files |
| 3 | +description: Learn how to use Azure Key Vault secrets in team and individual customization files to clone private repositories. |
| 4 | +author: RoseHJM |
| 5 | +ms.author: rosemalcolm |
| 6 | +ms.service: dev-box |
| 7 | +ms.custom: |
| 8 | + - ignite-2024 |
| 9 | +ms.topic: how-to |
| 10 | +ms.date: 04/20/2025 |
| 11 | + |
| 12 | +#customer intent: As a Dev Center Admin or Project Admin, I want to create image definition files so that my development teams can create customized dev boxes. |
| 13 | +--- |
| 14 | + |
| 15 | +# Clone a private repository by using a customization file |
| 16 | + |
| 17 | +You can use secrets from your Azure key vault in your YAML customizations to clone private repositories, or with any custom task you author that requires an access token. In a team customization file, you can use a personal access token (PAT) stored in a key vault to access a private repository. |
| 18 | + |
| 19 | +## Use key vault secrets in team customization files |
| 20 | + |
| 21 | +To clone a private repository, store your PAT as a key vault secret. See [Grant the managed identity access to the key vault secret](../deployment-environments/how-to-configure-managed-identity.md#grant-the-managed-identity-access-to-the-key-vault-secret), and use it when you invoke the `git-clone` task in your customization. |
| 22 | + |
| 23 | +To configure your key vault secrets for use in your YAML customizations: |
| 24 | + |
| 25 | +1. Ensure that your dev center project's managed identity has the Key Vault Reader role and the Key Vault Secrets User role on your key vault. |
| 26 | +2. Grant the Key Vault Secrets User role for the key vault secret to each user or user group that should be able to consume the secret during the customization of a dev box. The user or group granted the role must include the managed identity for the dev center, the admin's user account, and any user or group that needs the secret during dev box customization. |
| 27 | + |
| 28 | +For more information, see: |
| 29 | + |
| 30 | +- [Configure a managed identity for a dev center](../deployment-environments/how-to-configure-managed-identity.md#configure-a-managed-identity-for-a-dev-center) |
| 31 | +- [Grant the managed identity access to the key vault secret](../deployment-environments/how-to-configure-managed-identity.md#grant-the-managed-identity-access-to-the-key-vault-secret) |
| 32 | + |
| 33 | +You can reference the secret in your YAML customization in the following format, which uses the `git-clone` task as an example: |
| 34 | + |
| 35 | +```yml |
| 36 | +$schema: "1.0" |
| 37 | +tasks: |
| 38 | + - name: git-clone |
| 39 | + description: Clone this repository into C:\Workspaces |
| 40 | + parameters: |
| 41 | + repositoryUrl: https://myazdo.visualstudio.com/MyProject/_git/myrepo |
| 42 | + directory: C:\Workspaces |
| 43 | + pat: '{{KEY_VAULT_SECRET_URI}}' |
| 44 | +``` |
| 45 | +
|
| 46 | +## Use key vault secrets in individual customization files |
| 47 | +
|
| 48 | +To clone a private Azure Repos repository from an individual customization file, you don't need to configure a secret in Azure Key Vault. If you want to clone a private Azure Repos repository from an individual customization file, you don't need to configure a secret in Azure Key Vault. Instead, you can use `{{ado}}` or `{{ado://your-ado-organization-name}}` as a parameter. This parameter fetches an access token on your behalf when you're creating a dev box. The access token has read-only permission to your repository. |
| 49 | + |
| 50 | +The `git-clone` task in the quickstart catalog uses the access token to clone your repository. Here's an example: |
| 51 | + |
| 52 | +```yml |
| 53 | +tasks: |
| 54 | + - name: git-clone |
| 55 | + description: Clone this repository into C:\Workspaces |
| 56 | + parameters: |
| 57 | + repositoryUrl: https://myazdo.visualstudio.com/MyProject/_git/myrepo |
| 58 | + directory: C:\Workspaces |
| 59 | + pat: '{{ado://YOUR_ADO_ORG}}' |
| 60 | +``` |
| 61 | + |
| 62 | +The dev center needs access to your key vault. Dev centers don't support service tags, so if your key vault is private, allow trusted Microsoft services to bypass the firewall. |
| 63 | + |
| 64 | +Dev centers don't support service tags, so if the key vault is private, allow trusted Microsoft services to bypass the firewall. |
| 65 | + |
| 66 | +:::image type="content" source="media/how-to-use-secrets-customization-files/trusted-services-bypass-firewall.png" alt-text="Screenshot that shows the option to allow trusted Microsoft services to bypass the firewall in Azure Key Vault settings." lightbox="media/how-to-use-secrets-customization-files/trusted-services-bypass-firewall.png"::: |
| 67 | + |
| 68 | +To learn how to allow trusted Microsoft services to bypass the firewall, see [Configure Azure Key Vault networking settings](/azure/key-vault/general/how-to-azure-key-vault-network-security). |
| 69 | + |
| 70 | +## Share a customization file from a code repository |
| 71 | + |
| 72 | +Make the customization file available to dev box pools by naming it *imagedefinition.yaml* and uploading it to the repository that hosts the catalog. When you create a dev box pool, you can select the customization file from the catalog to apply to the dev boxes in the pool. |
| 73 | + |
| 74 | +## Related content |
| 75 | + |
| 76 | +- [Microsoft Dev Box team customizations](concept-what-are-team-customizations.md) |
| 77 | +- [Configure imaging for Dev Box team customizations](how-to-configure-customization-imaging.md) |
| 78 | +- [Add and configure a catalog from GitHub or Azure Repos](../deployment-environments/how-to-configure-catalog.md) |
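Review bot: line 48 of the new file repeats its opening sentence verbatim ("To clone a private Azure Repos repository from an individual customization file, you don't need to configure a secret in Azure Key Vault." appears twice back to back); drop the second copy. The same duplication occurs at lines 62 and 64, where the sentence "Dev centers don't support service tags, so if the key vault is private, allow trusted Microsoft services to bypass the firewall." is stated twice; keep one. Those paragraphs (lines 62 through 68) also sit under "Use key vault secrets in individual customization files", a section that opens by saying no key vault secret is needed for that flow; the key vault networking guidance belongs under the team customization section, where the key vault is actually consumed, and since it widens key vault network access, a sentence explaining why the bypass is required would help readers accept it. Lines 25 and 26 name the principal inconsistently ("dev center project's managed identity" versus "the managed identity for the dev center"); pick one so admins grant the Key Vault roles to the right identity. The second YAML sample (line 53) omits the `$schema: "1.0"` line that the first sample (line 36) includes; add it for consistency. Finally, line 48 states that the `{{ado}}` token is read-only, but line 21 says nothing about the scope of the PAT stored in the key vault; a short note recommending a minimally scoped token would keep teams from storing an over-privileged credential.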