How to get a secret into a pytest test?

Say I have a pytest module with some test functions. In order to run the tests, the test functions need to have a Personal Access Token. I want to run these tests in a CI process in Azure DevOps. I can store the PAT as a secret variable in the Pipeline definition, but the question is, how do I pass this secret to the test functions when running pytest?

EDIT

I can read this from a file, and in the pipeline before running pytest I can format this file, but I don't like this approach so much.

Any suggestions?



Solution 1:[1]

I assume you have a pipeline but here's how you could do it.

First create your secrets in your desired key vault. I have created an app using Python and the Azure SDK which lets you create multiple secrets in a key vault very easily - https://github.com/TechyTish/AzurePy/blob/main/create-azure-secrets-README.md

Let's say your secrets are stored as (secretName: secretValue):

  • example1: 1234
  • example2: hello567

... etc

#filename: example.json

    {
        "SOME_KEY_NAME1": "{#exampleOne#}",
        "SOME_KEY_NAME2": "{#exampleTwo#}"
    }

Create a YAML pipeline which will have 2 tasks:

  1. Extract keyvault secrets
  2. Replace the .json key values with the secrets

#filename: azure-pipeline.yml

    # Azure Key Vault
    # Download Azure Key Vault secrets
    - task: AzureKeyVault@2
      inputs:
        connectedServiceName: # Azure subscription - you will need to create a service connection in the repo which has access policies to the key vault
        keyVaultName: # Name of existing key vault
        secretsFilter: '*' # Downloads all secrets for the key vault
        runAsPreJob: true # Runs before the job starts

Underneath the previous task add another one. This looks for any key value with the {# prefix and #} suffix in the .json file, and the variables (below) after this task will replace the value in the .json file with the value of the secrets you assigned it.

#filename: azure-pipeline.yml

    - task: qetza.replacetokens.replacetokens-task.replacetokens@3
      inputs:
        targetFiles: "$(Pipeline.Workspace)/codepath/jsonFileName.json"
        encoding: "auto"
        writeBOM: true
        verbosity: "detailed"
        actionOnMissing: "warn"
        keepToken: false
        tokenPrefix: "{#"
        tokenSuffix: "#}"
      displayName: Perform variable substitution in json file
    - script: echo "$(<folderName/example.json)" # open json file in the terminal to show the changes

    # .json value: point to secret name
    variables:
      exampleOne: $(example1)
      exampleTwo: $(example2)
    #....
    #etc

Run the pipeline (tick the box for debugging) and the output of your .json file should be:

#filename: example.json

    {
        "SOME_KEY_NAME1": "1234",
        "SOME_KEY_NAME2": "hello567"
    }
#....
#etc

This way the only time your secrets are revealed is when the pipeline is run on whichever host agent (virtual machine) you use.
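An added example, not part of the original answer: one way the tests could read the substituted example.json, written as a plain loader that a pytest fixture can call. The names `Secret` and `load_pipeline_secrets` are hypothetical, and the checks assume that a variable missing from the pipeline leaves either an empty string or an unreplaced `{#...#}` token in the file.

```python
import json
import re
import tempfile
from pathlib import Path

# A token the replacetokens task left in place, e.g. "{#exampleOne#}".
UNREPLACED = re.compile(r"\{#.*?#\}")


class Secret:
    """Wraps a value so pytest assertion output and logs never print it."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        return self._value

    def __repr__(self):
        return "Secret(****)"


def load_pipeline_secrets(path):
    """Return {key: Secret} from the substituted JSON file, failing closed."""
    # utf-8-sig: the task above sets writeBOM: true, and json rejects a BOM.
    data = json.loads(Path(path).read_text(encoding="utf-8-sig"))
    secrets = {}
    for key, value in data.items():
        if not isinstance(value, str) or not value:
            raise ValueError(f"{key}: empty value, was the variable defined?")
        if UNREPLACED.search(value):
            raise ValueError(f"{key}: token was not substituted")
        secrets[key] = Secret(value)
    return secrets


# In conftest.py (hypothetical wiring, requires pytest):
#   @pytest.fixture(scope="session")
#   def secrets():
#       return load_pipeline_secrets("folderName/example.json")

if __name__ == "__main__":
    # Constructed sample: the file as the pipeline would leave it, with a BOM.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "example.json"
        sample.write_text('{"SOME_KEY_NAME1": "1234"}', encoding="utf-8-sig")
        loaded = load_pipeline_secrets(sample)
        print(loaded)  # the value is masked in the printed dict
```

A test then takes the `secrets` fixture and calls `.reveal()` only at the point where the token is handed to the client under test.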

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 DevOps TH