Updating Azure DevOps Library insert Key Vault Variable with Azure DevOps API
I'm using the Azure DevOps API for maintaining the variables inside the library of Azure DevOps. For the secret and non-secret variables I can use the Azure DevOps REST API to perform the standard maintenance actions (Get/Insert/Update/Delete).
But now I've added a library where I make use of the secrets from Azure Key Vault.
With this configured it is possible to retrieve the normal variables as well as the variable linked with secret server. I use the following call: https://dev.azure.com/{organisation}/{account}/_apis/distributedtask/variablegroups/10?api-version=5.1-preview.1
But when I want to update the variables with secrets from Azure Key Vault, that is not possible. I use the POST action with URI: https://dev.azure.com/{organisation}/{account}/_apis/distributedtask/variablegroups/10?api-version=5.1-preview.1
with the following JSON:
```json
{
  "count": 1,
  "value": [
    {
      "variables": {
        "dummy": {
          "enabled": true,
          "contentType": "",
          "value": null,
          "isSecret": true
        },
        "AKV-Test": {
          "enabled": true,
          "contentType": "",
          "value": null,
          "isSecret": true
        }
      },
      "id": 10,
      "type": "AzureKeyVault",
      "name": "{libraryname}",
      "description": "",
      "providerData": {
        "serviceEndpointId": "{endpoint}",
        "vault": "{keyvault}",
        "lastRefreshedOn": "2022-03-16T08:38:18.201Z"
      },
      "createdBy": {
        "displayName": "{displayName}",
        "id": "{id}",
        "uniqueName": "{uniqueName}"
      },
      "createdOn": "2021-12-10T06:52:53.0666667Z",
      "modifiedBy": {
        "displayName": "{displayName}",
        "id": "{id}",
        "uniqueName": "{uniqueName}"
      },
      "modifiedOn": "2022-03-16T14:37:05.8866667Z",
      "isShared": false,
      "variableGroupProjectReferences": null
    }
  ]
}
```
The Key Vault is connected because inside this library I can manually add the secret and save the library. But when I perform the same action with the REST API I get the following error:
```json
{
  "$id": "1",
  "innerException": null,
  "message": "Value cannot be null.\r\nParameter name: group.Name",
  "typeName": "System.ArgumentNullException, mscorlib",
  "typeKey": "ArgumentNullException",
  "errorCode": 0,
  "eventId": 0
}
```
Does anybody have an idea what I'm doing wrong, or is the expected solution with the REST API not possible?
Solution 1:[1]
As a workaround, you can use PowerShell for builds. You can create a service connection from your project to the Azure subscription and then use this task:
```yaml
pool:
  name: Azure Pipelines
steps:
- task: AzurePowerShell@5
  displayName: 'Azure PowerShell script: InlineScript'
  inputs:
    azureSubscription: '<SUBSCRIPTION_CONNECTION_NAME>'
    ScriptType: InlineScript
    Inline: |
      # You can write your azure powershell scripts inline here.
      # You can also pass predefined and custom variables to this script using arguments
      $secretvalue = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
      $secret = Set-AzKeyVaultSecret -VaultName "<AKV_NAME>" -Name "<SECRETE_NAME>" -SecretValue $secretvalue
    azurePowerShellVersion: LatestVersion
```
Check this link: Quickstart: Set and retrieve a secret from Azure Key Vault using PowerShell
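Added example (not part of the original question or answer, and not Microsoft's code): the request body in the question is the `count`/`value` list wrapper, where `name` is nested, while the error names `group.Name`. This Python code builds a single-group body with `name` at the top level and the matching request, assuming the update endpoint takes one group object via `PUT`; the function names, the `WRITABLE` field list, the value-less-secret check and the sample values are assumptions of this example.

```python
import json
import urllib.request

# Constructed sample in the list-wrapper shape shown in the question (placeholder values).
LIST_RESPONSE = {
    "count": 1,
    "value": [{
        "variables": {
            "dummy": {"enabled": True, "contentType": "", "value": None, "isSecret": True},
            "AKV-Test": {"enabled": True, "contentType": "", "value": None, "isSecret": True},
        },
        "id": 10,
        "type": "AzureKeyVault",
        "name": "example-library",
        "description": "",
        "providerData": {"serviceEndpointId": "example-endpoint", "vault": "example-vault"},
        "createdBy": {"displayName": "example-user"},
        "isShared": False,
    }],
}

# Assumption: only these fields belong in an update body; audit fields are dropped.
WRITABLE = ("name", "description", "type", "providerData", "variables")

def build_update_body(payload, group_id):
    """Return one group object (top-level 'name') from a list wrapper or a bare group."""
    wrapped = "count" in payload and "value" in payload
    groups = payload["value"] if wrapped else [payload]
    group = next((g for g in groups if g.get("id") == group_id), None)
    if group is None or not group.get("name"):
        raise ValueError(f"no named variable group with id {group_id}")
    body = {key: group[key] for key in WRITABLE if key in group}
    if body.get("type") == "AzureKeyVault":
        # Key Vault-linked entries are references only: the secret value stays in the vault.
        for name, var in body.get("variables", {}).items():
            if var.get("value") is not None or not var.get("isSecret"):
                raise ValueError(f"variable {name!r} must be a value-less secret reference")
    return body

def build_update_request(organisation, project, group_id, body):
    """Build (not send) the PUT request; authentication headers are left to the caller."""
    url = (f"https://dev.azure.com/{organisation}/{project}/_apis/distributedtask/"
           f"variablegroups/{group_id}?api-version=5.1-preview.1")
    return urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                  headers={"Content-Type": "application/json"})
```
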
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Shamrai Aleksander |
