Fortanix DSM with Azure DevOps

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Azure DevOps to securely access secrets within Azure DevOps pipelines.

Azure DevOps is an end-to-end development platform that helps organize and accelerate software delivery across the application lifecycle. To securely manage secrets in Azure DevOps pipelines, a reliable secret management solution is required.

2.0 Prerequisites

Before proceeding with the integration, ensure the following prerequisites are met:

3.0 Product Tested Version

The following product versions were tested:

  • Fortanix DSM version 5.6.2930 or later.

  • Node.js version 20 or later.

  • Azure Pipelines version 2.2.8

  • TypeScript version 5.9.3

  • @types/node version 25.4.0

  • tfx CLI version 0.23.1

4.0 Architecture Diagram

Figure 1: Architecture diagram

Users initiate Azure DevOps pipelines to execute automated workflows. During pipeline execution, the pipeline retrieves a Fortanix API key from an environment variable that is stored as a secret, and uses it to authenticate securely.

Using this API key, the pipeline communicates with Fortanix DSM to fetch the required secret. The retrieved secret is used within the pipeline runtime and can be consumed by Azure applications, ensuring secure access and management of sensitive data throughout the workflow.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://amer.smartkey.io. On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed here based on the application region.

For more information on how to set up the Fortanix DSM, refer to Sign Up for Fortanix Data Security Manager SaaS.

5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 2: Logging In

For more information on how to set up an account in Fortanix DSM, refer to Getting Started with Fortanix DSM - UI.

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click ADD GROUP to create a new group.

    Figure 3: Add a group

  2. On the Adding new group page:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click ADD APP to create a new app.

    Figure 4: Add an application

  2. On the Adding new app page:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to Authentication.

    4. Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

5.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to retrieve the Azure DevOps secret as described in Section 6.5: Configure and Test the Extension in Pipelines.

5.6 Importing a Security Object

Perform the following steps to import security objects in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Security Objects menu item, and then click ADD SECURITY OBJECT to create a new security object.

    Figure 5: Adding a security object

  2. On the Add new Security Object page:

    1. Security Object Name: Enter a name for your security object.

    2. Group: Select the group as created in Section 5.3: Creating a Group.

    3. Select IMPORT.

    4. In the Choose a type section, select the Secret key type.

    5. In the Place value here or import from file section, select the value format type as Text only and enter the object value (For example, ADO-object).

    6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying, except EXPORT.

  3. Click IMPORT to create the new security object.

The new security object is added to the Fortanix DSM successfully.

6.0 Integration Steps

Refer to the following video for end-to-end integration of Fortanix DSM with Azure DevOps:

The integration steps are also explained in the following sections:

6.1 Create a Publisher in Azure DevOps

To publish the Fortanix extension, first create a publisher in Azure DevOps.

Perform the following steps:

  1. Navigate to Azure DevOps Organizations.

  2. Select your organization.

  3. Navigate to organization Settings.

  4. Select Extensions → Browse Marketplace.

  5. Click Publish Extensions → Create Publisher.

  6. Enter the required publisher details and create the publisher.

Figure 6: Create a Publisher

6.2 Build the Fortanix Secret Management Extension

6.2.1 Prerequisites

The following are the prerequisites to configure the Fortanix Secret Management extension:

  • An Azure DevOps Publisher account to publish the Fortanix Secret Management extension.

  • Access to the Fortanix Secret Management extension source code repository to build the package.

  • An Azure DevOps project to run pipelines.

6.2.2 Build and Use the Extension

Perform the following steps to build and use a custom extension in Azure DevOps that fetches secrets:

  1. Install Node.js version 20 or later.

  2. Clone the GitHub project.

    Figure 7: Clone the GitHub project

  3. In the manifest.env file, configure only the ID and PUBLISHER_ID attributes. All other attributes are preconfigured and must not be changed.

    • MANIFEST_VERSION: Specifies the version of the manifest.

    • ID: Specifies the unique identifier (UUID) for the extension. For example, d9f8b8c2-1b48-4e5c-b0f5-41f2e7cf88a5.

    • EXTENSION_NAME: Specifies the name of the extension that is presented while installing this extension.

    • PUBLISHER_ID: Specifies the Azure DevOps publisher ID.

    • TASK_NAME: Specifies the name of the task that is presented in the Azure pipelines.

    • VERSION: Specifies the version of the extension.

    • AUTHOR: Specifies the name of the extension author.

  4. Run the build script (build.sh) file. This generates the following files:

    • Fortanix-Secret-Management/task.json

    • Fortanix-Secret-Management/package.json

    • Fortanix-Secret-Management/node_modules

    • vss-extension.json

    • node_modules

    After the build completes, the script deletes all the newly generated files and retains only the extension package.

  5. Locate the generated extension package in the same directory as <PUBLISHER_ID>.<EXTENSION_NAME>-<VERSION>.vsix.

    For example, Fortanix-ADO.Secret-Management-1.0.0.vsix.

6.3 Upload and Share the Extension

Perform the following steps:

  1. Navigate to the Azure DevOps Organization Publisher page.

  2. Select the Publisher.

  3. Click New extension → Upload new extension → Upload Visual Studio Code extension.

  4. Upload the .vsix file generated in Section 6.2.2: Build and Use the Extension.

  5. After uploading, select the extension.

  6. Click the overflow menu for the extension and click Share/Unshare.

  7. Enter the organization name and press the Enter key.

Figure 8: Upload an extension and share

6.4 Install the Extension

Perform the following steps to install the extension:

  1. Navigate to your Azure DevOps Organization.

  2. Navigate to Organization Settings → Extensions → Shared extensions.

  3. Locate the uploaded Fortanix extension.

  4. Click Install.

Figure 9: Install the extension

6.5 Configure and Test the Extension in Pipelines

Perform the following steps:

  1. Navigate to your Azure DevOps organization (https://dev.azure.com/<organization_name>).

  2. Select the Projects tab, and then click + New project.

  3. Enter the project details and create the project.

  4. Navigate to Pipelines and click Create Pipeline to add a new pipeline.

  5. Configure your repository to store the pipeline YAML file.

  6. Export the following Environment Variables:

    Ensure that the Keep the value secret check box is enabled.

  7. Configure Fortanix-Secret-Management Task:

    1. In the pipeline editor, navigate to Tasks (under the Review tab).

    2. Search for Fortanix.

    3. Select Fortanix-Secret-Management task.

    4. Enter the following values and click Add.

      • FORTANIX_API_ENDPOINT: Obtain it from the environment variable $(FORTANIX_API_ENDPOINT).

      • FORTANIX_API_KEY: Obtain it from the environment variable $(FORTANIX_API_KEY).

      • FORTANIX_SECURITY_OBJECT_NAME: Specifies the name of the security object generated in Section 5.6: Importing a Security Object.

      • FORTANIX_SECURITY_OBJECT: Exports the security object to this variable as a secret.

    5. Click Save and run to run the pipeline.

Figure 10: Completion of the task
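
The flow described in Section 4.0 and configured in Section 6.5, as an added example that is not the Fortanix extension's own code: read the three inputs from the environment, fetch the security object from DSM, and hand it to later steps as a masked variable through the Azure Pipelines task.setvariable logging command. The DSM REST paths and response fields, the helper names, and the sample values are assumptions for illustration.

```javascript
// Added example; not the Fortanix extension's code. The DSM REST paths and
// response fields used here are assumptions to check against your DSM API docs.
// Escape a value for an Azure Pipelines logging command so that '%' or
// newlines inside a secret cannot truncate or corrupt the command.
function escapeData(s) {
  return s.replace(/%/g, "%AZP25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
}
function escapeProperty(s) {
  return escapeData(s).replace(/\]/g, "%5D").replace(/;/g, "%3B");
}

// Logging command that sets a pipeline variable and marks it secret (masked in logs).
function secretVariableCommand(name, value) {
  return `##vso[task.setvariable variable=${escapeProperty(name)};issecret=true]${escapeData(value)}`;
}

// Fetch one security object by name; fetchFn is injectable so this runs offline.
async function fetchSecret(env, fetchFn = fetch) {
  for (const k of ["FORTANIX_API_ENDPOINT", "FORTANIX_API_KEY", "FORTANIX_SECURITY_OBJECT_NAME"]) {
    if (!env[k]) throw new Error(`${k} is not set`); // report the name, never the value
  }
  const base = new URL(env.FORTANIX_API_ENDPOINT);
  if (base.protocol !== "https:") throw new Error("FORTANIX_API_ENDPOINT must use https");
  const post = async (path, authorization, body) => {
    const res = await fetchFn(new URL(path, base), {
      method: "POST",
      headers: { Authorization: authorization, "Content-Type": "application/json" },
      body: body && JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`DSM ${path} failed with HTTP ${res.status}`);
    return res.json();
  };
  // Assumed flow: exchange the API key for a bearer token, then export by name.
  const session = await post("/sys/v1/session/auth", `Basic ${env.FORTANIX_API_KEY}`);
  const sobject = await post("/crypto/v1/keys/export", `Bearer ${session.access_token}`,
    { name: env.FORTANIX_SECURITY_OBJECT_NAME });
  return Buffer.from(sobject.value, "base64").toString("utf8");
}

// Constructed stand-in for DSM and constructed inputs (no network needed).
const stubDsm = async (url) => ({
  ok: true, status: 200,
  json: async () => url.pathname.endsWith("/session/auth")
    ? { access_token: "constructed-token" }
    : { value: Buffer.from("ADO-object").toString("base64") },
});
const demoEnv = { FORTANIX_API_ENDPOINT: "https://dsm.example.invalid",
  FORTANIX_API_KEY: "constructed-key", FORTANIX_SECURITY_OBJECT_NAME: "ado-secret" };
fetchSecret(demoEnv, stubDsm).then((v) => console.log(secretVariableCommand("FORTANIX_SECURITY_OBJECT", v)));
```

In a script step, a secret variable is not placed in the process environment automatically; map it explicitly in that step's env section before a script reads it.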
