Possible to populate Azure DevOps Pipeline variable with password from CyberArk

Is it possible to use CyberArk/Conjur so that my Azure pipeline variables are populated with the username and password stored in CyberArk? Sorry if this is a newbie question. I am just now beginning to research using CyberArk with ADO pipelines. I have certain tasks that run in my pipelines that need elevated permissions to run, so I am wondering whether, instead of having the password stored under the variables section, I can retrieve it and populate the variable via CyberArk.

You can certainly connect to Conjur in an Azure DevOps pipeline using a shell script, either using API key authentication, or using the Azure authenticator if you create an Azure Application Identity for your pipeline, which would have the advantage of not requiring you to store any secrets in your pipeline for the purposes of authenticating to Conjur, since you can use the Azure-provided token to authenticate to Conjur.
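The shell-script route with API key authentication mentioned in the reply above, as an added example that is not part of the thread and is not CyberArk's own code. It assumes the `CONJUR_*` values are mapped into the step's environment; the variable id `ci/deploy/server-password` and the pipeline variable name `serverPassword` are hypothetical.

```bash
# Added example: read one secret from Conjur using API key authentication and
# expose it to later steps as a masked Azure DevOps variable.
# Assumptions (not from the thread): the CONJUR_* values are mapped into this
# step's environment (the API key from a secret pipeline variable), and the
# variable id ci/deploy/server-password and the name serverPassword are made up.
set -eu

# Percent-encode a URL path segment; Conjur needs "/" in ids sent as %2F.
urlencode() {
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest
    case $c in
      [a-zA-Z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Exchange the API key for a short-lived access token (base64 form).
# The key goes in on stdin so it never appears in the process list.
conjur_token() {
  printf '%s' "$CONJUR_AUTHN_API_KEY" |
    curl -fsS -H 'Accept-Encoding: base64' --data-binary @- \
      "$CONJUR_APPLIANCE_URL/authn/$CONJUR_ACCOUNT/$(urlencode "$CONJUR_AUTHN_LOGIN")/authenticate"
}

# Fetch the current value of one Conjur variable; header is passed on stdin.
conjur_secret() {
  token=$(conjur_token)
  printf 'Authorization: Token token="%s"\n' "$token" |
    curl -fsS -H @- \
      "$CONJUR_APPLIANCE_URL/secrets/$CONJUR_ACCOUNT/variable/$(urlencode "$1")"
}

# Print the logging command that sets a secret (log-masked) pipeline variable.
# The command is a single line, so a value containing a newline is refused.
set_secret_variable() {
  case $2 in *"
"*) echo "refusing multi-line value for $1" >&2; return 1 ;; esac
  printf '##vso[task.setvariable variable=%s;issecret=true]%s\n' "$1" "$2"
}

# Run only when configured, so the functions can be sourced and tested offline.
if [ -n "${CONJUR_APPLIANCE_URL:-}" ]; then
  set +x   # never trace commands that handle the secret
  password=$(conjur_secret ci/deploy/server-password)
  set_secret_variable serverPassword "$password"
fi
```

Later steps do not receive secret variables in their environment automatically; map `$(serverPassword)` explicitly in the `env:` section of each task that needs it.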

I was more interested in using the CyberArk Conjur Service Connector from the Azure Marketplace. If I have a password variable in my pipelines, can this populate this variable so that I am able to run tasks that require a server login?


Yes, that is our integration with Azure DevOps that allows you to provide secrets from Conjur directly to Pipelines running in Azure DevOps. It utilizes a Service Connection in order to authenticate to Conjur and then provides the secret values you provide as environment variables the Pipeline can access secrets from.

You can find more details on how to configure it at GitHub - cyberark/conjur-azure-devops-extension: Azure DevOps Extension for retrieving secrets from CyberArk Conjur.