0 trust

By design, Blue Agent must be able to use a token to register itself with the Azure DevOps server. Centrally managing token storage, lifecycle and access greatly improves operational security: the token lives in one audited place instead of in values files, CI variables or container images.

Kubernetes (Helm)

Azure Kubernetes Service

Azure Kubernetes Service implements Pod Identity, which allows a Kubernetes Pod to use a Managed Identity. This lets components on the cluster read the secrets stored in Azure Key Vault without any credential being stored in the cluster itself.

Prerequisites to the deployment are:

  • The Key Vault provider for Secrets Store CSI Driver add-on installed in the cluster.
  • A Key Vault with two secrets named organization-url and personal-access-token, both of type secret.
  • A Managed Identity (system or user managed) with the Key Vault Secrets User role on the Key Vault.
# values.yaml
secret:
  create: true
  azureKeyVault:
    enabled: true                                # must be true for the chart to read from Key Vault
    managedIdentityId: MY_MANAGED_IDENTITY_ID    # identity holding the Key Vault Secrets User role
    name: MY_KEY_VAULT_NAME
    tenantId: MY_TENANT_ID

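
To show what the chart's secret.azureKeyVault values translate to, here is a hand-written SecretProviderClass and Pod volume for the Azure Key Vault provider of the Secrets Store CSI Driver; this is an added example, not the chart's own template, and the resource names, the agent image placeholder and the managed-identity mode (useVMManagedIdentity with a user-assigned identity rather than a Pod Identity binding) are assumptions.

```yaml
# Added example, not the Blue Agent chart's template; placeholders mirror values.yaml.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: blue-agent-keyvault            # hypothetical name
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"       # assumption: user-assigned managed identity mode
    userAssignedIdentityID: MY_MANAGED_IDENTITY_ID   # client ID of the identity
    keyvaultName: MY_KEY_VAULT_NAME
    tenantId: MY_TENANT_ID
    objects: |
      array:
        - |
          objectName: organization-url
          objectType: secret
        - |
          objectName: personal-access-token
          objectType: secret
  # Mirror the mounted files into a Kubernetes Secret; it exists only while a Pod mounts the volume.
  secretObjects:
    - secretName: blue-agent-secrets   # hypothetical name
      type: Opaque
      data:
        - objectName: organization-url
          key: organization-url
        - objectName: personal-access-token
          key: personal-access-token
---
apiVersion: v1
kind: Pod
metadata:
  name: blue-agent-example             # hypothetical name
spec:
  containers:
    - name: agent
      image: PLACEHOLDER_AGENT_IMAGE   # placeholder, not a real image reference
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true               # the token is read at runtime, never baked into values or images
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: blue-agent-keyvault
```

Rotating the personal-access-token in Key Vault then only requires the Pod to be restarted (or the driver's rotation to be enabled), with no change to the Helm release.
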
Other distributions

Disable the secret creation in the Helm chart and integrate with your own secrets management solution, which must provide the organization-url and personal-access-token values to the agent.

# values.yaml
secret:
  create: false

Azure Container Apps (Bicep)

Bicep is not supported out of the box, but the integration between Azure Key Vault and Azure Container Apps is native and can be set up in about an hour. See the documentation.
