Build Secure Integration Tests with Azure Key Vault in Azure DevOps

Scenario: We have integration tests written in .NET using NUnit. We don't want to store the API key and other sensitive information in the repository; instead, we want the tests to retrieve all the keys from Azure Key Vault. At the same time, we would also like test engineers to be able to run the tests in their local environment.

One way to achieve this is to use the test parameters feature from NUnit.

Add a .runsettings file to your project. This file is used for local development/testing only and should not be checked in with the values filled in. The format can be something like below. If you want to know more details, you can check it here

<?xml version="1.0" encoding="utf-8" ?>
<RunSettings>
	<TestRunParameters>
		<Parameter name="ApiKey" value="" />
		<Parameter name="RefreshToken" value="" />
	</TestRunParameters>
</RunSettings>
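The .runsettings file is only safe to commit while its values are empty. As an added example (not from the original post), here is a Python check for a pre-commit hook or CI step that parses a .runsettings file and reports any test run parameter with a value filled in. The sample XML, the `PLACEHOLDER` value and the function names are constructed for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples: the empty template, and a copy where a value was
# filled in for a local run (placeholder text, not a real key).
TEMPLATE = b"""<?xml version="1.0" encoding="utf-8" ?>
<RunSettings>
  <TestRunParameters>
    <Parameter name="ApiKey" value="" />
    <Parameter name="RefreshToken" value="" />
  </TestRunParameters>
</RunSettings>"""
FILLED = TEMPLATE.replace(b'"ApiKey" value=""', b'"ApiKey" value="PLACEHOLDER"')


def populated_parameters(runsettings: bytes) -> list[str]:
    """Names of TestRunParameters entries that carry a non-empty value."""
    root = ET.fromstring(runsettings)
    return [
        p.get("name", "<unnamed>")
        for p in root.iterfind("./TestRunParameters/Parameter")
        if (p.get("value") or "").strip()
    ]


def main(paths: list[str]) -> int:
    """Hook entry point: returns 1 if any file must not be committed."""
    status = 0
    for path in paths:
        try:
            with open(path, "rb") as fh:
                names = populated_parameters(fh.read())
        except (OSError, ET.ParseError) as exc:
            print(f"{path}: cannot check ({exc})", file=sys.stderr)
            status = 1  # fail closed: an unreadable file is not "clean"
            continue
        if names:
            # Report parameter names only, never the values themselves.
            print(f"{path}: values set for {', '.join(names)}", file=sys.stderr)
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the staged .runsettings paths as arguments; a non-zero exit status blocks the commit.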

Most importantly, you need to configure your IDE as follows:

  1. Make sure autodetection of runsettings is enabled in Visual Studio by checking this checkbox: Tools > Options > Test > Auto Detect runsettings Files.
  2. Make sure you have created your runsettings file in the root of your solution, not your project root.
  3. If all else fails and your tests still can’t find your .runsettings file, you can specify the file manually in the Test Explorer by selecting Options > Configure Run Settings > Select solution wide Run Settings file.

For Visual Studio on Mac, you need to do the following:

Add the runsettings file path to the project file and it will do the work.

<Project Sdk="Microsoft.NET.Sdk">

In your test class, you can retrieve the test parameters through TestContext.Parameters:

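    using NUnit.Framework;
    public class MyTests
    {
        // Not readonly: the fields are assigned in a setup method, not a constructor.
        private string _apiKey;
        private string _refreshToken;

        [OneTimeSetUp] // assumed here so NUnit runs this once before the tests
        public void PopulateConfigs()
        {
            _apiKey = TestContext.Parameters["ApiKey"];
            _refreshToken = TestContext.Parameters["RefreshToken"];
        }
    }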


In the Azure Pipelines YAML file, this is how you retrieve the secrets from Key Vault and inject them as TestRunParameters arguments:

pool:
  vmImage: ubuntu-latest

trigger: none
pr: none
schedules:
- cron: "0 20 * * Sun,Mon,Tue,Wed,Thu"
  displayName: Daily morning build
  branches:
    include:
    - master
  always: true

variables:
  - name: dotnetVersion
    value: '7.0.x'

stages:
- stage:
  displayName: Run e2e .NET tests
  jobs:
  - job:
    displayName: build job
    steps:
    - task: UseDotNet@2
      displayName: Use dotnet $(dotnetVersion)
      inputs:
        packageType: sdk
        version: $(dotnetVersion)
    - task: DotNetCoreCLI@2
      displayName: dotnet restore
      inputs:
        command: 'restore'
    - task: DotNetCoreCLI@2
      displayName: 'dotnet build'
      inputs:
        command: 'build'
    # Downloads secrets from the vault as pipeline variables named after each secret
    - task: AzureKeyVault@2
      inputs:
        azureSubscription: 'My Service Principal'
        KeyVaultName: 'my-keyvault-dev'
        SecretsFilter: '*'
        RunAsPreJob: false
    - task: DotNetCoreCLI@2
      displayName: 'dotnet test'
      inputs:
        command: 'test'
        # Arguments after "--" are passed to the test run as inline run settings
        arguments: '-- "TestRunParameters.Parameter(name=\"ApiKey\", value=\"$(ApiKey)\")" -- "TestRunParameters.Parameter(name=\"RefreshToken\", value=\"$(RefreshToken)\")"'

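$(ApiKey) and $(RefreshToken) map to the secret names in your Azure Key Vault. Note that with SecretsFilter: '*' the task downloads every secret in the vault as a pipeline variable; a comma-separated list of names (for example ApiKey,RefreshToken) limits the download to the secrets the tests need.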