How to use Azure Secure Files to Store a Server Key and Use It in the Pipeline to Deploy in Salesforce

We asked Kuldeep Singh – Senior Salesforce Developer at Bluewave, to put together an instructional guide on a crucial aspect of Salesforce deployment. In this blog post, he’ll discuss how to create a sample pipeline YAML code that deploys code in Salesforce. This step by step walkthrough will also include examples and code excerpts. Read on for more information, in Kuldeep’s own words.


Salesforce is a popular CRM platform that provides businesses with powerful tools for managing their customer relationships. One of the key features of Salesforce is its ability to integrate with other systems and applications, including source code repositories and deployment pipelines. In this blog post, I’ll take you through a sample pipeline YAML code that deploys code in Salesforce, and I’ll explain the different steps needed, so that you can do it effectively as well. First, let me share the code we’ll be talking about:


batch: true
- master
- force-app/main/default

- job: DownloadSecureFile
displayName: Download Secure File
vmImage: 'ubuntu-latest'
- task: DownloadSecureFile@1
displayName: 'Download server.key'
secureFile: 'server.key'
downloadPath: $(Agent.TempDirectory)/server.key
retryCount: 3
cleanDestinationFolder: true

- task: PublishPipelineArtifact@1
displayName: 'Publish server.key artifact'
artifactName: 'serverKeyArtifact'
path: $(Agent.TempDirectory)/server.key
publishLocation: 'pipeline'

- job: DeployToSandbox
dependsOn: DownloadSecureFile
displayName: Deploy to Sandbox
vmImage: 'ubuntu-latest'
- checkout: self
clean: true

- task: DownloadPipelineArtifact@2
displayName: 'Download server.key artifact'
artifactName: 'serverKeyArtifact'
targetPath: $(Agent.TempDirectory)

- script: |
echo Start the installation process...
npm install --global sfdx-cli
echo 'y' | sfdx plugins:install sfpowerkit
echo Installation done...

# List contents of the secure file directory
ls -la $(Agent.TempDirectory)
cat $(Agent.TempDirectory)/server.key
echo ''

displayName: 'Install SFDX'

- script: |
sfdx force:auth:jwt:grant --clientid $(salesforceDevOrgClientId) --jwtkeyfile "$(Agent.TempDirectory)/server.key" --username $(salesforceDevOrgUserName) --instanceurl $(salesforceDevOrgInstanceURL) -a devOrg
displayName: 'Authorize sandbox'

- script: |
sfdx force:source:convert -r ./force-app -d ./toDeploy
displayName: Convert to deploy source

- script: |
sfdx force:mdapi:deploy -l RunLocalTests -c -d ./toDeploy -u devOrg -w 100
displayName: Run validation on source code


YAML Code Overview

The YAML code shown above contains two jobs: DownloadSecureFile and DeployToSandbox. The first job downloads a secure file, while the second job deploys code to a Salesforce sandbox.


DownloadSecureFile Job

The DownloadSecureFile job is responsible for downloading a secure file containing a server key that will be used to authenticate with Salesforce. This job uses the DownloadSecureFile task to download the secure file and the PublishPipelineArtifact task to publish it as an artifact that can be used in subsequent jobs.

Here’s a breakdown of the key components of this job:

Trigger: This job is triggered by changes to the SystTest branch in the force-app/main/default path of the code repository.

DownloadSecureFile Task: This task downloads the server.key file from the secure files store and saves it to the $(Agent.TempDirectory) folder on the build agent. This file will be used later in the pipeline to authenticate with Salesforce.

PublishPipelineArtifact Task: This task publishes the server.key file as an artifact named serverKeyArtifact to the pipeline.


DeployToSandbox Job

The DeployToSandbox job deploys the code to a Salesforce sandbox using the sfdx CLI. This job depends on the DownloadSecureFile job, so it won’t start until the server key file is downloaded and published as an artifact.

Here’s a breakdown of the key components of this job:

Checkout Task: This task checks out the code from the repository and cleans the workspace to ensure a fresh build environment.

DownloadPipelineArtifact Task: This task downloads the serverKeyArtifact artifact published in the DownloadSecureFile job and saves it to the $(Agent.TempDirectory) folder on the build agent.

Install SFDX Task: This task installs the sfdx CLI, which is used to authenticate and deploy the code to Salesforce.


sfdx force:auth:jwt:grant --clientid $(salesforceDevOrgClientId) --jwtkeyfile "$(Agent.TempDirectory)/server.key" --username $(salesforceDevOrgUserName) --instanceurl $(salesforceDevOrgInstanceURL) -a devOrg


The code above is a script that uses the Salesforce CLI (Command-Line Interface) tool: sfdx, to authorize a Salesforce development org using a JWT (JSON Web Token) authentication flow.


Let’s break it all down:

sfdx: This is the Salesforce CLI command that allows you to interact with Salesforce orgs.

force:auth:jwt:grant: This is a specific command within sfdx that initiates a JWT-based authentication flow.

–clientid $(salesforceDevOrgClientId): This is a required parameter that specifies the Client ID of the Salesforce Connected App that has been configured to allow JWT-based authentication.

–jwtkeyfile “$(Agent.TempDirectory)/server.key”: This is a required parameter that specifies the path to the private key file that is associated with the Connected App. The “$(Agent.TempDirectory)” portion of this parameter refers to the temporary directory of the current environment, where the private key file has been stored.

–username $(salesforceDevOrgUserName): This is a required parameter that specifies the username of the Salesforce org that you want to authorize.

–instanceurl $(salesforceDevOrgInstanceURL): This is a required parameter that specifies the base URL of the Salesforce org that you want to authorize.

-a devOrg: This is an optional parameter that specifies an alias for the authorized org. In this case, the alias is set to “devOrg”.


Additionally, here’s an overview of different tasks:

Authenticate with Salesforce Task: This task authenticates with Salesforce using the server key file downloaded in the DownloadSecureFile job. It uses the sfdx force:auth:jwt:grant command to authenticate with Salesforce using a JSON web token (JWT) and the server key file.

Convert to Deploy Source Task: This task converts the source code to a deployable format using the sfdx force:source:convert command. The output of this task is saved to the toDeploy directory.

Run Validation on Source Code Task: This task runs a validation on the source code using the sfdx force:mdapi:deploy command with the -l NoTestRun flag. This flag tells Salesforce not to run any tests during the deployment. This is useful for quickly deploying changes to a sandbox for testing.

Deploy Code in Salesforce Task: This task deploys the source code to Salesforce using the sfdx force:mdapi:deploy command. This command deploys the code to the devOrg organization using the server key file for authentication.



This pipeline YAML code shows how to deploy code to Salesforce using a server key file stored in Azure Secure Files. By using secure files and pipeline artifacts, you can ensure that your server key file is protected and only accessible by authorized users. And by using the sfdx CLI, you can easily deploy changes to your Salesforce sandbox for testing and validation.

We’d like to thank Kuldeep for his additional to Bluewave’s growing knowledge hub. Please stay tuned for more Salesforce Developer posts, as Kuldeep and his colleagues continue to share their knowledge via this channel. If you’d like to speak to our experts to find out how they use their expert knowledge of the Salesforce ecosystem and its products to benefit your organisation, please contact us here.