We have set up a connection between Azure DevOps and Azure Key Vault via Service Connections (service principal authentication). However, in order for it to work we need to have the Azure Key Vault -> Networking marked as "Allow access from: All networks". Given that we store secrets here we would like to use the option "Private endpoint and selected networks" instead, with "Allow trusted Microsoft services to bypass this firewall?" set to Yes.
Like this:
However, this results in the following error in Azure DevOps -> Pipelines -> Library:
The specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault. Click "Authorize" to enable Azure Pipelines to set these permissions or manage secret permissions in the Azure portal.
If we set "Allow access from: All networks" for the Azure Key Vault it works, as previously stated, but we would like to avoid this if possible.
Setting up an Azure Key Vault Task in a Pipeline, or setting up a Variable group and then switching back to "Private endpoint and selected networks", results in a similar error on deploy:
MyKey: "Client address is not authorized and caller is not a trusted service.\r\nClient address: 111.222.333.44\r\nCaller: appid=;oid=00000000-0000-0000-0000-000000000000;iss=https://sts.windows.net//\r\nVault: My-Vault;location=northeurope. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal."
The client address is unfortunately new every time, as expected, but the oid and iss values are the same. According to the documentation only an IPv4 address or CIDR can be added to the Firewall. Is there any way to mark Azure Agents as trusted Microsoft services, or is this a bad practice? It does seem way safer than "All networks" though.
This is still an open issue - Issue
Probably some of the solutions are as mentioned in the URL:
Add a task in your pipeline and whitelist the IP of your agent, and then once you have the values from Key Vault remove the whitelist.
Whitelist the Azure DevOps IP list weekly, maybe, but again that seems unreliable.
What @Grand suggested is also one of the solutions actually.
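The add-the-agent-IP-then-remove-it approach from this answer, written out as an added Azure Pipelines YAML example (not from the original post or from Microsoft). The vault name, service connection name and secret name are placeholders, and discovering the agent's public IP via api.ipify.org is an assumption; the rule is removed with condition: always() so a failed secret fetch does not leave the hole open.

```yaml
# Added example (not from the original post): temporarily allow the
# hosted agent's current public IP through the Key Vault firewall,
# read the secrets, then remove the rule again even if a step fails.
# Placeholders: 'my-service-connection', 'My-Vault', secret 'MyKey'.
variables:
  keyVaultName: 'My-Vault'                          # placeholder vault name
  azureServiceConnection: 'my-service-connection'   # placeholder connection

steps:
  - task: AzureCLI@2
    displayName: 'Allow this agent IP on the Key Vault firewall'
    inputs:
      azureSubscription: $(azureServiceConnection)
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        # Assumption: the agent's egress IP is discovered via api.ipify.org
        AGENT_IP="$(curl -fsS https://api.ipify.org)"
        # Hand the IP to the cleanup step so it removes exactly this rule
        echo "##vso[task.setvariable variable=agentIp]$AGENT_IP"
        az keyvault network-rule add --name "$(keyVaultName)" --ip-address "$AGENT_IP"
        # Firewall rule propagation is not instantaneous; give it a moment
        sleep 15

  - task: AzureKeyVault@2
    displayName: 'Read secrets now that the agent IP is allowed'
    inputs:
      azureSubscription: $(azureServiceConnection)
      KeyVaultName: $(keyVaultName)
      SecretsFilter: 'MyKey'          # placeholder; name secrets explicitly rather than '*'
      RunAsPreJob: false              # must run after the allow step, not as a pre-job

  - task: AzureCLI@2
    displayName: 'Remove the temporary firewall rule'
    condition: always()               # run even if secret retrieval failed
    inputs:
      azureSubscription: $(azureServiceConnection)
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        az keyvault network-rule remove --name "$(keyVaultName)" --ip-address "$(agentIp)"
```

The service principal behind the service connection needs rights to modify the vault's network rules (a role granting Microsoft.KeyVault/vaults/write) in addition to its Get/List secret permissions, so this widens what that identity can do to the vault; the Key Vault diagnostic logs will show each add/remove as an audit trail.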
(Update after author comment)
Are you using Microsoft-hosted agents? They are dynamic; maybe you could host an agent on a VM in Azure instead. You will know the IP of the machine and can allow it in the KV settings.
Check out Self-Hosted Agents in Microsoft docs.