Cannot access Key Vault secrets through service endpoint in a VSTS release

We're trying to download secrets with the download key vault secrets release task in VSTS.

The service principal is added in the key vault's access policies; all rights are checked, including Get and List on secrets.

I created a service endpoint with this service principal and used that to deploy to Azure, but I get the following error when trying to retrieve the key vault secrets:

2018-05-21T12:18:53.9240364Z ##[error]Get secrets failed. Error: Access denied. Specified Azure endpoint needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it OR set them from Azure portal.

fvl asked Jun 21 '18 12:06




2 Answers

0) Go to your variables library

1) Tick on Link secrets from an Azure key vault as variables

2) Select subscription

3) Select key vault

4) Click Authorize

ACLing will be done by MS and you'll be able to use the key vault task.

I'm sure there used to be an Authorize button when selecting the key vault in the task, but I may be misremembering. Just sunk 2h into figuring this out...


Issue tracked here

Mardoxx answered Sep 21 '22 10:09


The DevOps server also needs to be able to access the key vault through the firewall if the firewall is turned on ("Allow access from..." on the Firewalls and virtual networks page).

The network access to the key vault for variables is done through a non-agent part of AzDevOps, I believe, but I haven't figured out how to whitelist those servers.

Turning on "Allow trusted Microsoft services to bypass this firewall" did not work.

I had to allow access for "all networks" to work around this for now as the simplest solution.

The other, safer option, using an agent task and not a variable group, is to:

  1. Have your own agent pool in an Azure VM
  2. Either...
    1. Connect this to a private vnet which is also connected to the Key Vault, or...
    2. Whitelist the agent's public endpoint in the key vault
  3. Read in variables from the key vault secrets during the agent process using the KeyVault task (i.e. read the secrets as part of the pipeline).

Hope this helps. Mark.

MarkD answered Sep 22 '22 10:09
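The two answers point at two different causes of the "Access denied" in the question: the access policy (first answer) and the vault firewall (second answer). The script below is an added example, not code from the question, the answers, or Microsoft's ProvisionKeyVaultPermissions.ps1. It takes the JSON printed by `az keyvault show --name <vault>`, the object ID of the service connection's service principal and, for a self-hosted agent, that agent's public IP, and checks both conditions offline, then emits the `az keyvault set-policy` and `az keyvault network-rule add` commands that would fix whatever failed. The vault name, object IDs and IP addresses in the embedded sample are constructed for the demonstration.

```python
"""Offline checks for the two failure causes discussed in the answers above:
(1) the service principal's access policy lacks Get/List on secrets,
(2) the vault firewall (networkAcls) rejects the caller's IP.
Input is the JSON printed by `az keyvault show --name <vault>`.
"""
import ipaddress
import json

# Constructed sample in the shape of `az keyvault show` output. Vault name,
# object IDs and IP addresses are assumptions, not values from the page.
SP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"  # service connection's SP (assumed)
SAMPLE_VAULT_JSON = json.dumps({
    "name": "contoso-release-kv",
    "properties": {
        "accessPolicies": [
            {   # the service principal: all secret rights ticked, as in the question
                "objectId": SP_OBJECT_ID,
                "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                "permissions": {"keys": [], "certificates": [],
                                "secrets": ["Get", "List", "Set", "Delete"]},
            },
            {   # an unrelated user entry, to show matching is by objectId
                "objectId": "99999999-8888-7777-6666-555555555555",
                "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                "permissions": {"keys": ["Get"], "certificates": [], "secrets": ["Get"]},
            },
        ],
        "networkAcls": {   # 'Selected networks' with one allowed range
            "bypass": "AzureServices",
            "defaultAction": "Deny",
            "ipRules": [{"value": "203.0.113.0/24"}],
            "virtualNetworkRules": [],
        },
    },
})

REQUIRED_SECRET_PERMISSIONS = {"get", "list"}


def granted_secret_permissions(vault: dict, object_id: str) -> set:
    """Secret permissions the access policy grants to object_id, lower-cased
    because CLI versions differ between 'Get' and 'get'."""
    granted = set()
    for policy in vault["properties"].get("accessPolicies", []):
        if policy.get("objectId", "").lower() == object_id.lower():
            granted |= {p.lower() for p in policy.get("permissions", {}).get("secrets", [])}
    return granted


def firewall_blocks(vault: dict, caller_ip: str) -> bool:
    """True if networkAcls would reject caller_ip. defaultAction 'Allow' is the
    portal's 'All networks'. With 'Deny' only ipRules/virtualNetworkRules admit
    callers, and (per the second answer) bypass=AzureServices does not cover
    Azure DevOps. VNet rules cannot be judged from an IP, so they are ignored."""
    acls = vault["properties"].get("networkAcls")
    if not acls or acls.get("defaultAction", "Allow").lower() == "allow":
        return False
    ip = ipaddress.ip_address(caller_ip)
    return not any(ip in ipaddress.ip_network(rule["value"], strict=False)
                   for rule in acls.get("ipRules", []))


def diagnose(vault_json: str, object_id: str, caller_ip: str) -> dict:
    """Run both checks and return the az CLI commands that would fix what failed."""
    vault = json.loads(vault_json)
    granted = granted_secret_permissions(vault, object_id)
    missing = REQUIRED_SECRET_PERMISSIONS - granted
    blocked = firewall_blocks(vault, caller_ip)
    fixes = []
    if missing:
        # set-policy replaces the principal's secret permission list, so keep
        # what it already has and add the two the task needs.
        fixes.append(f"az keyvault set-policy --name {vault['name']} --object-id {object_id} "
                     f"--secret-permissions {' '.join(sorted(granted | REQUIRED_SECRET_PERMISSIONS))}")
    if blocked:
        fixes.append(f"az keyvault network-rule add --name {vault['name']} --ip-address {caller_ip}")
    return {"missing_secret_permissions": sorted(missing), "firewall_blocks": blocked, "fixes": fixes}


if __name__ == "__main__":
    # A self-hosted agent at 198.51.100.7 (assumed) sits outside the allowed range,
    # so the policy check passes and only the firewall fix is printed.
    for line in diagnose(SAMPLE_VAULT_JSON, SP_OBJECT_ID, "198.51.100.7")["fixes"]:
        print(line)
```

With the sample as constructed, the service principal already has every secret right, so the policy check passes and the only finding is the firewall, which is the situation the second answer describes. The IP check is only meaningful for a self-hosted agent reading secrets with the Key Vault task (the second answer's option 2.2); for the variable-group path the request comes from a non-agent part of Azure DevOps, whose address is not something this script can know.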