fvl

Reputation: 181

Cannot access keyvault secrets through service endpoint in a VSTS release

We're trying to download secrets with the download key vault secrets release task in VSTS.

The service principal is added in the key vault's access policies; all rights are checked, including Get and List on secrets.

I created a service endpoint with this service principal and use that to deploy to Azure, but I get the following error when trying to retrieve the keyvault secrets:

2018-05-21T12:18:53.9240364Z ##[error]Get secrets failed. Error: Access denied. Specified Azure endpoint needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it OR set them from Azure portal.

Upvotes: 13

Views: 14854

Answers (5)

Daniel Bonetti

Reputation: 2416

I had the very same problem as MarkD, but I didn't want to keep the "all networks" option enabled. So I found the list of IPs you need to allow according to your region:

Region                      IP V4 ranges
Australia East              20.37.194.0/24
Australia South East        20.42.226.0/24
Brazil South                191.235.226.0/24
Central Canada              52.228.82.0/24
Asia Pacific (Singapore)    20.195.68.0/24
South India                 20.41.194.0/24
Central United States       20.37.158.0/23
West Central United States  52.150.138.0/24
East United States          20.42.5.0/24
East 2 United States        20.41.6.0/23
North United States         40.80.187.0/24
South United States         40.119.10.0/24
West United States          40.82.252.0/24
West 2 United States        20.42.134.0/23
Western Europe              40.74.28.0/23
United Kingdom South        51.104.26.0/24

Just locate the IP range for your resource's location and enter it in the field marked 3 in the screenshot below. Don't forget to save (number 4).


Upvotes: 2
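A way to check a vault's firewall against this table before re-running the release, as an added example in Python (it is not part of the answer above, nor a Microsoft tool): it takes a vault in the shape `az keyvault show` returns, decides whether a given source address or range would be admitted by the firewall's IP rules, and emits the `az keyvault network-rule add` command for the region's range from the table when it is missing. The vault JSON is constructed, the mapping from the answer's display names to ARM location names is this example's own assumption, and the ranges will drift over time, so confirm them against Microsoft's current list before relying on them. A deliberate edge case is covered: adding a /24 where the table says /23 still leaves the release blocked, and the check reports that.

```python
import ipaddress
import json

# Azure DevOps IPv4 ranges copied from the answer above, keyed by the ARM location
# name `az keyvault show` reports in "location". The mapping from the answer's
# display names to these keys is this example's own assumption, and the ranges
# themselves drift over time: verify against Microsoft's current list before use.
DEVOPS_RANGES = {
    "australiaeast": "20.37.194.0/24",
    "australiasoutheast": "20.42.226.0/24",
    "brazilsouth": "191.235.226.0/24",
    "canadacentral": "52.228.82.0/24",
    "southeastasia": "20.195.68.0/24",
    "southindia": "20.41.194.0/24",
    "centralus": "20.37.158.0/23",
    "westcentralus": "52.150.138.0/24",
    "eastus": "20.42.5.0/24",
    "eastus2": "20.41.6.0/23",
    "northcentralus": "40.80.187.0/24",
    "southcentralus": "40.119.10.0/24",
    "westus": "40.82.252.0/24",
    "westus2": "20.42.134.0/23",
    "westeurope": "40.74.28.0/23",
    "uksouth": "51.104.26.0/24",
}

# Constructed (not captured) sample in the shape of `az keyvault show -n kv-release -o json`,
# trimmed to the fields used here: a firewall with defaultAction Deny and one operator IP.
SAMPLE_VAULT = json.loads("""{
  "name": "kv-release",
  "location": "eastus",
  "properties": {
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [{"value": "203.0.113.10/32"}],
      "virtualNetworkRules": []
    }
  }
}""")


def ip_rules(network_acls):
    """Firewall IP rules as ip_network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(rule["value"], strict=False)
            for rule in (network_acls.get("ipRules") or [])]


def source_allowed(network_acls, source):
    """Would the vault firewall admit every address in `source` (an IP or CIDR)?

    defaultAction Allow (or no networkAcls at all) admits everything. Otherwise the
    whole source must sit inside one ipRule. Virtual-network rules and the
    AzureServices bypass are not modelled; MarkD's answer below reports that the
    bypass does not cover the hosted release service anyway.
    """
    if (network_acls.get("defaultAction") or "Allow").lower() == "allow":
        return True
    src = ipaddress.ip_network(source, strict=False)
    return any(src.subnet_of(rule) for rule in ip_rules(network_acls)
               if rule.version == src.version)


def required_devops_range(vault):
    """The Azure DevOps range for the vault's own region, per the table above."""
    key = vault["location"].lower().replace(" ", "")
    if key not in DEVOPS_RANGES:
        raise ValueError(f"no Azure DevOps range known for region {vault['location']!r}")
    return DEVOPS_RANGES[key]


def missing_rule_command(vault, resource_group):
    """Return the az command that adds the region's range, or None if it is already admitted."""
    acls = vault.get("properties", {}).get("networkAcls") or {}
    cidr = required_devops_range(vault)
    if source_allowed(acls, cidr):
        return None
    return (f"az keyvault network-rule add --name {vault['name']} "
            f"--resource-group {resource_group} --ip-address {cidr}")


if __name__ == "__main__":
    # With the constructed vault above this prints the command for 20.42.5.0/24.
    print(missing_rule_command(SAMPLE_VAULT, "rg-release"))
```

Feed it real data with `az keyvault show -n <vault> -o json` and the resource group name; the function only emits a command, it never changes the vault, so the allow-listing stays a reviewed, deliberate step.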

ランス

Reputation: 541

If the error is still showing up:

Navigate to your Azure key vault. Check your Access policies

*If Azure role-based access control is selected:

  1. Under Azure DevOps project > Project Settings > Service connections > selected Service Principal > click the Manage Service Principal.
  2. Take note of the service principal name in Azure
  3. Navigate to your Azure key vault.
  4. Under Access Control (IAM), click add role assignment
  5. Select Key Vault Secrets User. Click next.
  6. Select Members. Look for your Service Principal (in step 1)
  7. Then review + assign
  8. Click Authorize again in DevOps

*If vault access policy is selected:

  1. Go back to Azure DevOps, then click the Authorize button twice

Upvotes: 11

Marina Liu

Reputation: 38106

You need to set permission for the correct principal selected. And the principal format as:

account-<VSTS project name you are building/deploying>-ID

Detail steps to set permission as below:

In Azure portal -> go to the Azure key vault -> Access policies -> Add new -> select template and specify permissions (Get and List permissions must be set) -> select principal -> search for the principal starting with account-VSTSProjectName (for example, my VSTS project name is MyTest in the example below) -> Select -> Ok.


Then deploy again in the VSTS release; it can download the Azure key vault secrets successfully.

Upvotes: 4
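The two answers above fix two different permission models: under RBAC the vault's access policies are ignored and the service principal needs a role such as Key Vault Secrets User, while under the access-policy model the principal's policy entry must carry both Get and List on secrets. The following Python script is an added example (not code from either answer, nor from Microsoft) that diagnoses which case applies from the JSON `az keyvault show` and `az role assignment list` return. Both inputs, the subscription id and the object id are constructed; the set of secret-reading roles and the `enableRbacAuthorization` property are the real Azure names, and Key Vault Reader is deliberately excluded because it grants metadata only, not secret values.

```python
import json

# Built-in roles whose data actions include reading secret values (getSecret).
# "Key Vault Reader" is deliberately absent: it grants metadata only, not values.
SECRET_READ_ROLES = {
    "key vault secrets user",
    "key vault secrets officer",
    "key vault administrator",
}

# Constructed (not captured) sample in the shape of `az keyvault show -n kv-release -o json`,
# trimmed. Access-policy mode, and the principal has Get but not List on secrets.
SAMPLE_VAULT = json.loads("""{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-release/providers/Microsoft.KeyVault/vaults/kv-release",
  "name": "kv-release",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"secrets": ["Get"], "keys": [], "certificates": []}}
    ]
  }
}""")

# Constructed sample in the shape of
# `az role assignment list --scope <vault id> --include-inherited -o json`, trimmed.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Key Vault Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-release"}
]""")

# Constructed object id of the service connection's service principal.
SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"


def scope_covers(scope, resource_id):
    """True if an assignment at `scope` applies to `resource_id` (same scope or an ancestor)."""
    scope = scope.lower().rstrip("/")
    resource_id = resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def role_grants_secret_read(vault, assignments, object_id):
    """RBAC mode: does the principal hold a secret-reading role at the vault or an enclosing scope?"""
    return any(
        a.get("principalId", "").lower() == object_id.lower()
        and scope_covers(a.get("scope", ""), vault["id"])
        and a.get("roleDefinitionName", "").lower() in SECRET_READ_ROLES
        for a in assignments
    )


def policy_grants_get_list(vault, object_id):
    """Access-policy mode: does the principal's policy entry carry both Get and List on secrets?"""
    for policy in vault["properties"].get("accessPolicies") or []:
        if policy.get("objectId", "").lower() == object_id.lower():
            perms = {p.lower() for p in policy.get("permissions", {}).get("secrets") or []}
            return "all" in perms or {"get", "list"} <= perms
    return False


def diagnose(vault, assignments, object_id):
    """(ok, reason) for the task's Get+List requirement under the vault's active permission model."""
    if vault["properties"].get("enableRbacAuthorization"):
        if role_grants_secret_read(vault, assignments, object_id):
            return True, "RBAC: a secret-reading role is assigned"
        return False, ("RBAC is enabled, so access policies are ignored; assign "
                       "'Key Vault Secrets User' to the service principal at the vault scope")
    if policy_grants_get_list(vault, object_id):
        return True, "access policy grants Get and List on secrets"
    return False, "the access policy for this principal lacks Get and/or List on secrets"


if __name__ == "__main__":
    ok, reason = diagnose(SAMPLE_VAULT, SAMPLE_ASSIGNMENTS, SP_OBJECT_ID)
    print("OK" if ok else "FAIL", "-", reason)
```

The object id to pass is that of the service principal (the enterprise application), not the app registration's own object id; `az ad sp show --id <appId>` returns it. Scope matching is deliberately strict (`rg-rel` does not cover `rg-release`) so that a role assigned on a neighbouring resource group is not mistaken for one that applies to the vault.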

MarkD

Reputation: 1711

The Dev Ops server also needs to be able to access the keyvault through the firewall if the firewall is turned on ("Allow access from..." on the firewalls and virtual networks page).

The network access to the keyvault for variables is done through a non-agent part of AzDevOps I believe but I haven't figured out how to whitelist those servers.

Turning on "Allow trusted Microsoft services to bypass this firewall" did not work.

I had to allow access for "all networks" to work around this for now as the simplest solution.

The other, safer option, using an agent task and not a variable group, is to:

  1. Have your own agent pool in an Azure VM
  2. Either:
    1. Connect this to a private vnet which is also connected to the KeyVault or...
    2. Whitelist the agent's public endpoint in the keyvault
  3. Read in variables from the keyvault secrets during the agent process using the KeyVault task (i.e. read the secrets as part of the pipeline).

Hope this helps. Mark.

Upvotes: 4

Mardoxx

Reputation: 4482

0) Go to your variables library

1) Tick on Link secrets from an Azure key vault as variables

2) Select subscription

3) Select key vault

4) Click Authorize

ACLing will be done by MS and you'll be able to use the key vault task.

I'm sure there used to be an Authorize button when selecting the key vault in the task, but I may be misremembering. Just sunk 2h into figuring this out....


Issue tracked here

Upvotes: 9
