Reputation: 988
Unable to access Azure Key vault secret in a powershell script running on Azure Devops
I have a powershell script that attempts to retrieve a secret stored in Azure key vault using this command.
$password = (Get-AzureKeyVaultSecret -vaultName $vaultName -name $secretName).SecretValueText
It is working perfectly fine when I execute my powershell script locally. But, when I try to do the same on Azure Devops, it fails giving below error.
[error]Operation returned an invalid status code 'Forbidden'
I feel it isn't an access policy issue, as I am able to successfully perform read/write on my vault using powershell script running locally.
Upvotes: 2
Views: 1197
Answers (1)
Reputation: 2929
I'm quite sure it is a access policy issue.
Go to your DevOps Project Settings - Pipelines - Service Connections and click on "Update Service Connection" (Use the full version of the dialog). There you can find the Subscription Id and Service Principal ID.
You then have to give explicit permissions to this SPN:
Login-AzureRmAccount -subscription <YourSubscriptionID>
$spn= Get-AzureRmADServicePrincipal -spn <YourSPN>
Set-AzureRmKeyVaultAccessPolicy -VaultName <YourVaultName> -ObjectId $spn.Id -PermissionsToSecrets get,list;
Upvotes: 5
Related Questions
- How to use key vault secret on Powershell that run on DevOps pipeline
- Azure Powershell secure secret value
- How to get keyvault secret output in Azure DevOps
- Azure Key Vault: Secret not found error
- Dynamicallly get KeyVault secret in Azure DevOps Powershell script
- Add/get secret to Azure Keyvault with Azure powershell task in Azure devops
- Azure Cloud Shell Always Returns Null For $keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName Command
- How to write a secret to azure key vault from Azure DevOps pipeline?
- Error retrieving key vault secret from Azure Powershell Function app
- How to get Azure Key Vault secret using powershell with certificate auth?