Authorize button when Linking Variable Group to Azure Key Vault in Azure DevOps is not working - why?

Question

I am trying to link Azure Key Vault secrets to a variable group in Azure Pipelines (part in Azure DevOps). Microsoft documentation here.

However, the "Authorize" button does not seem to work. It spins endlessly. Screenshot.

My target Azure Key Vault already has the service principal included in its access policy with Get and List permissions. Screenshot.

Anyone seen this issue before?

Answer 1

Firstly, please make sure the service connection is working correctly. Then refresh the page and try it again. Alternately you can also try in browser inprivate session.

Just as the message said "The specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault."

Basically, we need to click the "Authorize" button to enable Azure Pipelines to set these permissions for the specific service connection.

If that doesn't work, we can also manually set the permissions for the specific service connection.

1. Go to Project settings - > Service connections -> Select the specific ARM service connection

2. Click Edit to popup the Update Authentication for xxx dialog

3. Click the "use the full version of the service connection dialog." link, to get the Service principal client ID

4. Go to your key vault in Azure portal -> Access Policies -> Add a new Access Policy -> Select a template (e.g Key&Secret Management) - > Select Get, List for Secret permissions.

5. Click Select Principal -> Copy and paste the Service principal client ID to search the user/application -> Select the searched user/application

6. After that you can see the new APPLICATION access policy.

   Try it again after successfully adding the application access policy.

---

UPDATE:

Generally in Azure DevOps we need to create a ARM service connection (the client which can access the azure sources) first before deploying an Azure Key Vault through an ARM template.

Actually when you select the Azure subscription then click Authorize in Azure resource group deployment task , the ARM service connection is created automatically. You just need to check the AppID and get the ObjectID to use in the ARM template.

We can get the Service principal client ID (AppID) by following above steps. After that we can get ObjectId by the AppID with running the following command: (See Find service principal object ID using PowerShell for details.)

$(Get-AzureADServicePrincipal -Filter "AppId eq 'a89c3dee-f5bf-4ea1-a805-d4c729a4add3'").ObjectId 

Then you can specific the ObjectId when deploying the Azure Key Vault through an ARM template.

Answer 2

This workaround also seems like a bug for Azure Key Vault deployments using ARM templates.

If the service principal in question is added to the Azure Key Vault (AKV) access policies through an ARM template by referencing the service principal's Object ID (as Microsoft documentation calls for), permission errors with Azure Pipelines follow.

However, if I manually add the service principal to the AKV's access policies by referencing the service principal's application (client) ID, the permissions errors go away entirely.

Again, feels like a bug. And now my automated deployment pipeline doesn't quite work because of this manual step.

Also, in the AKV ARM template, if I were to combine the mandatory field objectId with the optional field applicationId, the service principal shows up as a "compound identity". That does not fix the permissions issues in Azure Pipelines. I do not see a way of adding a service principal properly without doing it manually.