Ogglas

Reputation: 70186

Azure DevOps -> Pipelines -> Library -> Access Azure Key Vault -> Key Vault not allowing access from all networks

We have set up a connection between Azure DevOps and Azure Key Vault via Service Connections (service principal authentication). However, in order for it to work we need to have the Azure Key Vault -> Networking setting marked as Allow access from: All networks. Given that we store secrets here, we would like to use the option Private endpoint and selected networks instead, with Allow trusted Microsoft services to bypass this firewall? set to Yes.

Like this:


However, this results in the following error under Azure DevOps -> Pipelines -> Library:

The specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault. Click "Authorize" to enable Azure Pipelines to set these permissions or manage secret permissions in the Azure portal.


If we set Allow access from: All networks for the Azure Key Vault, it works as previously stated, but we would like to avoid this if possible.


Setting up an Azure Key Vault task in a pipeline, or setting up a variable group and then switching back to Private endpoint and selected networks, results in a similar error on deploy.


MyKey: "Client address is not authorized and caller is not a trusted service.\r\nClient address: 111.222.333.44\r\nCaller: appid=;oid=00000000-0000-0000-0000-000000000000;iss=https://sts.windows.net//\r\nVault: My-Vault;location=northeurope. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal."


The client address is unfortunately new every time, as expected, but the oid and iss values are the same. According to the documentation, only IPv4 addresses or CIDR ranges can be added to the firewall. Is there any way to mark Azure agents as trusted Microsoft services, or is this a bad practice? It does seem much safer than All networks, though.

Upvotes: 9

Views: 9547

Answers (4)

Rohit Tatiya

Reputation: 471

I have faced the same issue, and it looks like this is still an open item for the Azure team.

Issue: Azure DevOps -> Pipelines -> Library -> Access Azure Key Vault threw the error: "Specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault."

P.S.: The service principal has been given Contributor access through RBAC and secret "Get", "List" permissions using an access policy.

Cause: I have identified that this issue is due to the public access disabled configuration in the Key Vault network settings.

Solution: Whitelist the respective regional DevOps service IP addresses. But for this solution to work we need to update the Key Vault firewall configuration to "Allow public access from specific virtual networks and IP addresses".


Upvotes: 0

ランス

Reputation: 550

I went for the whitelist IP approach. Since the IPs get updated weekly, I created two pipelines that run weekly: one to add the IPs and a second to remove them.

I've added the Azure CLI task in the pipeline and added the following lines:

# Pull the published service-tag prefixes for the region the hosted agents run in
Write-Host "Retrieve IPs for <region>"
$aeServiceTags = az network list-service-tags --location australiaeast | ConvertFrom-Json
$aeRegion = $aeServiceTags.Values | Where-Object { $_.name -eq 'AzureCloud.<add the region name>' }
$aeIps = $aeRegion.Properties.AddressPrefixes

# Key Vault firewall rules accept IPv4 addresses or CIDR ranges only, so drop the IPv6 prefixes
Write-Host "Filter by IPv4"
$aeIps = $aeIps | Where-Object { $_ -match '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$' }

# The array expands into one --ip-address value per prefix
Write-Host "Adding the IPs for the associated key vault"
az keyvault network-rule add --name "<key vault name>" --ip-address $aeIps

At the end of the pipeline, I delete the same IPs to make sure they are updated:

Write-Host "Retrieve the current IP rules for this key vault"
$buildIP = az keyvault network-rule list --name "<key vault name>" | ConvertFrom-Json

# ipRules is an array of { value = "x.x.x.x/32" } objects; skip the remove when there is nothing to remove
Write-Host "Remove the current IPs from the associated key vault"
if ($buildIP.ipRules) {
    az keyvault network-rule remove --name "<key vault name>" --ip-address $buildIP.ipRules.value
}

*Make sure the service connection is set up first.

Upvotes: 0

R Jain

Reputation: 608

This is still an open issue - Issue

Probably some of the solutions are as mentioned in the URL:

  • Add a task in your pipeline to whitelist the IP of your agent, and then, once you have the values from Key Vault, remove the whitelist entry.

  • Whitelist the Azure DevOps IP list weekly, maybe, but again that seems unreliable.

  • What @Grand suggested is also one of the solutions actually.

Upvotes: 5
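The first bullet above (open the firewall for the agent's own address, read the secret, close it again) is the per-job version of the weekly add/remove pipelines in ランス's answer. The following script is an added example, not code from the question or any of the answers: it is meant to run inside an AzureCLI@2 task (pwsh) whose service connection already has Get/List secret permissions on the vault, it assumes a plain-text "what is my public IP" endpoint (api.ipify.org is used here as an assumption; any equivalent lookup works), and the vault and secret names in angle brackets are placeholders. The remove runs in a finally block so the firewall exception does not outlive the job even when the secret read fails.

```powershell
# Added example (not from the original question or answers): open the Key Vault
# firewall for this agent only, read one secret, and close the rule again.
# Assumed: AzureCLI@2 task with pwsh, service connection already authorized on the
# vault, and an IP lookup endpoint that returns the caller's public IPv4 as text.

param(
    [string]$VaultName   = '<key vault name>',    # placeholder
    [string]$SecretName  = '<secret name>',       # placeholder
    [string]$IpLookupUrl = 'https://api.ipify.org' # assumption: any plain-text IP echo service
)

# Microsoft-hosted agents get a fresh public address on every run, so look it up at
# run time instead of maintaining a list of regional prefixes.
$agentIp = ([string](Invoke-RestMethod -Uri $IpLookupUrl)).Trim()
if ($agentIp -notmatch '^(\d{1,3}\.){3}\d{1,3}$') {
    throw "Unexpected public IP lookup result: '$agentIp'"
}

# Key Vault stores single addresses as /32 rules; using the same form for add and
# remove keeps the remove matching the rule that was added.
$rule = "$agentIp/32"

$ruleAdded = $false
try {
    Write-Host "Allowing the current agent address on $VaultName"
    az keyvault network-rule add --name $VaultName --ip-address $rule --output none
    if ($LASTEXITCODE -ne 0) { throw "Failed to add firewall rule to $VaultName" }
    $ruleAdded = $true

    # A new rule can take a short time to take effect, so retry the read instead of
    # failing on the first "Client address is not authorized" response.
    $secret = $null
    for ($attempt = 1; $attempt -le 6; $attempt++) {
        $secret = az keyvault secret show --vault-name $VaultName --name $SecretName `
                      --query value --output tsv
        if ($LASTEXITCODE -eq 0 -and $secret) { break }
        $secret = $null
        Start-Sleep -Seconds 10
    }
    if (-not $secret) { throw "Could not read $SecretName from $VaultName after $attempt attempts" }

    # Hand the value to later steps as a secret variable so the pipeline masks it in logs.
    Write-Host "##vso[task.setvariable variable=MySecret;issecret=true]$secret"
}
finally {
    if ($ruleAdded) {
        Write-Host "Removing the agent address from $VaultName"
        az keyvault network-rule remove --name $VaultName --ip-address $rule --output none
        if ($LASTEXITCODE -ne 0) { Write-Warning "Firewall rule $rule on $VaultName was not removed; clean it up manually" }
    }
}
```

The vault still needs "Private endpoint and selected networks" with public access for selected IPs enabled, exactly as in the other answers; what changes is that the exception exists only for the minutes the job runs and only for one address, and the `network-rule list` output can be checked afterwards to confirm no stale rule was left behind.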

Grand

Reputation: 164

(Update after author comment)

Are you using Microsoft-hosted agents? They are dynamic; maybe you could host the agent on a VM in Azure instead. You will know the IP of the machine and can allow it in the KV settings.

Check out Self-Hosted Agents in Microsoft docs.

Upvotes: 1
