Reputation: 59
I set up a private endpoint for my Azure Key Vault and it's working fine, and the secrets are accessible through our VPN, but the problem is that in our Azure Pipelines the build agents are not able to access Key Vault secrets anymore. How can I make it a trusted service?
Upvotes: 0
Views: 1709
Reputation: 2275
You cannot personally add a trusted service. There is a limited set of Azure Trusted Services for Key Vault:
DevOps is specifically called out as a not-trusted service:
The trusted services list does not cover every single Azure service. For example, Azure DevOps is not on the trusted services list. This does not imply that services that do not appear on the trusted services list are not trusted or insecure. The trusted services list encompasses services where Microsoft controls all of the code that runs on the service. Since users can write custom code in Azure services such as Azure DevOps, Microsoft does not provide the option to create a blanket approval for the service.
https://learn.microsoft.com/en-us/azure/key-vault/general/network-security
Upvotes: 1
Reputation: 743
If you are using a Microsoft-hosted agent, you need to grant the hosted agents access through the firewall. Because Azure DevOps uses the Azure global network, IP ranges vary over time. We publish a weekly JSON file listing IP ranges for Azure datacenters, broken out by region. This means you need to grant access for the Microsoft-hosted agent weekly. Please refer to Networking for details.
Therefore, a self-hosted agent could be a good choice. You could set up a self-hosted agent in the same network. There are instructions for Self-hosted Windows agents.
Upvotes: 1
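The weekly re-grant described in the answer above, as an added example that is not from the answers or from Microsoft: it assumes the Azure IP Ranges and Service Tags JSON has already been downloaded (its `values[].name` / `properties.addressPrefixes` layout is the real one, the prefixes below are constructed), that the organisation's hosted agents run in the regions you pass in, and that Key Vault IP rules accept IPv4 only. The `keep` set is a hypothetical guard so a VPN egress rule is never removed by the automation.

```python
import ipaddress
import json

# Constructed sample in the shape of the weekly Azure IP Ranges and Service Tags
# file (values[].name, values[].properties.addressPrefixes). Prefixes are
# documentation ranges, not real Azure addresses.
SERVICE_TAGS_JSON = """
{"cloud": "Public", "values": [
  {"name": "AzureCloud.westeurope",
   "properties": {"region": "westeurope",
     "addressPrefixes": ["203.0.113.0/25", "198.51.100.0/24", "2001:db8:1::/48"]}},
  {"name": "AzureCloud.northeurope",
   "properties": {"region": "northeurope",
     "addressPrefixes": ["192.0.2.0/24"]}},
  {"name": "Storage.westeurope",
   "properties": {"region": "westeurope",
     "addressPrefixes": ["203.0.113.128/25"]}}
]}
"""

def hosted_agent_prefixes(service_tags: str, regions):
    """IPv4 prefixes of the AzureCloud.<region> tags for the regions where the
    DevOps organisation's Microsoft-hosted agents run. IPv6 entries are dropped
    because Key Vault IP rules take IPv4 only (assumption about the firewall)."""
    wanted = {f"AzureCloud.{r}" for r in regions}
    prefixes = set()
    for tag in json.loads(service_tags)["values"]:
        if tag["name"] in wanted:
            for p in tag["properties"]["addressPrefixes"]:
                if ipaddress.ip_network(p).version == 4:
                    prefixes.add(p)
    return prefixes

def plan_firewall_update(current_rules, desired, keep=()):
    """Diff this week's prefixes against the rules already on the vault.
    Stale rules are removed too, otherwise the allow-list only ever grows;
    anything in `keep` (e.g. the corporate VPN egress) is never removed."""
    current = set(current_rules)
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired - set(keep))
    return to_add, to_remove

def az_commands(vault, to_add, to_remove):
    """Render the az CLI calls that would apply the plan (not executed here)."""
    cmds = [f"az keyvault network-rule add --name {vault} --ip-address {p}" for p in to_add]
    cmds += [f"az keyvault network-rule remove --name {vault} --ip-address {p}" for p in to_remove]
    return cmds

if __name__ == "__main__":
    want = hosted_agent_prefixes(SERVICE_TAGS_JSON, ["westeurope"])
    add, rem = plan_firewall_update(["198.51.100.0/24", "203.0.113.200/32"], want, keep=["10.0.0.0/8"])
    print("\n".join(az_commands("kv-example", add, rem)))
```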