Reputation: 419
I use an Azure Key Vault to store secrets that I retrieve and use during the runtime of my DevOps pipelines. My DevOps project uses the Azure subscription required for this, registered and authorized via Azure Resource Manager (Workload Identity Federation). After authorization, I can also easily view the secrets from the Azure Key Vault via the DevOps Library and use them from there. The connection is also displayed in Microsoft Entra ID as an application with the display name My-application and the correct ID. The application is also visible in the Azure Key Vault with the Get and List permissions in the Access policies section.
On the second run of my DevOps pipeline, the application name loses its validity. The application can no longer be resolved within the Access policies. In the Key Vault, the application is displayed as "unknown", and also with other rights than those that were automatically configured via Azure Resource Manager.
Error in my pipeline during pre-job download secrets:
"The user, group or application 'appid=***;oid=ce890xxc-97xx-4703-bxx8-26exxa3c39xx;iss=https://sts.windows.net/<tenant>/' does not have secrets get permission on key vault"
Application is no longer recognized:
If I update the Azure Resource Manager connection via DevOps Service Connections, this is corrected again and the error is fixed until the next run. The pipeline has remained unchanged for a long time. Why does Microsoft Entra ID lose the identity of this service connection after a single use?
Upvotes: 0
Views: 252
Reputation: 8195
It looks like you are facing a transient issue. Make sure you do not change the service principal once it is applied in the Access Policy of the Key Vault. Also try logging into the Azure portal in an InPrivate tab to avoid cache-related issues. You can also switch to RBAC-based access control for the Key Vault instead of Access policies and assign your application the Key Vault Administrator role to access Key Vault secrets:-
I created one Azure DevOps ARM service connection for one of the existing Azure AD service principals and added it to the Access policy of the Key Vault:-
My Service principal:-
Azure Devops Service Connection:-
Added the PowerShell application's Get and List permissions in the Access Policy:-
Key vault secret:-
Task running first time:-
My YAML pipeline:-
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: 'PowershellSid'
    KeyVaultName: 'siliconkeyvault84'
    SecretsFilter: '*'
    RunAsPreJob: false
Access Policy:-
Second Run:-
The application remained as it is and did not change to Unknown:-
Make sure your application is registered and created properly in Azure AD.
Upvotes: 0
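The error quoted in the question carries the identity the vault actually saw (appid, oid and issuer), and the "unknown" entry in the portal is an access-policy row whose objectId no longer resolves to a directory object. A practical first check is therefore to compare the oid in the error against the objectIds in the vault's access policies. The script below is an added example that is neither part of the question nor of the answer; it parses the error text and classifies the mismatch. The GUIDs are constructed placeholders, and the policy records are assumed to have the objectId / tenantId / permissions.secrets shape that `az keyvault show --query properties.accessPolicies` returns.

```python
import re
from typing import Optional

# Constructed sample, modeled on the error quoted in the question. Azure DevOps
# masks the appid as *** in real logs; the GUIDs here are placeholders.
SAMPLE_ERROR = (
    "The user, group or application "
    "'appid=***;oid=ce890aac-97aa-4703-baa8-26eaaa3c39aa;"
    "iss=https://sts.windows.net/11111111-1111-1111-1111-111111111111/' "
    "does not have secrets get permission on key vault 'siliconkeyvault84'"
)

TOKEN_OID = "ce890aac-97aa-4703-baa8-26eaaa3c39aa"
TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed access-policy records (assumption: same keys as the az CLI output).
POLICIES_OK = [
    {"objectId": TOKEN_OID, "tenantId": TENANT_ID,
     "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []}},
]
POLICIES_STALE = [
    # Entry for a principal that no longer exists: this is what shows as "unknown".
    {"objectId": "0ld0ld0l-d0ld-0ld0-ld0l-d0ld0ld0ld0l", "tenantId": TENANT_ID,
     "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []}},
]
POLICIES_LIST_ONLY = [
    {"objectId": TOKEN_OID, "tenantId": TENANT_ID,
     "permissions": {"secrets": ["list"], "keys": [], "certificates": []}},
]

IDENTITY_RE = re.compile(
    r"'appid=(?P<appid>[^;']*);oid=(?P<oid>[^;']*);iss=(?P<iss>[^']*)'"
)


def parse_identity(error_text: str) -> Optional[dict]:
    """Extract appid, oid, iss and the tenant id from a Key Vault authorization error."""
    m = IDENTITY_RE.search(error_text)
    if m is None:
        return None
    ident = m.groupdict()
    # The issuer is https://sts.windows.net/<tenant>/ ; the tenant is its last path segment.
    ident["tenant"] = ident["iss"].rstrip("/").rsplit("/", 1)[-1]
    return ident


def find_policy(policies, oid: str, tenant: str) -> Optional[dict]:
    """Return the access-policy entry for this object id in this tenant, if any."""
    for policy in policies:
        if (policy.get("objectId", "").lower() == oid.lower()
                and policy.get("tenantId", "").lower() == tenant.lower()):
            return policy
    return None


def diagnose(error_text: str, policies) -> str:
    """Classify why the identity in the error is not authorized for 'secrets get'."""
    ident = parse_identity(error_text)
    if ident is None:
        return "unparsed-error"
    policy = find_policy(policies, ident["oid"], ident["tenant"])
    if policy is None:
        # No entry matches the oid the token actually carries: the entry was never
        # created for this principal, or it points at a principal that no longer exists.
        return "no-policy-for-token-oid"
    secrets_perms = {p.lower() for p in policy.get("permissions", {}).get("secrets", [])}
    if "get" not in secrets_perms:
        return "policy-missing-secrets-get"
    return "policy-grants-get"


if __name__ == "__main__":
    print(parse_identity(SAMPLE_ERROR))
    for name, pols in (("ok", POLICIES_OK), ("stale", POLICIES_STALE),
                       ("list-only", POLICIES_LIST_ONLY)):
        print(name, diagnose(SAMPLE_ERROR, pols))
```

A result of "no-policy-for-token-oid" with a stale entry in the vault is the situation the question describes: the token's oid belongs to a principal the policy does not name, so recreating the service connection only helps until the next run if the policy keeps pointing at the old object. If you follow the answer's suggestion and move to RBAC, the built-in Key Vault Secrets User role is sufficient for a pipeline that only reads secrets; Key Vault Administrator also permits writing and deleting secrets and is more than the AzureKeyVault@2 task needs.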