'Cannot acces keyvault secrets through service endpoint in a VSTS release
We're trying to download secrets with the download key vault secrets release task in VSTS.
The service principal is add in the key vault's access policies, all rights are checked, including get, list secrets.
I created a service endpoint with this service principal and use that to deploy to Azure, but I get following error when trying to retrieve the keyvault secrets:
2018-05-21T12:18:53.9240364Z ##[error]Get secrets failed. Error: Access denied. Specified Azure endpoint needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it OR set them from Azure portal.
Solution 1:[1]
0) Go to your variables library
1) Tick on Link secrets from an Azure key vault as variables
2) Select subscription
3) Select key vault
4) Click Authorize
ACLing will be done by MS and you'll be able to use key vault task.
I'm sure there used to be an Authorize
button when selecting the key vault in the task, but I may be missremembering. Just sunk 2h in to figuring this out....
Issue tracked here
Solution 2:[2]
You need to set permission for the correct principal selected. And the principal format as:
account-<VSTS project name you are build/deploy>-ID
Detail steps to set permission as below:
In Azure portal -> go to the Azure key vault -> Access policies -> Add new -> select template and specify permissions (Get and Listpermission must be set) -> select principal -> search the principal start with account-VSTSProjectName
(such as my VSTS project name is MyTest
in below example) -> Select -> Ok.
Then deploy again in VSTS release, it can download the Azure key vault successful.
Solution 3:[3]
The Dev Ops server also needs to be able to access the keyvault through the firewall if the firewall is turned on ("Allow access from..." on the firewalls and virtual networks page).
The network access to the keyvault for variables is done through a non-agent part of AzDevOps I believe but I haven't figured out how to whitelist those servers.
Turning on the "Allow trusted Microsoft services to byass this firewall" did not work.
I had to allow access for "all networks" to work around this for now as the simplest solution.
The other safer option using an agent task and not a variable group is to..
- Have your own agent pool in an Azure VM
- Either..
- Connect this to a private vnet which is also connected to the KeyVault or...
- Whitelist the agent's public endpoint in the keyvault
- Read in variables from the keyvault secrets during the agent process using the KayVault task (i.e. read the secrets as part of the pipeline).
Hope this helps. Mark.
Solution 4:[4]
When the error's still showing up.
Navigate to your Azure key vault. Check your Access policies
*If the Azure role-based access control is selected
- Under Azure DevOps project > Project Settings > Service connections > selected Service Principal > click the Manage Service Principal.
- Take note of the service principal name in Azure
- Navigate to your Azure key vault.
- Under Access Control (IAM), click add role assignment
- Select Key Vault Secrets User. Click next.
- Select Members. Look for your Service Principal (in step 1)
- Then review + assign
- Click Authorize again in Dev Ops
*If the vault access policy is selected
- Go back to Azure DevOps, then click the Authorize button twice
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | |
Solution 2 | martijnn2008 |
Solution 3 | MarkD |
Solution 4 | ??? |