Using a service principal, I am trying to update the secret value in a Key Vault. The service principal has all the permissions to update the secret value. This code works on my local machine in PowerShell ISE, but not in the pipeline.
This is the code I am using:
# New secret value, wrapped as a SecureString as Set-AzKeyVaultSecret requires
$secretvalue = ConvertTo-SecureString $MyPat -AsPlainText -Force
# Service principal client secret, also as a SecureString for the credential object
$SecuredApplicationSecret = ConvertTo-SecureString "$AzureApplicationSecret" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($AzureApplicationId, $SecuredApplicationSecret)
# Sign in as the service principal in its tenant
Connect-AzAccount -Credential $psCred -TenantId $AzureTenantId -ServicePrincipal
# Write the secret (data-plane operation against the vault) with an expiry date
$secret = Set-AzKeyVaultSecret -VaultName $keyvaultName -Name $secretName -SecretValue $secretvalue -Expires $validToDate
The error that I am getting is:
Error: The client ‘#’ with object id ‘#’ does not have authorization to perform action ‘Microsoft.KeyVault/vaults/write’ over scope ‘/subscriptions/#/resourceGroups/#providers/Microsoft.KeyVault/vaults/#’ or the scope is invalid. If access was recently granted, please refresh your credentials.
Kindly help me resolve this issue so that the code also works in the Azure DevOps pipeline.
Answers
You can try the Azure PowerShell task in Azure DevOps, and don't forget to allow the agent to use the OAuth token. It should work as well.
Azure Powershell task
Choose Azure Powershell Script Task
Enable Allow scripts to access the OAuth token
Please go to your Key Vault -> Access control (IAM) -> Role assignments. Search for the service principal you are using by its name. Please check the role of your service principal. You can assign it the "Key Vault Administrator" role for a test. Then run the pipeline again to see if it works.
In addition to using "Update-AzKeyVaultSecret", you can also use Azure CLI to update the secret. You will use az login to sign in with a service principal and use az keyvault secret set to update your secret.
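As an added diagnostic example (not part of the original question or any of the answers), the following PowerShell shows what the service principal actually holds on the vault, covering both the RBAC and the access-policy permission model, so the object id in the error message can be compared with the principal the pipeline is expected to run as. It assumes the Az.Accounts, Az.Resources and Az.KeyVault modules are installed, that Connect-AzAccount has already been run with an identity allowed to read role assignments, and that $AzureApplicationId and $keyvaultName are the variables from the question.

```powershell
# Added example, not from the original post. Assumes Az.Accounts, Az.Resources and
# Az.KeyVault are installed and the session is already connected with an identity that
# can read role assignments. $AzureApplicationId and $keyvaultName come from the question.

# Built-in roles whose data actions permit writing secrets (assumption from the Azure role docs).
$secretWriterRoles = @('Key Vault Administrator', 'Key Vault Secrets Officer')

$vault = Get-AzKeyVault -VaultName $keyvaultName
if (-not $vault) { throw "Key Vault '$keyvaultName' not found in the current context." }

$sp = Get-AzADServicePrincipal -ApplicationId $AzureApplicationId
if (-not $sp) { throw "No service principal found for application id $AzureApplicationId." }

# Compare this object id with the one quoted in the pipeline error: a mismatch means the
# pipeline is signing in as a different principal than the one that was granted access.
Write-Host "Vault scope        : $($vault.ResourceId)"
Write-Host "Service principal  : $($sp.DisplayName) (object id $($sp.Id))"
Write-Host "RBAC authorization : $($vault.EnableRbacAuthorization)"

if ($vault.EnableRbacAuthorization) {
    # RBAC model: Set-AzKeyVaultSecret needs a data-plane role at or above the vault scope.
    # Get-AzRoleAssignment with -Scope also returns assignments inherited from parent scopes.
    $assignments = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId
    if (-not $assignments) {
        Write-Warning 'No role assignments for this principal at or above the vault scope.'
    }
    foreach ($a in $assignments) {
        $ok = $secretWriterRoles -contains $a.RoleDefinitionName
        Write-Host ("  {0,-30} scope={1} allowsSecretWrite={2}" -f $a.RoleDefinitionName, $a.Scope, $ok)
    }
    if (-not ($assignments | Where-Object { $secretWriterRoles -contains $_.RoleDefinitionName })) {
        Write-Warning 'Set-AzKeyVaultSecret will fail: no Key Vault Administrator or Key Vault Secrets Officer assignment.'
    }
}
else {
    # Access-policy model: RBAC roles do not govern data operations; inspect the policy entry instead.
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    if (-not $policy) {
        Write-Warning 'No access policy entry for this principal; Set-AzKeyVaultSecret will fail.'
    }
    else {
        Write-Host "  Secret permissions: $($policy.PermissionsToSecrets -join ', ')"
        if ($policy.PermissionsToSecrets -notcontains 'set') {
            Write-Warning "Access policy lacks the 'set' secret permission."
        }
    }
}
```

Running this from the same pipeline agent, after the pipeline's own sign-in, additionally confirms which principal the task is actually using.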