
There are many questions similar to mine, but I hit a wall finding what I want; please help.

I am running an Azure DevOps pipeline within the organization "MyOrganization" and in the project "MyProject". The service connection or subscription I am connected to is "Subscription-Id" (something like this: abc123-def456..xyz3265).

The pipeline has several tasks.
The first task is a PowerShell task that creates an Azure Resource Group and then an Azure Key Vault (NewKeyVault).
The second task will scan another existing key vault (SourceKeyVault) and copy its secrets into the NewKeyVault. I know how to do this, and it works just fine when I run the PowerShell tasks from within my PC when I explicitly log in to Azure with my own login.
However, here, when run under the Azure DevOps pipeline, I get an error that the "logged in" user has no permissions to create, get, list, etc. the secrets.
I want to automatically assign an access policy to the newly created key vault.
If using the web portal, I can see the DevOps pipeline as a registered application and can do it. I don't know how to access it from within the PowerShell task in the running DevOps pipeline.

2 Answers


  1. Chosen as BEST ANSWER

    I was able to resolve the issue in a simple manner. I am using an Azure PowerShell script that creates the key vault itself:

    New-AzKeyVault -VaultName $newKvName -ResourceGroupName $resourceGroupName -Location $location
    

    (all the variables referenced with $ are arguments passed to the script)

    And then I get the context for the logged-in principal (the Azure DevOps pipeline is a principal in itself, registered in Azure AD):

    # This gives a context object; the principal's id is one of its properties
    # (for a service principal, Account.Id is its application/client id).
    $Context = Get-AzContext
    

    Then I set that principal in the access policy:

    # Grant the current principal Get/List/Set on secrets in the new vault.
    Set-AzKeyVaultAccessPolicy -VaultName $newKvName -ServicePrincipalName $Context.Account.Id -PermissionsToSecrets Get,List,Set
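
    The following is an added example (not part of the accepted answer above) that carries the same Azure PowerShell approach through end to end: it resolves the pipeline's own identity from Get-AzContext whether the context is a service principal or a user, grants the policy by object id rather than by name, limits it to the permissions the secret-copy step actually needs, and checks that the policy landed before later tasks depend on it. It assumes the same $newKvName, $resourceGroupName and $location script arguments as the answer, that the task runs under an ARM service connection whose principal can already create the vault and write its access policies, and that Az.KeyVault and Az.Resources are available in the task; the 'ClientAssertion' account type for workload-identity-federation connections is an assumption on my part.

```powershell
# Added example, not the original poster's code. Assumes $newKvName, $resourceGroupName
# and $location are passed as script arguments and that the task already runs under an
# Azure Resource Manager service connection.
param(
    [Parameter(Mandatory)] [string] $newKvName,
    [Parameter(Mandatory)] [string] $resourceGroupName,
    [Parameter(Mandatory)] [string] $location
)

$ErrorActionPreference = 'Stop'

# 1. Create the vault, or reuse it if an earlier run already created it.
$vault = Get-AzKeyVault -VaultName $newKvName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzKeyVault -VaultName $newKvName -ResourceGroupName $resourceGroupName -Location $location
}

# 2. Work out which principal the task is running as. Under a service connection the
#    context belongs to a service principal, and Account.Id is then its application
#    (client) id, not its object id, so it is resolved to the object id here.
$ctx = Get-AzContext
switch ($ctx.Account.Type) {
    # 'ClientAssertion' is assumed to be what workload identity federation reports.
    { $_ -in 'ServicePrincipal', 'ClientAssertion' } {
        $objectId = (Get-AzADServicePrincipal -ApplicationId $ctx.Account.Id).Id
    }
    'User' {
        $objectId = (Get-AzADUser -UserPrincipalName $ctx.Account.Id).Id
    }
    default { throw "Unsupported account type '$($ctx.Account.Type)' in the pipeline context" }
}

# 3. Grant only what copying secrets into this vault needs (Set, plus Get/List so the
#    copy can be verified). Granting by object id avoids matching the wrong principal
#    when several share a display name.
Set-AzKeyVaultAccessPolicy -VaultName $newKvName -ResourceGroupName $resourceGroupName `
    -ObjectId $objectId -PermissionsToSecrets Get, List, Set

# 4. Fail the task here, rather than in the copy step, if the policy did not apply.
$policy = (Get-AzKeyVault -VaultName $newKvName -ResourceGroupName $resourceGroupName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $objectId }
if (-not $policy -or ($policy.PermissionsToSecrets -notcontains 'Set')) {
    throw "Access policy for principal $objectId was not applied to vault $newKvName"
}
Write-Host "Principal $objectId ($($ctx.Account.Type)) has secret permissions [$($policy.PermissionsToSecrets -join ', ')] on $newKvName"
```

    The source vault, which the copy step only reads from, should get just Get and List for the same principal; Set on the source is never needed for a copy.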
    

  2. Based on your expectation, you may consider using the Azure CLI pipeline task, where you can run the az keyvault set-policy command to configure key vault access policies for a specific user.

    az keyvault set-policy -n $(TheAzureKeyVaultName) --secret-permissions get list --object-id $(UserPrincipalGUID)
    

    See more information on az keyvault set-policy.

    steps:
    - task: AzureCLI@2
      displayName: 'Azure CLI '
      inputs:
        azureSubscription: 'ARM_Svc_Cnn_Auto_Sub1'
        scriptType: ps
        scriptLocation: inlineScript
        inlineScript: 'az keyvault set-policy -n $(TheAzureKeyVaultName) --secret-permissions get list --object-id $(UserPrincipalGUID)'
    

    This task requires an Azure Resource Manager service connection to authenticate and log in to Azure.

    For the automatically created ARM service connection, you can use this API to find out which service principal the ARM service connection references for az login.

    (screenshot: SvcPrincipal)

    In my case, the ARM service connection is referencing the service principal MyDevOpsOrg-TheProjectName-MySubID which is the contributor of my target KeyVault (inherited from subscription) and has sufficient permission to set key vault access policy.

    (screenshot: KeyVault)
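
    As an added example (not part of the answer above), here is what the same lookup looks like from inside an AzureCLI@2 task with scriptType: ps, without going through the service connection API: it reads the principal the task logged in as from az account show, resolves its object id, checks that the principal holds a role that allows access-policy changes on the vault (Contributor, as in the answer, or Key Vault Contributor or Owner), and only then runs az keyvault set-policy and verifies the result. It assumes $(TheAzureKeyVaultName) is handed to the script as a $VaultName argument and that the principal is allowed to list its own role assignments.

```powershell
# Added example, not the original answer's code. Runs inside an AzureCLI@2 task
# (scriptType: ps) under an ARM service connection; $VaultName is assumed to be
# $(TheAzureKeyVaultName) passed as a script argument.
param([Parameter(Mandatory)] [string] $VaultName)

$ErrorActionPreference = 'Stop'

# 1. Identity: when the task logged in with a service principal, az account show
#    reports user.type = servicePrincipal and user.name = the application (client) id.
$account = az account show -o json | ConvertFrom-Json
if ($account.user.type -ne 'servicePrincipal') {
    throw "Expected a service principal login, got '$($account.user.type)'"
}
$appId = $account.user.name
$objectId = az ad sp show --id $appId --query id -o tsv
Write-Host "Service connection principal: appId=$appId objectId=$objectId"

# 2. Pre-flight: writing an access policy is a control-plane (ARM) operation, so the
#    principal needs a suitable role on the vault, directly or inherited from the
#    resource group or subscription.
$vaultId = az keyvault show -n $VaultName --query id -o tsv
$roles = az role assignment list --assignee $objectId --scope $vaultId --include-inherited `
    --query "[].roleDefinitionName" -o json | ConvertFrom-Json
if (-not ($roles | Where-Object { $_ -in 'Owner', 'Contributor', 'Key Vault Contributor' })) {
    throw "Principal $objectId cannot change access policies on $VaultName (roles: $($roles -join ', '))"
}

# 3. Grant only get/list on secrets: enough to read and enumerate them, not to write.
az keyvault set-policy -n $VaultName --object-id $objectId --secret-permissions get list | Out-Null

# 4. Verify the policy as the vault now reports it (compare case-insensitively, since
#    policies created in the portal use capitalised permission names).
$granted = az keyvault show -n $VaultName `
    --query "properties.accessPolicies[?objectId=='$objectId'].permissions.secrets | [0]" -o json |
    ConvertFrom-Json | ForEach-Object { $_.ToLower() }
if ($granted -notcontains 'get' -or $granted -notcontains 'list') {
    throw "Access policy not applied for $objectId on $VaultName"
}
Write-Host "Secret permissions for $objectId on ${VaultName}: $($granted -join ', ')"
```

    If step 2 fails, the fix is a role assignment on the vault or its resource group for the service connection's principal, which is a one-time change outside the pipeline; the pipeline itself should not be granted Owner just to get past it.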
