I made the Key Vault private
[Screenshot: Networking blade in Key Vault]
So when I tried to execute the release pipeline, it is showing an error like:
[Screenshot: error mail]
What will be the solution for this problem?
How can we access the Key Vault secrets if we made it private?
2 Answers
I have tried to repro the same using the steps below and got positive results.
Step 1: Create the Azure Key Vault and change the network settings to "Allow public access from specific virtual networks and IP addresses".
Step 2: Identify the region of your organization in your ADO organization settings, as shown below.
When running the pipelines, if you choose the Azure-hosted agent, it will pick the agents from the location where the organization is hosted. In my case, it is Central US.
So, to establish connectivity between the Azure Key Vault and the ADO agents, we must whitelist all the IP addresses of those agents in Central US in the Networking tab of the Azure Key Vault.
Kindly go through this link for detailed steps that help in identifying the IP addresses.
You can download from this link a JSON file containing the IP addresses of the Azure-hosted agents, to be added in the Azure Key Vault.
Step 3: Add the Azure Key Vault task and run the pipeline to see the result.
I am adding this answer as per your last comment. Do let me know if it works, or I will remove it.
Yes, the IP addresses will change weekly, as per this Microsoft documentation: Microsoft-hosted agents for Azure Pipelines – Azure Pipelines | Microsoft Learn. So it is recommended to check frequently, at least once a week. If your ADO pipeline fails at the Key Vault step, the first action is to verify the whitelisted IP addresses against the newly published weekly JSON file (which contains the IP addresses). I didn't find any issues while adding IPs in the Key Vault.
(For the second comment:)
Step 1: Download and open the file in Notepad or any other text editor.
Step 2: Hit Ctrl+F and enter the ADO organization location as the search input. In my case, it is Central US.
Add only IPv4 addresses, as the Key Vault does not accept IPv6 addresses today.
Note: As per the Microsoft documentation, we must add all the IPs of the machines in the geography where the DevOps organization is hosted. Please see the screenshot below. But for me it works even when I add only the regional addresses.
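The weekly check described in this answer, automated, as an added example (not code from the original post): it reads the weekly Azure IP-ranges JSON, keeps only the IPv4 prefixes of the AzureCloud.<region> service tag (the Key Vault firewall rejects IPv6), diffs them against the vault's current IP rules, and renders the `az keyvault network-rule add/remove` calls. The JSON below is a constructed sample in the shape of the real file; the vault and resource-group names are placeholders.

```python
import ipaddress
import json

# Constructed sample in the shape of the weekly "Azure IP Ranges and Service Tags" JSON.
# Only the fields this script reads are included; the real file has many more entries.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.centralus",
         "properties": {"region": "centralus",
                        "addressPrefixes": ["13.67.128.0/20", "20.37.128.0/18",
                                            "2603:1030:10::/47"]}},   # IPv6 entry, must be skipped
        {"name": "AzureCloud.eastus",
         "properties": {"region": "eastus",
                        "addressPrefixes": ["13.68.128.0/17"]}},
    ],
})


def _net_key(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def ipv4_prefixes_for_region(service_tags_json, region):
    """IPv4 prefixes of the AzureCloud.<region> tag, sorted. Accepts "Central US" or "centralus"."""
    tag = "azurecloud." + region.replace(" ", "").lower()
    prefixes = set()
    for entry in json.loads(service_tags_json)["values"]:
        if entry["name"].lower() != tag:
            continue
        for cidr in entry["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:                 # Key Vault firewall accepts IPv4 only
                prefixes.add(str(net))
    return sorted(prefixes, key=_net_key)


def weekly_diff(current_allowlist, service_tags_json, region):
    """Compare the vault's current IP rules with the new weekly file.
    Returns (to_add, to_remove): prefixes missing from the vault, and stale ones."""
    wanted = set(ipv4_prefixes_for_region(service_tags_json, region))
    current = {str(ipaddress.ip_network(c, strict=False)) for c in current_allowlist}
    return sorted(wanted - current, key=_net_key), sorted(current - wanted, key=_net_key)


def az_commands(vault_name, resource_group, to_add, to_remove):
    """Render the az CLI calls that apply the diff (vault/RG names are placeholders)."""
    base = ("az keyvault network-rule {} --name " + vault_name +
            " --resource-group " + resource_group + " --ip-address {}")
    return ([base.format("add", c) for c in to_add] +
            [base.format("remove", c) for c in to_remove])
```

Feeding the real weekly file and the output of `az keyvault network-rule list` into `weekly_diff` gives the exact set of rules that drifted since the last update.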