Link an Azure key vault and map vault secrets to the variable group

user10434309
December 30, 2023
83 views
1 vote
2 Answers

I want to link an Azure key vault and map vault secrets to the variable group, but I am getting the following error:

Specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault. Set these secret permissions in Azure portal or run the following commands in powershell window.

and a suggestion:

$ErrorActionPreference="Stop";Login-AzAccount -SubscriptionId
**************;$spn=(Get-AzADServicePrincipal
-SPN ****************);Set-AzKeyVaultAccessPolicy -VaultName ********** -ObjectId $spn.Id -PermissionsToSecrets get,list;

But even after giving all the access to the service principle to access the keyvault and applying the suggested solutions

SP access to keyvault

I am still getting the same error.

Tags: azure azure-devops

Answers

- wadezhouMSFT
- December 25, 2023 at 7:52 am
- 0 votes
0
From your screenshot, it appears you are using Vault access policy not Azure RBAC for permission model on Azure Key vault, and the permission has been already granted with secret get, list.

With same permission, the service connection works fine on Azure KeyVault task and Variable group on my side(doc here).

But the error could also happen when firewall restriction is setting on the Azure Key vault, even above permission granted.

Hence please check if you have firewall setting or private endpoint on azure key vault, make sure the agent ip is in the azure key vault whitelist, make sure agent can access it.

Here is the script which i use to dynamically add the agent ip to the key vault whitelist.
```
- task: AzureCLI@2
  inputs:
    azureSubscription: 'ARMConn3'
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $ipAddress = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
      $resourceGroupName = "yourRG"
      $vaultName = "keyvaultname"
      az keyvault network-rule add --name $vaultName --resource-group $resourceGroupName --ip-address $ipAddress
```
If it’s prviate endpoint, you could set self-hosted agent on a machine which has same private endpoint, so it can access the key vault.

Edit:

Add permission screenshots.

The service principal from service connection has contributor role on the key vault which is inherited:

When you link key vault in variable group, the get, List permssion will be automatically assigned to service principal.
Login or Signup to reply.

- KevinLuMSFT
- December 27, 2023 at 3:42 am
- 0 votes
0
Based on the screenshot, you have granted the enough permission to the service Principal.

The issue can be related to the firewall in Azure Key Vault.

When we access the Azure Key Vault from the Azure DevOps site -> Variable Group, it will use the Azure DevOps Public IP to access the Azure Key Vault.

We need to add the Inbound connections to the Azure Key Vault firewall. Then the Variable Group can connect to Azure Key Vault.

Here are the steps:

Step1: The IP range is related to the Organization Region of your organization.

You can check the Organization Region in Organization Settings -> Overview -> Region. Then you can find the related IP range in the doc: Inbound connections.

For example:
```
Asia Pacific    Southeast Asia (Singapore)  20.195.68.0/24
```
Step2: We can enable the option: Allow public access from specific virtual networks and IP addresses and need to add the IP range to Azure Key Vault firewall(Azure Key Vault -> Networking)

For example:

Note: You need to make sure that the Azure Key Vault can be accessed by Public IP. If you have disabled the Public IP in Azure Key Vault, the Variable Group will not be able to connect to Azure Key Vault.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.