Cannot access keyvault secrets through service endpoint in a VSTS release
We're trying to download secrets with the download key vault secrets release task in VSTS.
The service principal is added in the key vault's access policies; all rights are checked, including Get and List secrets.
I created a service endpoint with this service principal and use that to deploy to Azure, but I get the following error when trying to retrieve the key vault secrets:
2018-05-21T12:18:53.9240364Z ##[error]Get secrets failed. Error:
Access denied. Specified Azure endpoint needs to have Get, List secret
management permissions on the selected key vault. To set these
permissions, download ProvisionKeyVaultPermissions.ps1 script from
build/release logs and execute it OR set them from Azure portal.
edited Jun 21 '18 at 12:56 by Sailendra Kumar Dhal
asked Jun 21 '18 at 12:29 by fvl
3 Answers
0) Go to your variables library
1) Tick on Link secrets from an Azure key vault as variables
2) Select subscription
3) Select key vault
4) Click Authorize
ACLing will be done by MS and you'll be able to use the key vault task.
I'm sure there used to be an Authorize button when selecting the key vault in the task, but I may be misremembering. Just sunk 2h into figuring this out....

Issue tracked here
edited Oct 24 '18 at 13:02
answered Aug 20 '18 at 12:49 by Mardoxx
You need to set permission for the correct principal selected.
And the principal format is:
account-<VSTS project name you are building/deploying>-ID
Detailed steps to set permission are as below:
In Azure portal -> go to the Azure key vault -> Access policies -> Add new -> select template and specify permissions (Get and List permission must be set) -> select principal -> search for the principal starting with account-VSTSProjectName (for example, my VSTS project name is MyTest in the example below) -> Select -> Ok.

Then deploy again in VSTS release; it can download from the Azure key vault successfully.
answered Jun 22 '18 at 5:47 by Marina Liu - MSFT
The DevOps server also needs to be able to access the keyvault through the firewall if the firewall is turned on ("Allow access from..." on the firewalls and virtual networks page).
The network access to the keyvault for variables is done through a non-agent part of AzDevOps I believe, but I haven't figured out how to whitelist those servers.
Turning on the "Allow trusted Microsoft services to bypass this firewall" did not work.
I had to allow access for "all networks" to work around this for now as the simplest solution.
The other, safer option, using an agent task and not a variable group, is to:
- Have your own agent pool in an Azure VM
- Either:
  - Connect this to a private vnet which is also connected to the KeyVault, or
  - Whitelist the agent's public endpoint in the keyvault
- Read in variables from the keyvault secrets during the agent process using the KeyVault task (i.e. read the secrets as part of the pipeline).
Hope this helps.
Mark.
answered Nov 10 '18 at 21:15 by MarkD
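Added example (not from the question or any of the answers): a Python pre-flight check over the JSON that `az keyvault show -n <vault> -o json` prints, covering both points raised above, the access-policy permissions for the service principal and the vault firewall. The vault document, object IDs and source IPs are constructed samples; the JSON field names follow the CLI's output shape.

```python
"""Pre-flight check for the 'Access denied ... Get, List' error over the JSON
that `az keyvault show -n <vault> -o json` prints: does the service principal's
access policy grant Get and List on secrets, and would the firewall admit us?"""
import ipaddress
import json

# Constructed sample in the shape of `az keyvault show` output (not real data).
SAMPLE_VAULT_JSON = json.dumps({
    "name": "example-vault",
    "properties": {
        "accessPolicies": [
            {"objectId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"secrets": ["get"], "keys": [], "certificates": []}},
            {"objectId": "22222222-2222-2222-2222-222222222222",
             "permissions": {"secrets": ["Get", "List"], "keys": [], "certificates": []}},
        ],
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                        "ipRules": [{"value": "203.0.113.0/24"}],
                        "virtualNetworkRules": []},
    },
})

REQUIRED_SECRET_PERMS = {"get", "list"}  # what the release task needs

def missing_secret_permissions(vault, object_id):
    """Return the required secret permissions that the access policy for
    object_id lacks; an empty set means the policy is sufficient, and no
    policy at all counts as lacking everything."""
    for policy in vault["properties"].get("accessPolicies") or []:
        if policy["objectId"].lower() == object_id.lower():
            granted = {p.lower() for p in policy["permissions"].get("secrets") or []}
            return set() if "all" in granted else REQUIRED_SECRET_PERMS - granted
    return set(REQUIRED_SECRET_PERMS)

def firewall_admits(vault, source_ip):
    """True if the vault firewall admits traffic from source_ip: either the
    default action is Allow ("all networks") or the IP matches an ipRules
    entry (single address or CIDR). VNet rules and the trusted-services
    bypass are not evaluated, since a source IP alone cannot show membership."""
    acls = vault["properties"].get("networkAcls") or {}
    if acls.get("defaultAction", "Allow").lower() == "allow":
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(rule["value"], strict=False)
               for rule in acls.get("ipRules") or [])

def check(vault_json, object_id, source_ip):
    """Return (missing_permissions, firewall_ok) for one vault JSON document."""
    vault = json.loads(vault_json)
    return missing_secret_permissions(vault, object_id), firewall_admits(vault, source_ip)
```

Run `check` with the service principal's object ID (not its application ID) and the public IP the agent egresses from; a non-empty first value maps to the access-policy fix, a False second value to the firewall fix.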