Cannot acces keyvault secrets through service endpoint in a VSTS release

6
votes

We're trying to download secrets with the download key vault secrets release task in VSTS.

The service principal is add in the key vault's access policies, all rights are checked, including get, list secrets.

I created a service endpoint with this service principal and use that to deploy to Azure, but I get following error when trying to retrieve the keyvault secrets:

2018-05-21T12:18:53.9240364Z ##[error]Get secrets failed. Error: Access denied. Specified Azure endpoint needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it OR set them from Azure portal.

3
azureazure-devopsazure-pipelines-release-pipelineazure-keyvaultarm-template

3 Answers

6
votes

0) Go to your variables library

1) Tick on Link secrets from an Azure key vault as variables

2) Select subscription

3) Select key vault

4) Click Authorize

ACLing will be done by MS and you'll be able to use key vault task.

I'm sure there used to be an Authorize button when selecting the key vault in the task, but I may be missremembering. Just sunk 2h in to figuring this out....

enter image description here

Issue tracked here

3
votes

You need to set permission for the correct principal selected. And the principal format as:

account-<VSTS project name you are build/deploy>-ID

Detail steps to set permission as below:

In Azure portal -> go to the Azure key vault -> Access policies -> Add new -> select template and specify permissions (Get and Listpermission must be set) -> select principal -> search the principal start with account-VSTSProjectName (such as my VSTS project name is MyTest in below example) -> Select -> Ok.

enter image description here

Then deploy again in VSTS release, it can download the Azure key vault successful.

2
votes

The Dev Ops server also needs to be able to access the keyvault through the firewall if the firewall is turned on ("Allow access from..." on the firewalls and virtual networks page).

The network access to the keyvault for variables is done through a non-agent part of AzDevOps I believe but I haven't figured out how to whitelist those servers.

Turning on the "Allow trusted Microsoft services to byass this firewall" did not work.

I had to allow access for "all networks" to work around this for now as the simplest solution.

The other safer option using an agent task and not a variable group is to..

  1. Have your own agent pool in an Azure VM
  2. Either..
    1. Connect this to a private vnet which is also connected to the KeyVault or...
    2. Whitelist the agent's public endpoint in the keyvault
  3. Read in variables from the keyvault secrets during the agent process using the KayVault task (i.e. read the secrets as part of the pipeline).

Hope this helps. Mark.