1
votes

I have created a Key Vault in Azure DevOps using ARM and I now want to write a secret to it within the same pipeline.

I created an Azure PowerShell task with the following inline PowerShell:

# $(Secret), $(VaultName) and $(SecretName) are pipeline variables substituted before the script runs
$secretvalue = ConvertTo-SecureString $(Secret) -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $(VaultName) -Name $(SecretName) -SecretValue $secretvalue

The key vault gets created fine, but I get the following error when trying to write the secret:

[error]Access denied

If I run Set-AzureKeyVaultSecret on my local machine it works fine.

EDIT

Here are some screenshots of what I've done. In Azure DevOps I created a Service Connection and verified it:

[screenshot]

Here's what my Azure PowerShell task looks like to write the secret to the vault:

[screenshots]

Key Vault permissions:

[screenshots]

Do I need a separate Service Principal or do I need to create an App Registration?


2 Answers

2
votes

Pretty sure you gave rights to the wrong entity. To find the proper entity, do this.

Click the Manage link in the Azure Subscription field; it will navigate you to a new blade. Click Manage Service Principal there. It will take you to the application page in Azure AD. After that you can copy the name under the Managed application in local directory field and use that name to grant it Key Vault permissions.
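The check behind this answer, as an added example that is not part of the question or either answer: run it as an inline script in the same Azure PowerShell task to print which identity the task is actually authenticated as, compare that identity against the vault's access policies, and grant secret permissions to it if they are missing. It assumes the classic AzureRM modules the question's `Set-AzureKeyVaultSecret` comes from (for the Az module, replace `AzureRm` with `Az` in each cmdlet name) and the `$(VaultName)`, `$(SecretName)` and `$(Secret)` pipeline variables from the question.

```powershell
# Added example, not from the original post. Assumes AzureRM cmdlets and the
# pipeline variables $(VaultName), $(SecretName), $(Secret) from the question.

# 1. Which identity is this task running as? For a service-connection login,
#    Account.Type is "ServicePrincipal" and Account.Id is its application (client) ID.
$ctx = Get-AzureRmContext
Write-Host "Running as $($ctx.Account.Id) (type: $($ctx.Account.Type))"

# 2. Resolve that application ID to the service principal object. Key Vault
#    access policies are keyed on the object ID, not the application ID or the
#    display name, which is where rights usually end up on the wrong entity.
$sp = Get-AzureRmADServicePrincipal -ApplicationId $ctx.Account.Id
if (-not $sp) {
    throw "No service principal found for application ID $($ctx.Account.Id)"
}
Write-Host "Service principal object ID: $($sp.Id) ($($sp.DisplayName))"

# 3. Compare with the vault's access policies and grant secret rights if missing.
$vault  = Get-AzureRmKeyVault -VaultName $(VaultName)
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) {
    Write-Host "No access policy for object $($sp.Id); granting get,list,set on secrets"
    Set-AzureRmKeyVaultAccessPolicy -VaultName $(VaultName) -ObjectId $sp.Id -PermissionsToSecrets get,list,set
} else {
    Write-Host "Existing secret permissions: $($policy.PermissionsToSecrets -join ',')"
}

# 4. Write the secret, passing the value as a SecureString.
$secretvalue = ConvertTo-SecureString $(Secret) -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $(VaultName) -Name $(SecretName) -SecretValue $secretvalue
```

Two caveats: step 2 reads the directory through Azure AD Graph, so the service principal needs directory read rights for the lookup to succeed (the `-ServicePrincipalName` parameter of `Set-AzureRmKeyVaultAccessPolicy` accepts the application ID directly but performs the same lookup internally); and step 3 only works because the service principal already has management-plane rights on the vault (it created it), which does not by itself grant data-plane access to secrets. If you would rather not have the pipeline grant itself rights, put the same object ID into the `accessPolicies` of the ARM template that creates the vault.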

1
votes

Check the permissions of the service connection to ARM and the permissions in your vault. Steps to check are here: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=vsts