
We have SSL inspection turned on in our on-premises environment. We are able to run the self-hosted agent with a cert using this command ".\config.cmd --sslcacert cacert.pem", as you can see from this log:

2019-09-04T20:36:49.2001937Z ##[debug]Agent.CAInfo=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\cacert.pem

However, when we run the Azure Key Vault task, we still get this error: "Error: self signed certificate in certificate chain." This means the Key Vault task is not using the cert.

Our temporary workaround is to bypass SSL inspection for 2 URLs: login.windows.net and xxx-kv.vault.azure.net (the actual Key Vault task).

Full Debug log when running Azure Key Vault task:

2019-09-04T20:36:48.5271195Z ##[section]Starting: Azure Key Vault: XXX-KV
2019-09-04T20:36:48.5633898Z ==============================================================================
2019-09-04T20:36:48.5634124Z Task         : Azure Key Vault
2019-09-04T20:36:48.5634269Z Description  : Download Azure Key Vault secrets
2019-09-04T20:36:48.5634436Z Version      : 1.155.0
2019-09-04T20:36:48.5634589Z Author       : Microsoft Corporation
2019-09-04T20:36:48.5634739Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-key-vault
2019-09-04T20:36:48.5634909Z ==============================================================================
2019-09-04T20:36:49.1806715Z ##[debug]agent.TempDirectory=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_temp
2019-09-04T20:36:49.1855381Z ##[debug]loading inputs and endpoints
2019-09-04T20:36:49.1880068Z ##[debug]loading ENDPOINT_AUTH_8040b62c-c752-455e-be9c-b1cf3ac8c1c4
2019-09-04T20:36:49.1896857Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_AUTHENTICATIONTYPE
2019-09-04T20:36:49.1904896Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_SERVICEPRINCIPALID
2019-09-04T20:36:49.1912609Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_SERVICEPRINCIPALKEY
2019-09-04T20:36:49.1919718Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_TENANTID
2019-09-04T20:36:49.1926908Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
2019-09-04T20:36:49.1932604Z ##[debug]loading ENDPOINT_AUTH_SCHEME_8040b62c-c752-455e-be9c-b1cf3ac8c1c4
2019-09-04T20:36:49.1938483Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
2019-09-04T20:36:49.1944016Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
2019-09-04T20:36:49.1951040Z ##[debug]loading INPUT_CONNECTEDSERVICENAME
2019-09-04T20:36:49.1956493Z ##[debug]loading INPUT_KEYVAULTNAME
2019-09-04T20:36:49.1962116Z ##[debug]loading INPUT_SECRETSFILTER
2019-09-04T20:36:49.1976755Z ##[debug]loaded 12
2019-09-04T20:36:49.2000363Z ##[debug]Agent.ProxyUrl=undefined
2019-09-04T20:36:49.2001937Z ##[debug]Agent.CAInfo=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\cacert.pem
2019-09-04T20:36:49.2002201Z ##[debug]Agent.ClientCert=undefined
2019-09-04T20:36:49.2002457Z ##[debug]expose agent certificate configuration.
2019-09-04T20:36:49.2002978Z ##[debug]Agent.SkipCertValidation=undefined
2019-09-04T20:36:49.2361569Z ##[debug]agent.proxyurl=undefined
2019-09-04T20:36:49.2362396Z ##[debug]VSTS_ARM_REST_IGNORE_SSL_ERRORS=undefined
2019-09-04T20:36:49.2363096Z ##[debug]AZURE_HTTP_USER_AGENT=VSTS_dc216ba3-25e9-46a8-823a-fb77a81f2a9f_Release__1792_3286_5
2019-09-04T20:36:49.3499232Z ##[debug]Agent.TempDirectory=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_temp
2019-09-04T20:36:49.3580461Z ##[debug]Setting resource path to C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_tasks\AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e\1.155.0\task.json
2019-09-04T20:36:49.3582279Z ##[debug]check path : C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_tasks\AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e\1.155.0\task.json
2019-09-04T20:36:49.3585807Z ##[debug]adding resource file: C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_tasks\AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e\1.155.0\task.json
2019-09-04T20:36:49.3586610Z ##[debug]system.culture=en-US
2019-09-04T20:36:49.3645635Z ##[debug]ConnectedServiceName=8040b62c-c752-455e-be9c-b1cf3ac8c1c4
2019-09-04T20:36:49.3646702Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data SubscriptionId = e0279acf-930e-4937-abbf-f45670343bcf
2019-09-04T20:36:49.3660205Z ##[debug]KeyVaultName=XXX-KV
2019-09-04T20:36:49.3667591Z ##[debug]SecretsFilter=*
2019-09-04T20:36:49.3674107Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data AzureKeyVaultDnsSuffix = vault.azure.net
2019-09-04T20:36:49.3680310Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param serviceprincipalid = ***
2019-09-04T20:36:49.3695138Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth scheme = ServicePrincipal
2019-09-04T20:36:49.3711060Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data subscriptionid = xxx
2019-09-04T20:36:49.3711521Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data subscriptionname = xxx
2019-09-04T20:36:49.3718207Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param serviceprincipalid = ***
2019-09-04T20:36:49.3718578Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data environmentAuthorityUrl = https://login.windows.net/
2019-09-04T20:36:49.3723634Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param tenantid = ***
2019-09-04T20:36:49.3724897Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4=https://management.azure.com/
2019-09-04T20:36:49.3725191Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data environment = AzureCloud
2019-09-04T20:36:49.3731459Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth scheme = ServicePrincipal
2019-09-04T20:36:49.3731928Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data msiclientId = undefined
2019-09-04T20:36:49.3732261Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data activeDirectoryServiceEndpointResourceId = https://management.core.windows.net/
2019-09-04T20:36:49.3732543Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data AzureKeyVaultServiceEndpointResourceId = https://vault.azure.net
2019-09-04T20:36:49.3732765Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data AzureKeyVaultDnsSuffix = vault.azure.net
2019-09-04T20:36:49.3732970Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data ScopeLevel = Subscription
2019-09-04T20:36:49.3739455Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param authenticationType = ***
2019-09-04T20:36:49.3739758Z ##[debug]credentials spn endpoint
2019-09-04T20:36:49.3744895Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param serviceprincipalkey = ***
2019-09-04T20:36:49.3745190Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data EnableAdfsAuthentication = false
2019-09-04T20:36:49.3749942Z ##[debug]{"subscriptionID":"xxx","subscriptionName":"xxx","servicePrincipalClientID":"***","environmentAuthorityUrl":"https://login.windows.net/","tenantID":"***","url":"https://management.azure.com/","environment":"AzureCloud","scheme":"ServicePrincipal","activeDirectoryResourceID":"https://management.azure.com/","azureKeyVaultServiceEndpointResourceId":"https://vault.azure.net","azureKeyVaultDnsSuffix":"vault.azure.net","scopeLevel":"Subscription","authenticationType":"***","servicePrincipalKey":***,"isADFSEnabled":false,"applicationTokenCredentials":{"clientId":"***","domain":"***","baseUrl":"https://management.azure.com/","authorityUrl":"https://login.windows.net/","activeDirectoryResourceId":"https://management.azure.com/","isAzureStackEnvironment":false,"authType":"***","secret":***,"isADFSEnabled":false}}
2019-09-04T20:36:49.3801318Z SubscriptionId: e0279acf-930e-4937-abbf-f45670343bcf.
2019-09-04T20:36:49.3801630Z Key vault name: XXX-KV.
2019-09-04T20:36:49.3804177Z ##[debug]set SYSTEM_UNSAFEALLOWMULTILINESECRET=true
2019-09-04T20:36:49.3806438Z ##[debug]Processed: ##vso[task.setvariable variable=SYSTEM_UNSAFEALLOWMULTILINESECRET;issecret=false;]true
2019-09-04T20:36:49.3807530Z ##[debug]Downloading all secrets from subscriptionId: e0279acf-930e-4937-abbf-f45670343bcf, vault: XXX-KV
2019-09-04T20:36:49.3815679Z Downloading secrets using: https://XXX-KV.vault.azure.net/secrets?maxresults=25&api-version=2016-10-01.
2019-09-04T20:36:49.3837017Z ##[debug][POST]https://login.windows.net/***/oauth2/token/
2019-09-04T20:36:49.8075826Z ##[debug][GET]https://XXX-KV.vault.azure.net/secrets?maxresults=25&api-version=2016-10-01
2019-09-04T20:36:50.1199696Z ##[debug]Processed: ##vso[task.logissue type=error;code=SELF_SIGNED_CERT_IN_CHAIN;]
2019-09-04T20:36:50.1200310Z ##[debug]{"code":"SELF_SIGNED_CERT_IN_CHAIN"}
2019-09-04T20:36:50.1200536Z ##[debug]task result: Failed
2019-09-04T20:36:50.1201010Z ##[error]Get secrets failed. Error: self signed certificate in certificate chain.

Expected result: when the self-hosted agent is set up to run with the cert, all the tasks executed by the agent should do the same as well.

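What the log above shows is a TLS client that builds a chain ending in the inspection appliance's private root and then rejects it because that root is not in the trust store it consulted. The following is an added example, not code from the original post or from Microsoft's Azure Key Vault task: it models the situation in Go's standard library by constructing a throw-away "SSL inspection" root CA, minting a leaf for the (constructed, not real) host xxx-kv.vault.azure.net the way an inspecting proxy does, serving a fake /secrets listing behind it, and fetching that listing once with platform roots only (which is effectively what a client that ignores Agent.CAInfo does) and once with the root supplied as a cacert.pem-style bundle. The CA names, host name and JSON body are all constructed for the example; IsUntrustedRoot maps Go's x509.UnknownAuthorityError onto Node's SELF_SIGNED_CERT_IN_CHAIN, which is the same verification outcome seen in the log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// KeyVaultHost is the constructed vault host name used throughout (not a real vault).
const KeyVaultHost = "xxx-kv.vault.azure.net"

// InspectionChain models an SSL-inspection appliance: a private root CA and the
// leaf it mints on the fly for the Key Vault host. Both are constructed here.
type InspectionChain struct {
	RootPEM []byte          // what cacert.pem must contain for the task to trust the proxy
	Leaf    tls.Certificate // what the proxy presents to the agent instead of Microsoft's cert
}

// issue signs tmpl with parentKey; a nil parent produces a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	return der, key, err
}

// NewInspectionChain builds the constructed root and the leaf it issues for KeyVaultHost.
func NewInspectionChain() (*InspectionChain, error) {
	now := time.Now()
	root := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example SSL Inspection Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, rootKey, err := issue(root, nil, nil)
	if err != nil {
		return nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: KeyVaultHost},
		DNSNames:     []string{KeyVaultHost}, // SAN must match the name the client verifies
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, leafKey, err := issue(leaf, rootCert, rootKey)
	if err != nil {
		return nil, err
	}
	return &InspectionChain{
		RootPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER}),
		Leaf:    tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey},
	}, nil
}

// FetchSecrets plays the task's HTTP client. caPEM == nil means "platform roots only",
// i.e. a client that never reads Agent.CAInfo; otherwise the bundle is the sole trust anchor.
func FetchSecrets(url string, caPEM []byte) (int, error) {
	cfg := &tls.Config{ServerName: KeyVaultHost, MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(caPEM) {
			return 0, errors.New("CA bundle contains no parseable certificate")
		}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// IsUntrustedRoot is the Go counterpart of Node's SELF_SIGNED_CERT_IN_CHAIN: the chain
// was built but terminates in a root that the consulted trust store does not contain.
func IsUntrustedRoot(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// StartFakeVault serves a minimal /secrets listing behind the inspection leaf.
func StartFakeVault(chain *InspectionChain) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"value":[{"id":"https://xxx-kv.vault.azure.net/secrets/demo"}]}`) // constructed body
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{chain.Leaf}}
	srv.StartTLS()
	return srv
}

func main() {
	chain, err := NewInspectionChain()
	if err != nil {
		panic(err)
	}
	srv := StartFakeVault(chain)
	defer srv.Close()
	url := srv.URL + "/secrets?maxresults=25&api-version=2016-10-01"
	_, err = FetchSecrets(url, nil)
	fmt.Println("without cacert.pem:", err, "| untrusted root:", IsUntrustedRoot(err))
	code, err := FetchSecrets(url, chain.RootPEM)
	fmt.Println("with cacert.pem:", code, err)
}
```

The practical check this encodes: the same request fails with an untrusted-root error when the bundle is not consulted and succeeds once the inspection root is the trust anchor, so a task that keeps failing after the agent has Agent.CAInfo set is using a different trust store from the agent, not a broken cacert.pem. Bypassing inspection for the two hosts, as in the workaround above, removes the private root from the chain instead of teaching the client to trust it.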

1 Answer


Is there a way to run this Azure Key Vault task (in Azure DevOps) with a cert?

I am afraid there is no such way to run the Azure Key Vault task with a cert.

Just like EagleDev pointed out, the reason is:

You cannot download a key in the form of a cert file (whether it is .pem or .pfx) from Azure Key Vault once the cert is uploaded to the Keys store. Keys in Azure Key Vault are used purposely for signing/encrypting/decrypting operations. The returned JSON is in the format of a JWT (JSON Web Token), which only contains the public part of your stored key. This basically means converting the output to the form of PEM or X.509 is not possible.

For detailed info, you can check the following ticket:

Getting pem file uploaded in Azure Key Vault Keys

Hope this helps.