We have set up a connection between Azure DevOps and Azure Key Vault via Service Connections (service principal authentication). However, in order for it to work we need to have the Azure Key Vault -> Networking setting marked as "Allow access from: All networks". Given that we store secrets here, we would like to use the option "Private endpoint and selected networks" instead, with "Allow trusted Microsoft services to bypass this firewall?" set to "Yes".
Like this:
However, this results in the following error on Azure DevOps -> Pipelines -> Library:
The specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault. Click "Authorize" to enable Azure Pipelines to set these permissions or manage secret permissions in the Azure portal.
If we set "Allow access from: All networks" for the Azure Key Vault it works, as previously stated, but we would like to avoid this if possible.
Setting up an Azure Key Vault task in a pipeline, or setting up a variable group and then switching back to "Private endpoint and selected networks", results in a similar error on deploy:
MyKey: "Client address is not authorized and caller is not a trusted service.\r\nClient address: 111.222.333.44\r\nCaller: appid=;oid=00000000-0000-0000-0000-000000000000;iss=https://sts.windows.net//\r\nVault: My-Vault;location=northeurope. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal."
The client address is unfortunately new every time, as expected, but the oid and iss values are the same. According to the documentation, only IPv4 addresses or CIDR ranges can be added to the firewall. Is there any way to mark Azure agents as trusted Microsoft services, or is this a bad practice? It does seem way safer than "All networks" though.
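To make the firewall decision in the question concrete, here is a small added model (not Azure's code and not part of the original post) of the three Key Vault networking controls it mentions: the default action, the "trusted Microsoft services" bypass, and the IPv4/CIDR rule list. The vault settings, IP addresses and the `caller_is_trusted_service` flag are constructed assumptions; they reproduce why a Microsoft-hosted agent with a fresh public IP is rejected while the bypass still admits a genuine trusted service.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class KeyVaultNetworkAcls:
    """Simplified model of the Key Vault 'Networking' blade (assumption, not Azure's API)."""
    default_action: str = "Deny"           # "Allow" = All networks, "Deny" = selected networks
    bypass_azure_services: bool = True     # "Allow trusted Microsoft services to bypass this firewall?"
    ip_rules: list = field(default_factory=list)  # only IPv4 addresses or CIDR ranges can be added


def access_allowed(acls: KeyVaultNetworkAcls, client_ip: str,
                   caller_is_trusted_service: bool) -> bool:
    """Decide whether a data-plane call from client_ip passes the vault firewall.

    Mirrors the error text in the question: a caller is rejected when its address
    matches no rule AND it is not a trusted Microsoft service.
    """
    if acls.default_action == "Allow":          # "All networks": nothing else is checked
        return True
    if acls.bypass_azure_services and caller_is_trusted_service:
        return True
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:                       # IPv6 callers cannot match any rule
        return False
    for rule in acls.ip_rules:
        # strict=False tolerates host bits set in a CIDR rule, e.g. 198.51.100.7/24
        if addr in ipaddress.ip_network(rule, strict=False):
            return True
    return False


# Constructed sample: vault locked to selected networks, one office range allowed.
VAULT = KeyVaultNetworkAcls(default_action="Deny", bypass_azure_services=True,
                            ip_rules=["198.51.100.0/24"])


def hosted_agent_outcome(agent_ip: str) -> bool:
    """A Microsoft-hosted agent has a different public IP each run and, per the
    error in the question, is not treated as a trusted service."""
    return access_allowed(VAULT, agent_ip, caller_is_trusted_service=False)


if __name__ == "__main__":
    print("hosted agent from 203.0.113.44 allowed:", hosted_agent_outcome("203.0.113.44"))
    print("office client from 198.51.100.7 allowed:", hosted_agent_outcome("198.51.100.7"))
```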