0
votes

I have an Azure DevOps pipeline variable group which cannot list the Key Vault. However, the pipeline can set secrets. What could be wrong?

NOT FINDING KEY VAULT AT ALL:

- Create Variable Group in Library of Azure DevOps
- Select Service Principal as Subscription
- No Key vault instance is listed in drop down

KEY VAULT ACCESS POLICY

- Application: Service Principal
- Key Permission: List
- Secret Permission: Get, List, Set

WORKING CODE IN PIPELINE:

    # Current connection string of the storage account (Azure CLI, tab-separated output)
    $ConnectionString = az storage account show-connection-string -g $(resource-group) -n sa$(project-name)$(environment) -o "tsv"
    # Value currently stored in Key Vault under the same secret name
    $CurrentConnectionString = az keyvault secret show --name StorageAccountConnectionString --vault-name $(key-vault-name) --query value -o "tsv"
    if (!($ConnectionString -eq $CurrentConnectionString)) {
        # Only write to Key Vault when the value has actually changed
        az keyvault secret set -n StorageAccountConnectionString --vault-name $(key-vault-name) --value $ConnectionString -o none
    }
    else {
        Write-Host "Secret already in key vault!"
    }
1
I shared some troubleshooting methods in the answer; you can refer to it. If it doesn't work, you may check if there are any error messages on the UI page and share the service connection method (auto / manual). - Kevin Lu-MSFT

1 Answer

1
votes

As far as I know, if you have set the Secret Permission: Get, List for the Service Principal, it could have access to use the Azure Key Vault in Azure DevOps.

Since you couldn't see the Key Vault name in the drop-down list, you could try to check the Azure Service connection.

If you are using Service principal (manual) to create the service connection, you need to make sure that the Service Principal is under the correct Azure Subscription.


On the other hand, you could create a new Service Principal with the following Azure PowerShell script.

    az account set --subscription <Azure-SubscriptionId>

    az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID"

Then you could set the Key Vault permission for the new Service Principal and use it in the Azure DevOps service connection.

You could also try to use the Service principal (automatic) Azure DevOps service connection and check if it can see the Key Vault.

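The two checks this answer suggests (is the vault in the subscription the service connection targets, and does the service principal's access policy grant Get and List on secrets) can be scripted against the JSON that `az keyvault show` and `az account show` emit. The example below is added here and is not code from the question or the answer; the JSON documents are constructed samples whose field names follow the Azure CLI output, the ids are made up, and the service principal is matched by its object id as it appears in the vault's access policies (this covers the access-policy permission model the question uses, not vaults switched to Azure RBAC).

```python
import json

# Constructed sample of `az keyvault show -n kv-demo -o json` (trimmed to the
# fields this check needs); the ids are placeholders, not real resources.
VAULT_JSON = '''{
  "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo",
  "name": "kv-demo",
  "properties": {
    "accessPolicies": [
      {"objectId": "aaaaaaaa-0000-0000-0000-000000000001",
       "permissions": {"keys": ["list"], "secrets": ["get", "list", "set"]}}
    ]
  }
}'''
# Constructed sample of `az account show -o json` as seen by the service
# connection's principal: note it points at a different subscription.
ACCOUNT_JSON = '{"id": "22222222-2222-2222-2222-222222222222", "name": "Other Sub"}'

REQUIRED_SECRET_PERMS = {"get", "list"}

def vault_subscription(vault):
    """Subscription id embedded in the vault's ARM resource id."""
    parts = vault["id"].split("/")
    return parts[parts.index("subscriptions") + 1]

def secret_permissions(vault, object_id):
    """Secret permissions the vault's access policies grant to one principal (lower-cased)."""
    for policy in vault["properties"]["accessPolicies"]:
        if policy["objectId"].lower() == object_id.lower():
            return {p.lower() for p in policy["permissions"].get("secrets", [])}
    return set()

def diagnose(vault_json, account_json, sp_object_id):
    """Return findings explaining why a variable group may fail to list this vault."""
    vault = json.loads(vault_json)
    account = json.loads(account_json)
    findings = []
    vault_sub = vault_subscription(vault)
    if vault_sub.lower() != account["id"].lower():
        findings.append(f"vault {vault['name']} is in subscription {vault_sub}, "
                        f"but the service connection targets {account['id']}")
    missing = REQUIRED_SECRET_PERMS - secret_permissions(vault, sp_object_id)
    if missing:
        findings.append(f"service principal lacks secret permissions: {sorted(missing)}")
    return findings

if __name__ == "__main__":
    for line in diagnose(VAULT_JSON, ACCOUNT_JSON, "aaaaaaaa-0000-0000-0000-000000000001") or ["no problems found"]:
        print(line)
```

Feed it the real output of the two `az` commands (run under the service connection's principal) to see which of the two conditions applies.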