
I have an Azure DevOps project and am trying to connect to Azure Key Vault using a service principal.

I have added the service principal to the Azure Key Vault's access policy with the secret permissions 'Get' and 'List'.

But when I add a Library variable group, I get this error message asking for what I have already done.

Not sure if I am missing anything in the setup.

Specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault. Set these secret permissions in Azure portal or run the following commands in powershell window.

    $ErrorActionPreference="Stop";
    Login-AzureRmAccount -SubscriptionId XXXXXXXXXXXXXXXX;
    $spn=(Get-AzureRmADServicePrincipal -SPN YYYYYYYYYYYYYYYYYYYYYY);
    $spnObjectId=$spn.Id;
    Set-AzureRmKeyVaultAccessPolicy -VaultName keyvault -ObjectId $spnObjectId -PermissionsToSecrets get,list;
Rasmi

2 Answers


I guess it's the DevOps service connection that's missing the permissions. You can check the access policies for the vault from the console.

You should see your service connection as an APPLICATION; it needs the GET and LIST privileges, as the document you're following says. You can set them by navigating to Access policies under the key vault.

Sajeetharan

Make sure the principal you select in the access policies of the key vault is the same as the one you use when you create the service connection on Azure DevOps. Make sure the name and the ID are the same.

If two or more principals have similar or almost identical names, you might confuse them. You may then select one principal when you set the access policies of the key vault, but another when you create the service connection on Azure DevOps.

On Azure Portal, you can navigate to Azure Active Directory > App registrations and check whether there are principals with the same prefix but different suffixes in their names.


On this page, find and click the principal you want to use, and copy its "Application (client) ID".

Then go to the access policies of the key vault; when adding a principal, search for the one you want to use via the "Application (client) ID" you copied.

When creating the service connection on Azure DevOps, paste the "Application (client) ID" you copied above into the Service Principal Id field.

In this way you can make sure the principal is consistent.

[UPDATE]

Please try the steps below:

  1. In PowerShell on your local machine, follow the article "Create an Azure service principal with Azure PowerShell" to create a service principal in the specified tenant on your portal.

  2. On Azure Portal, find the service principal you created above and copy its Application (client) ID and client secret (if there is none, create one).

  3. Go to the access policies of the key vault, search for and add the service principal you created above via its Application (client) ID, and make sure you have granted it the "Get" and "List" permissions.

  4. On Azure DevOps, create an Azure Resource Manager service connection and select the "Service principal (manual)" method. Make sure the Service Principal Id is the same as the Application (client) ID of the service principal you created above, and that the service principal key exists on this service principal.

Bright Ran-MSFT
  • @Rasmi, How are things going? Have you tried my suggestion above? Is it helpful to you? Please try it, and if there is any progress, feel free to tell me. – Bright Ran-MSFT Dec 07 '20 at 08:22
  • I tried all of them but they did not work for me – Rasmi Dec 07 '20 at 18:25
  • @Rasmi, I have updated my answer above with more suggestions; please check it and have a try. If there is any progress, feel free to tell me. – Bright Ran-MSFT Dec 08 '20 at 09:15
  • The issue was that my Key Vault was behind a firewall, and the only workaround available is at this link: https://github.com/MicrosoftDocs/azure-docs/issues/38914 – Rasmi Dec 09 '20 at 00:45
  • @Rasmi, Glad that you have solved the problem. If possible, could you please post an answer to share a summary of the reason for this problem and how you solved it? This may help more people who have similar problems when they are looking for an answer. Thanks. – Bright Ran-MSFT Dec 24 '20 at 06:37
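The procedure from the updated answer (look the principal up by the same Application (client) ID that goes into the Azure DevOps service connection, grant it Get and List on secrets) together with the firewall finding from the comments, as an added PowerShell example that is not part of the original question or answers. It uses the current Az module rather than the deprecated AzureRm cmdlets quoted in the error message; the subscription ID, vault name and client ID are placeholders that you replace with your own.

```powershell
# Added example, not code from the original post. Requires the Az module
# (Az.Accounts, Az.Resources, Az.KeyVault). The three values below are placeholders.
$ErrorActionPreference = 'Stop'
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$VaultName      = 'my-keyvault'                            # placeholder
$AppId          = '11111111-1111-1111-1111-111111111111'   # "Application (client) ID", placeholder

Connect-AzAccount -SubscriptionId $SubscriptionId | Out-Null

# Resolve the principal by its client ID, never by display name: two app
# registrations with near-identical names is exactly the mix-up described above.
$spn = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $spn) { throw "No service principal found for application ID $AppId" }

# Access policies are keyed on the principal's object ID, not on the client ID
# that is pasted into the Azure DevOps service connection.
$objectId = $spn.Id
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $objectId -PermissionsToSecrets get,list

# Re-read the vault and check the policy that was actually stored, rather than
# trusting that the call above did what was intended.
$vault  = Get-AzKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $objectId }
if (-not $policy) { throw "No access policy entry found for object ID $objectId" }

$missing = @('get', 'list') | Where-Object { $policy.PermissionsToSecrets -notcontains $_ }
if ($missing) { throw "Access policy is missing secret permissions: $($missing -join ', ')" }
Write-Host "OK: $($spn.DisplayName) ($AppId) has get,list on secrets in $VaultName"

# Correct permissions are not enough if the vault firewall rejects the caller.
# Azure DevOps connects to the vault from outside your network, so a 'Deny'
# default action can still produce the error from the question.
$acl = $vault.NetworkAcls
if ($acl -and $acl.DefaultAction -eq 'Deny') {
    Write-Warning "Vault firewall default action is Deny; Azure DevOps must be allowed through (see the linked GitHub issue)."
}
```

Run this with the identity that owns the vault (Set-AzKeyVaultAccessPolicy needs write access to the vault resource). The script throws rather than prints when the stored policy does not contain both permissions, so it doubles as a pre-check before linking the variable group in Azure DevOps.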