
I made the Key Vault private in the Networking blade in Key Vault.

So when I tried to execute the release pipeline, it is showing an error like Error Mail.

What will be the solution for this problem? How can we access the Key Vault secrets if we made it private?

  • Hi Sumanth Reddy; can I suggest an Edit? If you describe your question entirely in text – e.g. by copying and pasting the error details instead of taking a screenshot – it will make it more readable, more indexable, etc. – Vince Bowdren Feb 17 '23 at 17:17


I have tried to repro the same using the below steps and got positive results.

Step 1: Create an Azure Key Vault and change the network settings to "Allow public access from specific virtual networks and IP addresses".


Step 2: Identify the region of your organization in your ADO organization settings as shown below.


When running the pipelines, if you choose the Azure-hosted agent, it will pick the agents from the location where the organization was hosted. In my case, it is Central US.

So, to establish the connectivity between the Azure key vault and ADO agents we must whitelist all the IP addresses of those agents in the Central US in the networking tab of the Azure key vault.

Kindly go through this link for detailed steps to help in identifying IP addresses.

You can download a JSON file from this link which contains the IP addresses of the Azure-hosted agents to be added in the Azure Key Vault.


Step 3: Add the Azure key vault task and run the pipeline to see the result.


kavyaS
RohitVarun
  • Hi RohitVarun/kavyaS, I think the IPs will change weekly; how can we overcome this? Also, we have so many IP addresses in that file, and in the networking section we have a limit for adding IPs. Have you gone through any of these issues? – Sumanth Reddy Feb 13 '23 at 04:37
  • ("So, to establish the connectivity between the Azure key vault and ADO agents we must whitelist all the IP addresses of those agents in the Central US in the networking tab of the Azure key vault.") Whitelist all IPs means what? There are names like 'azurekeyvault', 'AzureOpenDatasets', 'AzurePortal', etc. in the IP address ranges file downloaded from the Microsoft site; which IPs need to be whitelisted under which names? Please help me with this issue. – Sumanth Reddy Feb 13 '23 at 11:06

I am adding this answer as per your last comment. Do let me know if it works or I will remove it.    

Yes, the IP addresses will change weekly, as per this Microsoft documentation: Microsoft-hosted agents for Azure Pipelines - Azure Pipelines | Microsoft Learn. So, it is recommended to check frequently, at least once a week. If your ADO pipeline fails in the key-vault step, the first action is to verify the whitelisted IP addresses against the newly published weekly JSON file (which contains the IP addresses). I didn't find any issues while adding IPs in the key vault.

(For the second comment:)

Step 1: Download and open the file in notepad or any other text editor.

Step 2: Hit ctrl+f and enter the ADO organization location as the search input. In my case, it is Central US.

Add only IPv4 addresses, as the key vault is not accepting IPv6 addresses today.

Note: As per the Microsoft documentation, we must add all the IPs of the machines in the geography where the DevOps organization was hosted. Please see the below screenshot. But for me it is working also if I add only the regional addresses.


Sourav
  • Yes, I understand now that we need to add AzureCloud.OurRegion, but having nearly 550 IP ranges in my region, do we need to add all 550 IP addresses in our Key Vault? Or is there any alternate solution? There are 550+ IP ranges in East US2 alone. – Sumanth Reddy Feb 14 '23 at 10:28
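As an added example (not code from either answer), a small Python script that automates the weekly check the second answer describes: it parses a constructed excerpt laid out like the published service-tag JSON, keeps only the IPv4 prefixes of the AzureCloud.<region> tag, and reports which prefixes to add to or remove from the vault's current agent rules. The JSON layout and the `AzureCloud.<region>` tag name are assumptions about the Microsoft file; the prefixes are constructed documentation ranges, not real Azure addresses.

```python
import ipaddress
import json

# Constructed excerpt in the layout of the weekly "Azure IP Ranges and
# Service Tags" JSON (assumed layout). Prefixes are RFC 5737/3849
# documentation ranges, not real Azure agent addresses.
SERVICE_TAGS_JSON = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.centralus",
         "properties": {"region": "centralus", "addressPrefixes": [
             "203.0.113.0/24", "198.51.100.0/25", "2001:db8:10::/48"]}},
        {"name": "AzureCloud.eastus2",
         "properties": {"region": "eastus2", "addressPrefixes": [
             "192.0.2.0/24", "2001:db8:20::/48"]}},
        {"name": "AzureKeyVault",
         "properties": {"region": "", "addressPrefixes": ["192.0.2.128/25"]}},
    ],
})


def agent_ipv4_prefixes(service_tags_json: str, region: str) -> set[str]:
    """Return only the IPv4 prefixes of the AzureCloud.<region> tag.

    The answer notes that Key Vault firewall rules accept IPv4 only, so
    IPv6 entries are dropped. Other tags in the file (AzureKeyVault,
    AzurePortal, ...) describe Azure services, not agent egress, and
    are ignored.
    """
    data = json.loads(service_tags_json)
    wanted = f"AzureCloud.{region}".lower()
    prefixes = set()
    for tag in data["values"]:
        if tag["name"].lower() != wanted:
            continue
        for cidr in tag["properties"]["addressPrefixes"]:
            if ipaddress.ip_network(cidr, strict=False).version == 4:
                prefixes.add(cidr)
    return prefixes


def weekly_diff(current_rules: set[str], published: set[str]) -> tuple[set[str], set[str]]:
    """Compare the vault's agent IP rules with the latest published set.

    Returns (to_add, to_remove). Pass only the rules you manage for the
    agents, so rules added for other reasons are never flagged as stale.
    """
    return published - current_rules, current_rules - published


if __name__ == "__main__":
    wanted = agent_ipv4_prefixes(SERVICE_TAGS_JSON, "centralus")
    add, drop = weekly_diff({"203.0.113.0/24", "10.0.0.0/8"}, wanted)
    print("add:", sorted(add), "remove:", sorted(drop))
```

Re-run it against each new weekly file; a non-empty result is the signal to update the vault's rules before the pipeline's Key Vault step fails.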