
TL;DR - My DevOps release pipeline keeps failing with 'does not have secrets list permission on key vault'

I am stumped with this one, and asking for help, please.

The Error

2023-06-07T07:12:53.7594988Z ##[error]Get secrets failed. Error: The user, group or application 'appid=***;oid=b5a[REDACTED];iss=https://sts.windows.net/292[REDACTED]/' does not have secrets list permission on key vault 'kv-d-chatgeni;location=australiasoutheast'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal..

Data

The service principal for DevOps is

| Object | Value |
|---|---|
| Application (client) ID | 14e[REDACTED] |
| Object ID | a7e[REDACTED] |
| Application (client) ID | 292[REDACTED] |

I noticed that the Object ID in Key Vault is b5a[REDACTED], but the same Application (client) ID.

I ran the following command on the Object ID reported

az role assignment create --role "Key Vault Secrets User" --assignee b5a[REDACTED] --scope /subscriptions/ade[REDACTED]

I even tried with the Application ID of the Service Principal, as I noticed that Access Policies use the Application ID

az role assignment create --role "Key Vault Secrets User" --assignee 14e[REDACTED] --scope /subscriptions/143[REDACTED]

My Tenant ID: 292[REDACTED]

TASK

steps:
- task: AzureKeyVault@2
  displayName: 'Azure Key Vault: kv-d-[REDACTED]'
  inputs:
    azureSubscription: 'app-[REDACTED]'
    KeyVaultName: 'kv-d-[REDACTED]'
    RunAsPreJob: true

Other

  1. I have given Contributor Role on subscription to b5a[REDACTED]
  2. My KeyVault is set to use RBAC
  3. I created another test KeyVault with Access Policies, and gave the object List, Get permissions. It worked fine in the build pipeline; unfortunately our production environment uses RBAC.

I am stumped. I have read tons of posts, many are Access Policy driven. The RBAC ones are vague and ambiguous.



1 Answer


When I used Vault access policy as the Access configuration without assigning a policy to the service principal, I got the same error while running the same DevOps task as you:

steps:
- task: AzureKeyVault@2
  displayName: 'Azure Key Vault: [REDACTED]'
  inputs:
    azureSubscription: '[REDACTED]'
    KeyVaultName: '[REDACTED]'
    RunAsPreJob: true

Response:

[screenshot]

If you are using RBAC as the Access configuration, you need to assign the proper role to the Azure DevOps service principal.

To assign a role to the service principal, you need to pass its objectID in the CLI command.

You can find the objectID of that service principal in Enterprise Applications of your tenant by searching with its name like below:

[screenshot]

I have a key vault named srikv07 with Access configuration set to RBAC like below:

[screenshot]

Now, I ran the following CLI command, including the objectID of the service principal, and assigned the Key Vault Secrets User role to it successfully like this:

az role assignment create --role "Key Vault Secrets User" --assignee 6431c433-d0a2-4662-a267-xxxxxxxx --scope /subscriptions/b83c1ed3-c5b6-44fb-b5ba-xxxxxxxx

Response:

[screenshot]

When I ran the same DevOps task as you with that service principal, I got the results successfully like below:

steps:
- task: AzureKeyVault@2
  displayName: 'Azure Key Vault: [REDACTED]'
  inputs:
    azureSubscription: '[REDACTED]'
    KeyVaultName: '[REDACTED]'
    RunAsPreJob: true

Response:

[screenshot]

In your case, make sure to pass the objectID of the service principal, which can be found in Enterprise Applications of your tenant.

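As an added example (not the question's or the answer's own commands), the script below does what the answer describes end to end with the Azure CLI: it resolves the service principal object ID (the `oid` the task error reports) from the application (client) ID, so the app registration's object ID is never used by mistake, then grants Key Vault Secrets User and verifies the assignment. It goes a step further than the answer by scoping the role to the vault itself rather than the whole subscription; `APP_ID`, `SUB_ID`, `RG` and `VAULT` are placeholders supplied by the caller, and an `az login` to the right tenant is assumed.

```shell
#!/bin/sh
# Added example, not from the question or answer: grant the Azure DevOps service
# connection's service principal "Key Vault Secrets User" on an RBAC vault.
# The role must target the SERVICE PRINCIPAL object ID (the 'oid' in the task
# error), not the app registration's object ID, which is a different object.
# Assumes 'az login' to the right tenant; APP_ID/SUB_ID/RG/VAULT are placeholders.
set -eu

# Vault-scoped assignment: least privilege, rather than the whole subscription.
kv_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' \
    "$1" "$2" "$3"
}

# Pull the oid=... value out of the AzureKeyVault@2 task error so it can be
# compared with the principal about to be granted.
oid_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*oid=\([^;]*\);.*/\1/p'
}

# Enterprise Application (service principal) object ID for an app (client) ID.
# Current Azure CLI exposes it as 'id' (older releases used 'objectId').
sp_object_id() {
  az ad sp show --id "$1" --query id -o tsv
}

# Create the assignment, pinning the principal type so the CLI does not guess.
grant_secrets_user() {
  az role assignment create --role "Key Vault Secrets User" \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --scope "$2" -o none
}

# Returns the number of matching assignments (expect 1 after a successful grant).
count_secrets_user() {
  az role assignment list --assignee "$1" --scope "$2" \
    --query "[?roleDefinitionName=='Key Vault Secrets User'] | length(@)" -o tsv
}

main() {
  oid=$(sp_object_id "$1")
  scope=$(kv_scope "$2" "$3" "$4")
  grant_secrets_user "$oid" "$scope"
  echo "Key Vault Secrets User assignments for $oid at $scope: $(count_secrets_user "$oid" "$scope")"
}

# Only touch Azure when the caller supplies the values; helpers stay usable without a login.
if [ -n "${APP_ID:-}" ] && [ -n "${SUB_ID:-}" ] && [ -n "${RG:-}" ] && [ -n "${VAULT:-}" ]; then
  main "$APP_ID" "$SUB_ID" "$RG" "$VAULT"
fi
```

Run it as `APP_ID=<client id> SUB_ID=<subscription> RG=<resource group> VAULT=<vault name> sh grant.sh`; if the `oid` extracted from the pipeline error by `oid_from_error` differs from what `sp_object_id` returns, the service connection is using a different identity than the one being granted.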

1 Comment

Thank you for taking the time to reply @Sridevi, much appreciated. I will try this out over the weekend.
