
In my devops pipeline, I have this task:

- task: AzureKeyVault@2
  displayName: 'Fetch secrets from KeyVault used in Deploy stage'
  inputs:
    azureSubscription: '$(AzureServiceConnectionName)'
    KeyVaultName: '$(AzureKeyVaultName)'
    SecretsFilter: '*'  # Fetch all secrets
    RunAsPreJob: true
# Note: all the variables above are correctly resolving.

RunAsPreJob is set to `true` because I want to be able to use some secrets as variables in a few tasks after this one (but inside the same job, of course).

The problem is that when it tries to run as a pre-job, it throws the error:

Pre-job: Fetch secrets from KeyVault used in Deploy stage


Starting: Fetch secrets from KeyVault used in Deploy stage
==============================================================================
Task         : Azure Key Vault
Description  : Download Azure Key Vault secrets
Version      : 2.249.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-key-vault
==============================================================================
SubscriptionId: <not-the-actual-value>.
Key vault name: <not-the-actual-value>.
Downloading secrets using: https://<not-the-actual-value>.vault.azure.net/secrets?maxresults=25&api-version=2016-10-01.
##[error]Get secrets failed. Error: Client address is not authorized and caller is not a trusted service.
Client address: <not-the-actual-value>
Caller: appid=***;oid=<not-the-actual-value>;iss=https://sts.windows.net/<not-the-actual-value>/
Vault: <not-the-actual-value>;location=westeurope. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal..
Uploading /home/vsts/work/1/ProvisionKeyVaultPermissions.ps1 as attachment
Finishing: Fetch secrets from KeyVault used in Deploy stage

I have successfully run that script, which added this to the key vault's access policies: [screenshot of the added access policy]

Then I re-ran the pipeline, but the error still remains... I also added this access policy manually to the key vault and re-ran the pipeline, to no avail...

Additionally, attempting a workaround, I tried adding a variable group linked to the key vault: [screenshot of the variable group] as you can see, with no success...

I am a bit lost by now and without any more clues as to what the problem might be.

Note: I have run this keyvault task with RunAsPreJob: false in the past and it went ok.

  • This might help: learn.microsoft.com/en-us/azure/devops/pipelines/release/… (Commented Feb 11 at 19:49)
  • Hi, as you said, when you run the keyvault task with RunAsPreJob: false it went ok. Can you please enable the variable "system.debug" (set the value to "true") in your pipeline, then trigger new runs and share the detailed logs of both the successful run and the failed run? This helps to narrow down the issue. (Commented Feb 12 at 7:08)
  • The error "Client address is not authorized and caller is not a trusted service" is the same as in this question. Please check whether you have set the firewalls and virtual networks setting. If you are using a self-hosted agent and have enabled that setting, you can add the client IP of your agent to your Azure key vault. (Commented Feb 12 at 8:12)

2 Answers


Ultimately, what solves this permissions error is what was said in the comments: the IP of the agent has to be added to the key vault's firewall. So I added it, fetched the secrets and afterwards removed the IP, like this:

- task: AzureCLI@2
  displayName: 'Allow agent IP'
  inputs:
    azureSubscription: '$(AzureServiceConnectionName)'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # Get the agent's public IP (-r prints the raw string without JSON quotes)
      ip=$(curl -s https://ipinfo.io/json | jq -r '.ip')

      # Add the IP to the Key Vault network rule
      az keyvault network-rule add \
        --name "$(AzureKeyVaultName)" \
        --resource-group "$(AzureResourceGroupName)" \
        --ip-address "$ip"

      # Set the IP as a pipeline variable so the removal step can use it
      echo "##vso[task.setvariable variable=agentIP]$ip"

- task: AzureKeyVault@2
  displayName: 'Fetch secrets from Azure KeyVault'
  inputs:
    azureSubscription: '$(AzureServiceConnectionName)'
    KeyVaultName: '$(AzureKeyVaultName)'
    SecretsFilter: '*'  # Fetch all secrets
    RunAsPreJob: false

- task: AzureCLI@2
  displayName: 'Remove agent IP from KeyVault Firewall'
  inputs:
    azureSubscription: '$(AzureServiceConnectionName)'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # Take the temporary firewall exception back out
      az keyvault network-rule remove \
        --name "$(AzureKeyVaultName)" \
        --resource-group "$(AzureResourceGroupName)" \
        --ip-address "$(agentIP)"

Unfortunately, I couldn't make this work with RunAsPreJob: true like I intended at first... so I had to run the task with RunAsPreJob: false. This meant that I had to put all of the subsequent tasks that needed to access any key vault variables in the same job.
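A hardened variant of the add/fetch/remove sequence above, added here as an example and not taken from the answer: the removal step carries a `condition` built on `always()` so the agent IP is taken back out of the Key Vault firewall even when the secret fetch or a consuming step fails or the run is cancelled, and it is skipped only when no IP was ever recorded. Variable names are the ones used in the question; the `ipinfo.io` lookup is the same one the answer uses.

```yaml
steps:
  - task: AzureCLI@2
    displayName: 'Allow agent IP in Key Vault firewall'
    inputs:
      azureSubscription: '$(AzureServiceConnectionName)'
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        set -euo pipefail
        # Public IP of this agent; -r strips the JSON quotes, -f fails on HTTP errors
        ip=$(curl -sf https://ipinfo.io/json | jq -r '.ip')
        az keyvault network-rule add \
          --name "$(AzureKeyVaultName)" \
          --resource-group "$(AzureResourceGroupName)" \
          --ip-address "$ip"
        # Hand the IP to the removal step at the end of the job
        echo "##vso[task.setvariable variable=agentIP]$ip"

  - task: AzureKeyVault@2
    displayName: 'Fetch secrets from Azure Key Vault'
    inputs:
      azureSubscription: '$(AzureServiceConnectionName)'
      KeyVaultName: '$(AzureKeyVaultName)'
      SecretsFilter: '*'
      RunAsPreJob: false

  # ... steps that consume the fetched secrets go here, in the same job ...

  - task: AzureCLI@2
    displayName: 'Remove agent IP from Key Vault firewall'
    # always(): run even if an earlier step failed or the run was cancelled,
    # so the firewall exception never outlives the job. The ne() guard skips
    # the step when the first task never got as far as recording an IP.
    condition: and(always(), ne(variables['agentIP'], ''))
    inputs:
      azureSubscription: '$(AzureServiceConnectionName)'
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        set -euo pipefail
        az keyvault network-rule remove \
          --name "$(AzureKeyVaultName)" \
          --resource-group "$(AzureResourceGroupName)" \
          --ip-address "$(agentIP)"
```

The window during which the hosted agent's address is allowed through the firewall is then bounded by the job, whatever happens in between.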


In the DevOps portal (or any) --> Libraries --> Variable group --> Azure sub and Key Vault name (we get the error)

--> Project settings --> Service connection --> visualstudio (click) --> manage ID reg (small blue) --> copy the ID

In Key Vault --> IAM access, give access (Get, List) --> error will be resolved --> in DevOps add the variable groups
