![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 60%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERH%3C/text%3E%3C/svg%3E)
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,411 questions
Hello
Based on the follow up information I can see you are trying to set variables in the DevOps library, but restrict network access to the key vault which is breaking connectivity.
As Azure DevOps does not support private endpoints, you will need to configure the Key vault network settings to allow the Azure DevOps IP Address range for inbound connections. The list of IP ranges and their regions can be found here https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops&tabs=IP-V4#inbound-connections. It must be noted that the IP address ranges are update periodically.
One method I did find is to run a pipeline which keeps this IP address range up to date on your behalf using the CLI. It can be found here on Stack Overflow https://stackoverflow.com/questions/61411653/azure-devops-pipelines-library-access-azure-key-vault-key-vault-not
Write-Host "Retrieve IPs for <region>"
$aeServiceTags = az network list-service-tags --location australiaeast | ConvertFrom-Json
$aeRegion = $aeServiceTags.Values | Where-Object {$_.name -eq 'AzureCloud.<add the region name>'}
$aeIps = $aeRegion.Properties.AddressPrefixes
Write-Host "Filter by IPv4"
$aeIps = $aeIps | ? { $_ -match '([0-9]*[0-9]*[0-9]*)[.]([0-9]*[0-9]*[0-9]*)[.]([0-9]*[0-9]*[0-9]*)[.]([0-9]*[0-9]*[0-9]*)[/][0-9]+' }
Write-Host "Adding the IP for the associated key vault"
az keyvault network-rule add --name "<key vault name>" --ip-address $aeIps
At the end of the pipeline, delete the same IP to make sure it's updated
Write-Host "Retrieve the current IP for this key vault"
$buildIP = az keyvault network-rule list --name "<key vault name>" | ConvertFrom-Json
Write-Host "Remove the current IP for the associated key vault"
az keyvault network-rule remove --name "<key vault name>" --ip-address $buildIP.ipRules.value
I hope this helps Alistair
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 30%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERH%3C/text%3E%3C/svg%3E)