Link secrets from an Azure Key Vault as variables

Reginald H Pearson (z) 0 Reputation points
2023-04-20T14:19:58.3033333+00:00

Can't access and link secrets from Azure Key Vault as variables when using the firewall setting "Allow public access through VNet and IP address". Any suggestions on how I can link them and pass the firewall?

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,150 questions

1 answer

  1. Alistair Ross 7,101 Reputation points Microsoft Employee
    2023-04-20T18:02:08.9033333+00:00

    Hello, based on the follow-up information I can see you are trying to set variables in the DevOps library, but restricting network access to the key vault is breaking connectivity. As Azure DevOps does not support private endpoints, you will need to configure the Key Vault network settings to allow the Azure DevOps IP address range for inbound connections. The list of IP ranges and their regions can be found here: https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops&tabs=IP-V4#inbound-connections. It must be noted that the IP address ranges are updated periodically.

    One method I did find is to run a pipeline which keeps this IP address range up to date on your behalf using the CLI. It can be found here on Stack Overflow https://stackoverflow.com/questions/61411653/azure-devops-pipelines-library-access-azure-key-vault-key-vault-not

    Write-Host "Retrieve IPs for <region>"
    # Service tags are listed per location; the tag that covers hosted agents is AzureCloud.<region>
    # (use the same region name, e.g. australiaeast, in both places below)
    $aeServiceTags = az network list-service-tags --location "<region>" | ConvertFrom-Json
    $aeRegion = $aeServiceTags.values | Where-Object { $_.name -eq 'AzureCloud.<region>' }
    $aeIps = $aeRegion.properties.addressPrefixes

    Write-Host "Filter by IPv4"
    # Keep only IPv4 CIDR prefixes; the service tag also lists IPv6 ranges
    $aeIps = $aeIps | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' }

    Write-Host "Adding the IP for the associated key vault"
    # --ip-address accepts a space-separated list, which PowerShell produces from the array
    az keyvault network-rule add --name "<key vault name>" --ip-address $aeIps


    At the end of the pipeline, delete the same IP to make sure it's updated

    Write-Host "Retrieve the current IP for this key vault"
    $buildIP = az keyvault network-rule list --name "<key vault name>" | ConvertFrom-Json

    Write-Host "Remove the current IP for the associated key vault"
    # Note: this removes every IP rule on the vault, not only the ones added above;
    # skip the call when there are no rules, otherwise az errors on an empty argument
    if ($buildIP.ipRules) {
        az keyvault network-rule remove --name "<key vault name>" --ip-address $buildIP.ipRules.value
    }


    I hope this helps, Alistair

    1 person found this answer helpful.
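Added example, not part of Alistair's answer or the Stack Overflow post it links: a PowerShell sync step that makes the Key Vault firewall match the IPv4 prefixes of the AzureCloud.<region> service tag, instead of adding every prefix and later clearing every rule on the vault. It assumes the az CLI is already signed in (for instance inside an AzureCLI@2 task running pwsh) with permission to change the vault's network rules; $VaultName, $Region and $KeepPrefixes are placeholder parameters you supply. Two caveats a reviewer of this approach would raise: the AzureCloud.<region> tag covers every public Azure address in that region, so the firewall then admits any tenant's workload hosted there and the vault's RBAC or access policies remain the real access control; and the tag can hold a large number of prefixes, so check the vault's documented IP-rule limit before adopting it.

```powershell
<#
  Added example (not the original answer's code): sync a Key Vault firewall
  with the IPv4 prefixes of the AzureCloud.<region> service tag.
  Assumes: az CLI signed in with rights to edit the vault's network rules.
  $VaultName, $Region and $KeepPrefixes are placeholders set by the caller.
#>
param(
    [Parameter(Mandatory)] [string]   $VaultName,
    [Parameter(Mandatory)] [string]   $Region,            # e.g. australiaeast
    [string[]]                        $KeepPrefixes = @()  # rules this script must never remove
)
$ErrorActionPreference = 'Stop'

# 1. Desired set: IPv4 CIDR prefixes of the regional AzureCloud service tag.
$tags = az network list-service-tags --location $Region | ConvertFrom-Json
$tag  = $tags.values | Where-Object name -eq "AzureCloud.$Region"
if (-not $tag) { throw "Service tag AzureCloud.$Region not found for location $Region" }
$desired = @($tag.properties.addressPrefixes |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' })

# 2. Current set: rules already on the vault. Key Vault stores single hosts
#    as a.b.c.d/32, so both sides are compared in CIDR form.
$rules   = az keyvault network-rule list --name $VaultName | ConvertFrom-Json
$current = @($rules.ipRules | ForEach-Object value)

# 3. Diff: add what is missing, remove only stale rules that are not protected.
$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired -and $_ -notin $KeepPrefixes })

Write-Host ("Desired {0}, current {1}: +{2} / -{3}" -f $desired.Count, $current.Count, $toAdd.Count, $toRemove.Count)

# --ip-address accepts a space-separated list; PowerShell expands the array into one argument each.
if ($toAdd.Count -gt 0) {
    az keyvault network-rule add --name $VaultName --ip-address $toAdd | Out-Null
}
if ($toRemove.Count -gt 0) {
    az keyvault network-rule remove --name $VaultName --ip-address $toRemove | Out-Null
}
```

Because the script only ever changes the difference between the two sets, it is safe to run on a schedule (the ranges change periodically, as the answer notes) and re-running it is a no-op when nothing has changed; rules you manage by hand go in $KeepPrefixes so a run never drops them.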