How to make an integration between azure pipeline and azure key vault?

Question

How to make an integration between azure pipeline and azure key vault?

NSRD (Simon Prisholm Skrøder) 0

I get this error when I try to make a integration between a pipeline and azure key vault:

Failed to create an app in azure active directory. error: insufficient privileges to complete the operation in Microsoft graph ensure that the user has permissions to create an azure active directory application.

What should I do?

Luis Arias 8,621 Reputation points Volunteer Moderator

2023-11-16T10:36:23.49+00:00
Hi Simon, Can you elaborate more context? like:

Which kind of integration are you doing? query secret from keyvault, create keyvault vaults, secret and keys? https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-key-vault?view=azure-devops&tabs=yaml

Are you using a service principal or did you create the service connection with your user from azure devops project configuration?

Do you need to use the secret / key read from key vault in another step in azure devops?.

Cheers, Luis
NSRD (Simon Prisholm Skrøder) 0 Reputation points

2023-11-16T10:59:38.2833333+00:00

Hi Luis, thanks for your answer!

I need to use the secret from key vault in a script that is currently storing the secret inside the code. But it looks like I do not have the permissions to do that.

Hope you are able to help!
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-12-07T15:43:23.8733333+00:00

@NSRD (Simon Prisholm Skrøder)

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
NSRD (Simon Prisholm Skrøder) 0 Reputation points

2023-12-12T08:45:05.1533333+00:00

No, Unfortunately we are still struggling to figure it out.

1 answer

Your answer

Luis Arias 8,621 Reputation points Volunteer Moderator

2023-11-16T10:36:23.49+00:00

Hi Simon, Can you elaborate more context? like:

Which kind of integration are you doing? query secret from keyvault, create keyvault vaults, secret and keys? https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-key-vault?view=azure-devops&tabs=yaml

Are you using a service principal or did you create the service connection with your user from azure devops project configuration?

Do you need to use the secret / key read from key vault in another step in azure devops?.

Cheers, Luis
NSRD (Simon Prisholm Skrøder) 0 Reputation points

2023-11-16T10:59:38.2833333+00:00

Hi Luis, thanks for your answer!

I need to use the secret from key vault in a script that is currently storing the secret inside the code. But it looks like I do not have the permissions to do that.

Hope you are able to help!
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-12-07T15:43:23.8733333+00:00

@NSRD (Simon Prisholm Skrøder)

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
NSRD (Simon Prisholm Skrøder) 0 Reputation points

2023-12-12T08:45:05.1533333+00:00

No, Unfortunately we are still struggling to figure it out.

Answer 1

Luis Arias 8,621 Volunteer Moderator

Hi Simon,

You can test your access to the secret by az cli before use in pipeline :
Using a personal account:

az keyvault secret show --name "<Your Secret Name>" --vault-name "<Your Key Vault Name>" --query value --output tsv

Using Service principal:

#Login with your Service principal
az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>

az keyvault secret show --name "<Your Secret Name>" --vault-name "<Your Key Vault Name>" --query value --output tsv

Let me know your output. if there is a problem with rbac permission you can add your user to Key Vault Administrator role , Please note that the Key Vault Administrator role only works for key vaults that use the ‘Azure role-based access control’ permission model.

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

Cheers,

Luis

Luis Arias 8,621 Reputation points Volunteer Moderator

2023-11-21T11:32:56.51+00:00

Hi @NSRD (Simon Prisholm Skrøder), Let me know if the answer help you or if you need more help.

Thanks Luis
NSRD (Simon Prisholm Skrøder) 0 Reputation points

2023-11-28T09:40:03.7566667+00:00

Thanks for the answer Louis!
I am not able to see the service principal ID.. Do you know how I can find that? I am not able to see it in service connections in Azure DevOps
Luis Arias 8,621 Reputation points Volunteer Moderator

2023-11-28T10:04:46.7466667+00:00

Hi Simon, you can see your service principal configuration in your azure devops project going to Project settings > Service connections > Select the service connection that you want to edit > In the Overview tab click on Manage Service Principal

You will be redirect to azure portal with the service principal object and you can see all information there. Let me know if it's working for you.
NSRD (Simon Prisholm Skrøder) 0 Reputation points

2023-11-28T11:23:39.57+00:00

Hi Luis!
I am not able to click on Manage Service Principal

It is like the URL does not work..

Thanks,
Simon

Luis Arias 8,621 Volunteer Moderator

Hi Simon , that's because you probably doesn't have permission to read object on you Entra ID(Azure AD). A tip&trick workaround is using a pipeline with a task to print the information that you are looking for:

- task: AzureCLI@2
  continueOnError: true
  inputs:
    azureSubscription: <Your service Connection>
    scriptType: pscore
    addSpnToEnvironment: true
    scriptLocation: inlineScript
    inlineScript: |
      az account show
      az ad sp show --id $env:servicePrincipalId
      Write-Host "<============ DEBUG SERVICE PRINCIPAL ID - 2 Pieces ===============>"
      Write-Host "$($env:servicePrincipalId.Substring(0,$env:servicePrincipalId.Length/2))"
      Write-Host "$($env:servicePrincipalId.Substring($env:servicePrincipalId.Length/2))"

This will show you at least the Name and ID. Cheers Luis

NSRD (Simon Prisholm Skrøder) 0 Reputation points

2023-11-28T13:38:20.1633333+00:00

Thanks again,

Then I get this error: __
There was a resource authorization issue:__ "The pipeline is not valid. Job Job: Step AzureCLI input connectedServiceNameARM references service connection could not be found"..
Luis Arias 8,621 Reputation points Volunteer Moderator

2023-11-28T13:52:26.1433333+00:00

Hi Simon, try to use an existing pipeline with permission over this service connection (You can create another branch to not impact your current work), verify that the service connection name is the right one.
NSRD (Simon Prisholm Skrøder) 0 Reputation points

2023-11-28T13:55:33.94+00:00

Hi again,

But I think the whole issue stems from not having permission over this service connection.. And we do not know how to get it ..
Luis Arias 8,621 Reputation points Volunteer Moderator

2023-11-28T13:57:42.1033333+00:00

Hi Simon, In that case you definitely need to request the permission from your Azure devops administrator.
NSRD (Simon Prisholm Skrøder) 0 Reputation points

2023-11-28T14:00:31.8366667+00:00

The administrator does not have the access to create the service connection as well..
Luis Arias 8,621 Reputation points Volunteer Moderator

2023-11-28T14:08:53.9666667+00:00
This kind of configuration required administrative privileged let me share you some additional information to manage and create service connections on Azure DevOps:

Service connections in Azure Pipelines: This link provides a comprehensive guide on how to manage service connections in Azure Pipelines. It includes information on prerequisites, how to create, edit, and secure a service connection.

Connect to Microsoft Azure with an ARM service connection: This link provides detailed steps on how to connect to Microsoft Azure with an Azure Resource Manager (ARM) service connection.

Creating an Azure Service Principal for use with an Azure Resource: This link provides steps on how to create an Azure Service Principal for use with an Azure Resource.

Troubleshoot Azure RM service connection issues: This link provides troubleshooting steps for Azure Resource Manager service connection issues.

Create a service connection and build and publish Docker images to Azure Container Registry: This link provides steps on how to create a service connection and build and publish Docker images to Azure Container Registry.

How to automatically create a service connection in azure devops: This link provides information on how to automatically create a service connection using the az cli and the az devops service-endpoint command.

How to create a service connection for Azure in Azure Devops: This link provides steps on how to create a service connection for Azure in Azure DevOps.

Finally if there is nobody with the required permission you can create a support ticket following these steps:

Visit the Microsoft Azure Support Ticket

Follow the instructions to create and manage support requests for Azure DevOps Services
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-11-28T21:23:49.8266667+00:00

Hello @NSRD (Simon Prisholm Skrøder) , can you share full error details? Also, what Entra ID and Azure DevOps roles or groups does you user belong to?

Share via

How to make an integration between azure pipeline and azure key vault?

1 answer

Your answer