Cannot access vault with private link with 3.225.0 hosted agent

Gabor2, Victor-Vasile2 0 Reputation points
2024-06-19T09:31:02.54+00:00

Hi,

We are using Azure DevOps with a hosted agent to deploy one app. In the deployment process we are using some vault secrets. The vault uses a private endpoint.

When we run the pipeline from the hosted agent with version 3.240.1 we cannot access the vault. We get:

ClientID: "Public network access is disabled and request is not from a trusted service nor via an approved private link.\r\nCaller: appid=***;oid=5a3a.....908f73;iss=https://sts.windows.net/36da4.....99921/\r\nVault: kv-qrm-02;location=westeurope. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal."

Authority: "Public network access is disabled and request is not from a trusted service nor via an approved private link.\r\nCaller: appid=***;oid=5a3a.....908f73;iss=https://sts.windows.net/36da4.....99921/\r\nVault: kv-qrm-02;location=westeurope. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal."

Scope: "Public network access is disabled and request is not from a trusted service nor via an approved private link.\r\nCaller: appid=***;oid=5a3a.....908f73;iss=https://sts.windows.net/36da4.....99921/\r\nVault: kv-qrm-02;location=westeurope. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal."

ApiEndPoint: "Public network access is disabled and request is not from a trusted service nor via an approved private link.\r\nCaller: appid=***;oid=5a3a.....908f73;iss=https://sts.windows.net/36da4.....99921/\r\nVault: kv-qrm-02;location=westeurope. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal."

Uploading D:\myagent_225\_work\1\ProvisionKeyVaultPermissions.ps1 as attachment

However, on the 3.225.0 agent it works without any pipeline change.

We are using the same Azure DevOps agent all the time; the agents are installed on the same partition. What can cause this issue?

Thanks,

Victor


1 answer

  1. ManoharLakkoju 615 Reputation points Microsoft Vendor
    2024-06-19T10:02:34.5966667+00:00

    @Gabor2, Victor-Vasile2

    Welcome to the Microsoft Q&A platform, and thanks for posting your query here. Azure DevOps related queries/issues are currently not supported on this Microsoft Q&A platform.

    I would request that you please post your queries in the dedicated forums at the links below:

    https://developercommunity.visualstudio.com/spaces/21/index.html

    https://developercommunity.visualstudio.com/t/get-unique-id-from-devops-organization/756710

    https://stackoverflow.com/questions/tagged/azure-devops
