How do I set permissions on Azure Key Vault for an Azure DevOps variable group to recognise them?

Russell Seymour 0 Reputation points
2024-07-05T11:24:05.58+00:00

I am trying to configure a variable group in Azure DevOps that uses an Azure Key Vault to store values we need in pipelines.

I have created a service connection to the subscription, using both a manual Service Principal and an automatic federated connection. When I save the Service Connection it verifies that the connection is successful.

When I go to create the variable group and use either service connection, I get a list of the key vaults it can see. However, when I select one of them it tells me that I do not have Get, List as permissions for the SP that I am using. However, this is not the case, as the following screenshots show.

User's image

User's image

But the variable group still does not have permissions, and I cannot Save it to see if it would work after the fact.

User's image

I looked at trying to create this at the command line, but it appears that I am not able to create a variable group backed by an Azure KV using the command line.

Has anyone seen this before and if so did you fix it?

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

1 answer

  1. Russell Seymour 0 Reputation points
    2024-07-05T14:53:33.0433333+00:00

    Hello
    I have fixed this now.

    I was talking to a colleague and he suggested that it might be because the KV was empty, rubbish if this was the case, but it was worth a try.

    I then needed to add a policy for my user to be able to see the secrets, and then it came up with the message that I could not see the secrets because the firewall was turned on and my IP address was not on the allowed list.

    After I modified the option to "Allow public access from all networks" I was able to create a variable group using the KV as a backend.

    User's image


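The two conditions the answer ran into, a missing Get/List access policy and the Key Vault firewall rejecting the caller's IP, can both be checked from the vault's JSON as returned by `az keyvault show`. The following is an added example, not part of the original post: the vault JSON, object ID and IP addresses are constructed samples, and `diagnose` and its helper functions are hypothetical names.

```python
import ipaddress

# Constructed sample shaped like `az keyvault show` output (only fields read here).
SAMPLE_VAULT = {"properties": {
    "enableRbacAuthorization": False,
    "accessPolicies": [{
        "objectId": "11111111-1111-1111-1111-111111111111",  # made-up SP object ID
        "permissions": {"secrets": ["Get", "List"]}}],
    "networkAcls": {"defaultAction": "Deny",
                    "ipRules": [{"value": "203.0.113.0/24"}]},
}}


def has_secret_get_list(vault, object_id):
    """True if an access policy grants the identity Get and List on secrets."""
    for policy in vault["properties"].get("accessPolicies") or []:
        if policy.get("objectId", "").lower() != object_id.lower():
            continue
        granted = {p.lower() for p in policy.get("permissions", {}).get("secrets") or []}
        if {"get", "list"} <= granted or "all" in granted:
            return True
    return False


def firewall_allows(vault, caller_ip):
    """True if the vault firewall admits caller_ip (IP rules only; virtual
    network rules and private endpoints are not modelled)."""
    acls = vault["properties"].get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") == "Allow":
        return True  # the "Allow public access from all networks" setting
    ip = ipaddress.ip_address(caller_ip)
    return any(ip in ipaddress.ip_network(rule["value"], strict=False)
               for rule in acls.get("ipRules") or [])


def diagnose(vault, object_id, caller_ip):
    """Hypothetical helper: list reasons the identity cannot read secrets."""
    findings = []
    if vault["properties"].get("enableRbacAuthorization"):
        findings.append("vault uses Azure RBAC; access policies are not evaluated")
    elif not has_secret_get_list(vault, object_id):
        findings.append("no access policy with Get and List on secrets")
    if not firewall_allows(vault, caller_ip):
        findings.append("firewall denies by default and caller IP is not in ipRules")
    return findings


if __name__ == "__main__":
    sp = "11111111-1111-1111-1111-111111111111"
    print(diagnose(SAMPLE_VAULT, sp, "198.51.100.7"))  # constructed caller IP
```

With the sample data the only finding is the firewall one, which matches the situation in the answer: the access policy was in place but the caller's IP was not on the allowed list. An address inside an `ipRules` range clears that finding while the default action stays `Deny`.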