Using Key-Vault RBAC (Role Based Access Control) in Azure Devops pipeline

Hitesh N 20 Reputation points
2025-05-27T19:53:16.3733333+00:00

Question - Using Key-Vault in Azure Devops pipeline

I have a question about using Key Vault RBAC (Role Based Access Control) in an Azure DevOps pipeline.

  1. I created a Key Vault in the Azure Portal with Azure RBAC (Role Based Access Control).
  2. Also added the Access Control (IAM) policy - Key Vault Secrets User, Key Vault Secrets Officer, Key Vault Administrator - for the Service Principal and my User-ID.
  3. In the Resource Group, added Key Vault Secrets User and Key Vault Administrator for the Service Principal and my User-ID.
  4. Created the Key and Secret.
  5. In the Azure DevOps YAML file, for the below AzureKeyVault task, after running the DevOps pipeline I get the below error.

     - task: AzureKeyVault@2
       inputs:
         azureSubscription: 'xxxxx'
         KeyVaultName: 'xxxx'
         SecretsFilter: '*'
         RunAsPreJob: true

  6. Error -

Downloading secrets using: https://azure-fabric-kv-test.vault.azure.net/secrets?maxresults=25&api-version=2016-10-01.

##[error]Get secrets failed. Error: Caller is not authorized to perform action on resource.

If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.

Caller: appid=***;oid=XXX;iss=https://sts.windows.net/0xxxxxx/

Action: 'Microsoft.KeyVault/vaults/secrets/readMetadata/action'

Resource: '/subscriptions/4XXXXX/resourcegroups/XXXX/providers/microsoft.keyvault/vaults/XXXXX'

Assignment: (not found)

DenyAssignmentId: null

DecisionReason: null

Vault: aXXXXXX;location=eastus

. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal..

Uploading /home/vsts/work/1/ProvisionKeyVaultPermissions.ps1 as attachment

Finishing: AzureKeyVault

Azure DevOps
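The error above is a data-plane authorization failure: the action `Microsoft.KeyVault/vaults/secrets/readMetadata/action` is granted by the Key Vault Secrets User (and higher) roles, and `Assignment: (not found)` means Azure found no role assignment for the caller's `oid` at the vault or any parent scope. The following diagnostic script is an added example for this thread, not code from the question or from Microsoft. It assumes the Az.Accounts, Az.Resources and Az.KeyVault modules are installed and that `Connect-AzAccount` has already been run with an identity that can read role assignments; `$VaultName` and `$AppId` are placeholders to replace with the vault name and the application (client) id of the service principal behind the Azure DevOps service connection.

```powershell
# Added diagnostic script (not from the original thread). Placeholders: $VaultName, $AppId.
param(
    [string]$VaultName = 'REPLACE-WITH-VAULT-NAME',
    [string]$AppId     = 'REPLACE-WITH-SERVICE-CONNECTION-APP-ID'
)

# 1. Is the vault using Azure RBAC (data-plane roles) or legacy access policies?
#    With RBAC enabled, access policies are ignored, and vice versa.
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Vault '$VaultName' not found in the current subscription" }
Write-Host "Vault:                   $($vault.ResourceId)"
Write-Host "EnableRbacAuthorization: $($vault.EnableRbacAuthorization)"

# 2. Resolve the object id of the service principal used by the service connection.
#    The pipeline error prints 'oid=...' for the caller; that oid must be the one
#    holding the role, otherwise the assignment was made to the wrong identity.
$sp = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $sp) { throw "No service principal found for application id $AppId" }
Write-Host "Service principal oid:   $($sp.Id)"

# 3. Role assignments for this principal at vault scope or above (resource group,
#    subscription). Assignments granted through group membership are not listed
#    unless -ExpandPrincipalGroups is added, which needs Graph read permission.
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId
$secretRoles = @('Key Vault Secrets User', 'Key Vault Secrets Officer', 'Key Vault Administrator')
$effective   = $assignments | Where-Object { $secretRoles -contains $_.RoleDefinitionName }

if ($vault.EnableRbacAuthorization) {
    if ($effective) {
        Write-Host "Data-plane secret roles in effect:"
        $effective | Format-Table RoleDefinitionName, Scope -AutoSize
    } else {
        Write-Warning ("oid {0} holds none of [{1}] at or above {2}; " +
                       "a new assignment can take a few minutes to propagate") -f
                       $sp.Id, ($secretRoles -join ', '), $vault.ResourceId
    }
} else {
    # Access-policy vault: RBAC role assignments do not apply, check the policy instead.
    Write-Warning "Vault uses access policies; IAM role assignments are ignored for secrets."
    $vault.AccessPolicies |
        Where-Object { $_.ObjectId -eq $sp.Id } |
        Format-List ObjectId, PermissionsToSecrets
}
```

Run it once from a workstation before re-running the pipeline: if `EnableRbacAuthorization` is `True` and the role table is empty for the oid reported in the error, the fix is a role assignment for that principal (or waiting for propagation), not a change to the pipeline YAML; if it is `False`, the vault is still on access policies and the IAM roles listed in the question have no effect on secret reads.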

Accepted answer
  1. Durga Reshma Malthi 2,305 Reputation points Microsoft External Staff Moderator
    2025-05-29T08:27:46.0266667+00:00

    Hi Hitesh N

    Could you please try the below steps to resolve this issue:

    Modify the command like this:

    # -AsPlainText returns the secret value as a string (the SecretValueText property is no longer available in current Az.KeyVault versions)
    $keyVaultSecret = Get-AzKeyVaultSecret -VaultName "xxx" -Name "DBPass" -AsPlainText
    Write-Host "Value of keyVaultSecret: $keyVaultSecret"
    

    Once you get the actual secret value, your encoding and decoding should work correctly:

    $encodedSecret = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($keyVaultSecret))
    Write-Host "Encoded Secret: $encodedSecret"
    $decodedSecret = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encodedSecret))
    Write-Host "Decoded Secret: $decodedSecret"
    

    Hope this helps!

    Please let me know if you have any queries.

    If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.


7 additional answers

Sort by: Most helpful
  1. Hitesh N 20 Reputation points
    2025-05-29T18:07:30.5066667+00:00

    Hi Durga,

    I followed the steps below but am still facing the same issue: the values from the Key Vault are showing as ***. Can you please suggest.

    1. In the Azure DevOps YAML file, added the below Azure Key Vault task.

    YAML file below -

    variables:
    - group: azure-xxxx

    steps:
    - task: AzurePowerShell@5
      env:
        SET_VALUE: $(DBPass)

    - task: AzureKeyVault@2
      inputs:
        azureSubscription: 'xxx'
        KeyVaultName: 'xxx'
        SecretsFilter: '*'
        RunAsPreJob: true

    And the above task is able to download the secrets from the Key Vault (screenshot attached in the original post).

    2. Created the variable group azure-xxxx, linked the secrets from the Key Vault, and the DBPass secret is available in the library group (screenshot attached in the original post).

    3. PowerShell script -- test.ps1

    $library_var = $env:SET_VALUE
    Write-Host "Values of library: $library_var"

    Output

    ***
    ****

    1.

    #$secret = (Get-AzKeyVaultSecret -VaultName "azure-fabric-kv-test" -Name "DBCred").SecretValueText
    Write-Host "Value of secret from Vault1 ": $secret

    Output

    ***
    ***

    2.

    $keyVaultValue = Get-AzKeyVaultSecret -VaultName "azure-fabric-kv-test" -Name "DBPass" -AsPlainText
    Write-Host "Value of secret from $keyVaultValue ": $keyVaultValue

    Output

    ***
    ***
    

  2. Durga Reshma Malthi 2,305 Reputation points Microsoft External Staff Moderator
    2025-05-30T07:37:42.0733333+00:00

    Hi Hitesh N

    Could you please try the below steps to resolve this issue:

    1. Make sure that the Azure DevOps service principal has the necessary permissions to access the secrets in the Azure Key Vault. The service principal should have at least the "Get" permission for secrets.
    2. Instead of retrieving the secret from an environment variable, try directly using the secret from Azure Key Vault in your script:

           # -AsPlainText returns the secret as a string (SecretValueText is no longer available in current Az.KeyVault versions)
           $secret = Get-AzKeyVaultSecret -VaultName "xxxx" -Name "DBPass" -AsPlainText
           Write-Host "Unmasked Secret from Vault: $secret"

    3. Can you structure your YAML like this:

           variables:
           - group: azure-xxxx

           steps:
           - task: AzureKeyVault@2
             inputs:
               azureSubscription: 'xxx'
               KeyVaultName: 'xxx'
               SecretsFilter: '*'
               RunAsPreJob: true

           - task: AzurePowerShell@5
             env:
               SET_VALUE: $(DBPass)
             inputs:
               azureSubscription: 'xxx'
               azurePowerShellVersion: 'LatestVersion'   # required input of AzurePowerShell@5
               ScriptType: 'InlineScript'
               Inline: |
                 $library_var = $env:SET_VALUE
                 Write-Host "Values of library: $library_var"
                 # If you want to retrieve the secret directly
                 $secret = Get-AzKeyVaultSecret -VaultName "xxxx" -Name "DBPass" -AsPlainText
                 Write-Host "Value of secret from Vault1: $secret"

    4. Instead of linking secrets in a variable group, try using direct Key Vault references in your pipeline:

           variables:
           - name: DBPass
             value: ${{ secrets.DBPass }}

    5. Since Azure DevOps only masks known secret values, but not derived values (like Base64), you can encode them for inspection:

           $secret  = Get-AzKeyVaultSecret -VaultName "xxx" -Name "DBPass" -AsPlainText
           $encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($secret))
           Write-Host "Base64 Encoded Value: $encoded"

       If the Base64-decoded value is a secret, Azure may still mask it if it matches a known secret.
    6. Alternatively, you can try the below script:

           $plain   = "MySuperSecret123"
           $encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($plain))
           Write-Host "Encoded: $encoded"
           $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))
           Write-Host "Decoded: $decoded"


    Hope this helps!

    Please let me know if you have any queries.

    If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.

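Point 5 of the answer above touches the security-relevant mechanism in this whole thread: the agent masks log lines by matching the exact strings it knows to be secrets (values of secret variables, and values downloaded by AzureKeyVault@2), so a Base64 or otherwise transformed copy of the secret is not recognised and goes into the build log in clear text, where anyone with read access to the run can decode it. The script below is an added example for this thread, not code from the answer or from Microsoft. It is meant as the `Inline` body of an `AzurePowerShell@5` step that runs after an `AzureKeyVault@2` step; `$VaultName` is a placeholder, `DBPass` is the secret name used in the thread, and the connection-string host is a constructed example value.

```powershell
# Added example (not from the original thread). Placeholders: $VaultName; DBPass is the
# secret name from the thread; the connection-string host below is constructed.
$VaultName  = 'REPLACE-WITH-VAULT-NAME'
$SecretName = 'DBPass'

# -AsPlainText returns the value as a string; the old SecretValueText property is gone.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText
if ([string]::IsNullOrEmpty($secret)) {
    throw "Secret '$SecretName' came back empty; check the data-plane role assignment"
}

# Prove that a value arrived without writing it to the log: report only its length.
# (The value itself would print as *** anyway, so echoing it proves nothing.)
Write-Host "Retrieved '$SecretName' ($($secret.Length) characters)"

# Derived values are NOT masked: the masker only knows the registered secret strings.
# Registering the derived value as a secret variable, via the ##vso logging command,
# tells the agent to mask it and makes it available as $(DBPassBase64) in later steps.
# The ##vso line itself is consumed by the agent and is not written to the log.
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($secret))
Write-Host "##vso[task.setvariable variable=DBPassBase64;issecret=true]$encoded"

# The same applies to anything that embeds the secret, e.g. a connection string:
# without registration the password inside it would appear in clear text.
$connString = "Server=db.example.invalid;User Id=app;Password=$secret"
Write-Host "##vso[task.setvariable variable=DbConnString;issecret=true]$connString"

# Nothing secret has been echoed; later steps can use $(DBPassBase64) and
# $(DbConnString) as ordinary secret variables (map them via env:, not inline).
Write-Host "Registered DBPassBase64 and DbConnString as secret variables"
```

The design choice here is to never treat "I can see the value in the log" as a test: the Base64 trick in the thread works precisely because it bypasses masking, which means the secret has been written to a log that is retained with the run. Checking length (or comparing against a known-good hash if you need equality) confirms retrieval, and registering every derived value with `issecret=true` keeps the masker in step with whatever the script produces.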

  3. Durga Reshma Malthi 2,305 Reputation points Microsoft External Staff Moderator
    2025-05-28T10:17:03.43+00:00

    Hi Hitesh N

    Could you please try the below steps to resolve this issue:

    1. Ensure that the Service Principal used in your Azure DevOps service connection has the correct permissions on the Key Vault. It needs to have at least the GET and LIST permissions.
    2. Navigate to KeyVaults -> Your Keyvault -> Access Configuration -> Permission Policy - Select Vault access policy -> Go to Access policies, add the Azure DevOps service principal with Get and List secret permissions.
    3. In Azure DevOps, go to Project Settings > Service connections. Select the service connection you are using for Azure Key Vault. Ensure that the connection is valid and that it uses the correct Service Principal credentials.
    4. Now, navigate to your Azure key vault. -> Access Control (IAM) -> Click add role assignment -> Select Key Vault Secrets User -> Click next -> Select Members -> Look for your Service Principal -> Review + Assign. And then, click Authorize again in DevOps.
    5. Please refer to this doc: Using secrets from Azure Key Vault in a pipeline

    You can also try to create a Variable Group in Azure DevOps:

    • In Azure DevOps, go to Pipelines -> Library -> Click + Variable Group -> Select Link secrets from an Azure Key Vault as variables and select your subscription and the Key Vault -> Save.
    • Now, use Variable Group in Pipeline:
      • In your YAML file, add a reference to the group name:
            variables:
            - group: my-variable-group
        

    Additional References:

    https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations

    https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=azure-pipelines-ui%2Cyaml

    Hope this helps!

    Please let me know if you have any queries.


  4. Hitesh N 20 Reputation points
    2025-05-28T20:39:13.2966667+00:00

    Thanks Durga for your response. Can you please help with the below issue with Key Vault values.

    I followed the steps mentioned above but was getting the below issue: the secret from the Key Vault is coming as *** but after Base64 encoding it shows the correct encoded value.

    But in Azure DevOps PowerShell I was facing an issue while decoding the Base64-encoded Key Vault value.

    1. Then in the PowerShell script, to extract the Key Vault values with the below command

    $keyVaultValue = (Get-AzKeyVaultSecret -VaultName "xxx" -Name "DBPass")
    Write-Host "Value of Value": $keyVaultValue

    ---- Output

    Value of keyVaultValue : ***

    After encoding the above value (keyVaultValue) in Base64 I get the correct encoded value. Checked on the Base64 decode website (https://www.base64decode.org/) with the encoded value to check the decoded value. (Decoded value is correct.)

    Encoded value

    $encodedSecret = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($keyVaultValue))
    Write-Host "Value of encodedSecret" $encodedSecret

    --- Output - for example

    Value of encodedSecret - CVZZ==

    Decoded value

    $decodedvalue = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('CVZZ=='))
    Write-Host "Value of DecodedSecret" $decodedvalue

    ---- Output

    Value of decodedvalue : ***

