BaharulIslam-2413 asked (edited by BrunoLucas-9843):

Logic App deployment using CI-CD pipeline using ARM template

Hi Experts,

I am trying to export a logic app from the Dev environment and deploy it to stage. I have followed https://github.com/jeffhollan/LogicAppTemplateCreator and extracted the template and parameter file for the logic app, and I am also able to deploy it using the ARM template in the pipeline.
I have attached the exported template and parameter file for easy reference: 204186-parameter.txt, 204110-template.txt

Post deployment I am not able to run the logic app; I am getting the error below when connecting to Key Vault:

 {
   "status": 401,
   "message": "Operation failed because client does not have permission to perform the operation on the key vault. Please check your permissions in the key vault access policies https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal.\r\nclientRequestId: 606cea5f-eae6-439c-bc1e-24952baef1ae",
   "error": {
     "message": "Operation failed because client does not have permission to perform the operation on the key vault. Please check your permissions in the key vault access policies https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal."
   },
   "source": "keyvault-eus.azconn-eus-003.p.azurewebsites.net"
 }

I have checked the status of the API connection and it shows Status as Connected.

I have tried to make a new connection manually using the same client ID and secret, and it is able to connect to the vault from the logic app, so I think there is no permission issue with the client ID/secret.

Any pointer on what can be checked for this issue?


azure-logic-apps

BrunoLucas-9843 answered (edited):

Hi @BaharulIslam-2413,

After comparing the JSON of a functioning connection with the one originated by your templates, I notice the difference is this parameter:
"resourceUri". You have it in both the template file and the parameter file. Try to remove it. It worked for me.

Remove this bit in '204186-parameter.txt':

204423-image.png

and remove these 2 bits in '204110-template.txt':

204389-image.png
204455-image.png





Thank you @BrunoLucas-9843 for checking this. Yes, after removing resourceUri it's working fine.

The template generated by Get-LogicAppTemplate has resourceUri in it; it might be some issue either in the API version or something else.

Thank you for your time in making it work.


@BaharulIslam-2413 Thanks for your response, and glad to know that @BrunoLucas-9843's answer helped you resolve the issue. Feel free to 'Accept as answer' so that it can help others in the community looking for help on similar topics.


Hi @BaharulIslam-2413,

Glad it worked.

Those scripts that generate templates could go out of sync with changes in Azure if not maintained.

Could you please click "Accept as answer" if that fixed the problem? Thanks

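The accepted answer's fix is a manual edit of two JSON files, which is easy to get wrong in a pipeline that regenerates the template on every run. The script below is an added example (not from this thread and not part of LogicAppTemplateCreator or Get-LogicAppTemplate): it removes every key named resourceUri, including prefixed forms such as token:resourceUri, from a template and its parameter file, and then checks that no parameters('...') expression still references a declaration that was stripped, since a dangling reference fails template validation at deploy time. The sample template and parameter file are constructed; the exact key under which the generator places resourceUri is an assumption.

```python
import copy
import re

# Constructed sample, trimmed to the parts that matter: the generator's
# "resourceUri" shows up as a template parameter and again inside the
# connection's parameterValues (key placement is an assumption).
SAMPLE_TEMPLATE = {
    "parameters": {
        "keyvault_clientId": {"type": "string"},
        "keyvault_clientSecret": {"type": "securestring"},
        "keyvault_resourceUri": {"type": "string", "defaultValue": "https://vault.azure.net"},
        "vaultName": {"type": "string"},
    },
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "keyvault",
            "location": "[resourceGroup().location]",
            "properties": {
                "displayName": "keyvault",
                "parameterValues": {
                    "token:clientId": "[parameters('keyvault_clientId')]",
                    "token:clientSecret": "[parameters('keyvault_clientSecret')]",
                    "token:resourceUri": "[parameters('keyvault_resourceUri')]",
                    "token:grantType": "client_credentials",
                    "vaultName": "[parameters('vaultName')]",
                },
            },
        }
    ],
}

# Constructed parameter file matching the template (the secret is a placeholder).
SAMPLE_PARAMETERS = {
    "parameters": {
        "keyvault_clientId": {"value": "00000000-0000-0000-0000-000000000000"},
        "keyvault_clientSecret": {"value": "<client-secret-placeholder>"},
        "keyvault_resourceUri": {"value": "https://vault.azure.net"},
        "vaultName": {"value": "example-vault"},
    },
}

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def is_resource_uri_key(key):
    """Match 'resourceUri' and prefixed forms such as 'token:resourceUri' or 'keyvault_resourceUri'."""
    return key.lower().endswith("resourceuri")


def strip_resource_uri(doc):
    """Return (deep copy of doc with every resourceUri key removed, list of removed key paths)."""
    removed = []

    def walk(node, path):
        if isinstance(node, dict):
            for key in list(node):  # list() so deletion during iteration is safe
                if is_resource_uri_key(key):
                    removed.append(path + [key])
                    del node[key]
                else:
                    walk(node[key], path + [key])
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, path + [str(i)])

    cleaned = copy.deepcopy(doc)
    walk(cleaned, [])
    return cleaned, removed


def dangling_parameter_refs(template):
    """Parameter names referenced via parameters('x') but no longer declared; a stripped
    declaration that is still referenced fails template validation at deploy time."""
    declared = set(template.get("parameters", {}))
    used = set()

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            used.update(PARAM_REF.findall(node))

    for section in ("variables", "resources", "outputs"):
        walk(template.get(section, {}))
    return sorted(used - declared)


if __name__ == "__main__":
    template, removed = strip_resource_uri(SAMPLE_TEMPLATE)
    params, removed_params = strip_resource_uri(SAMPLE_PARAMETERS)
    print("removed from template:", removed)
    print("removed from parameters:", removed_params)
    print("dangling references:", dangling_parameter_refs(template))
```

Run it as a pipeline step between template export and deployment, loading the real files with json.load in place of the constructed samples; treat a non-empty result from dangling_parameter_refs as a failed build rather than deploying a template that references a parameter it no longer declares.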
MOXiMOX-2301 answered:

Hi,
Does the pipeline service connection have access to the key vault? If not, create access for this user with get and list.

Mox


Hi @MOXiMOX-2301, thanks for the comments.

For the pipeline service connection, I can find there is an application created in Azure AD with the DevOps project name. I have provided access permission to that app now, but the issue still remains the same. Is there any other way to check the pipeline service connection's access?

I have one question here: the ID associated with the pipeline should only have permission to create resources, not access to get or list, right? To read a secret from the vault, the logic app is connecting with a different access ID. Please correct me if my understanding is wrong.


204275-pipeline-access-id.png
204323-vault-access-permission.png


BrunoLucas-9843 answered (edited):

Is "stage" on the same tenant?

Are you recreating a complete resource group in stage?

If so, you should have a new vault in stage. Did you also add the access policy with the correct permissions to allow the logic app to retrieve the key/secret from the vault?

Maybe the order in which you run your script is removing the vault access policy?

https://www.c-sharpcorner.com/article/create-an-azure-key-vault-with-vault-access-policy-and-add-secrets-using-arm-tem/

The error you have may mean the policy is there but is missing the right permission. What is the logic app trying to do to the vault? Read a secret? Does the policy have "get" permission?

204230-image.png





Hi @BrunoLucas-9843, thanks for your feedback.

Yes, stage is on the same tenant and the same subscription.

I am creating a new resource group for stage; however, the Key Vault still remains the same, to roll out the ClientID access permission. So, when creating the connection manually to the same Key Vault using the same ClientID/secret it is able to work, but when creating it with the earlier attached ARM template it gets the permission issue.

MOXiMOX-2301 replied to BaharulIslam-2413:

The permissions for Key Vault are controlled either by AD or by access policy. If you create an access policy, with get and list permissions, for the user you use to run the pipeline, it should work. It does not matter which resource group you target as long as the user either has permissions to access this resource group directly or inherits permissions from the subscription.
Mox

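The two answers above come down to a question that can be checked in the ARM template before anything is deployed: does the vault's access policy grant the principal the Logic App connection uses the secret permissions it needs (get and list, as Mox suggests), and does the pipeline's deployment identity hold no data-plane permissions at all, as the question asker expects? The script below is an added example, not from this thread. The vault template is constructed and the object ids are placeholders; note that an access policy entry is keyed by the service principal's objectId, not by the application's client ID, and that when enableRbacAuthorization is set the policies are ignored by the service, so the template alone cannot confirm access.

```python
REQUIRED_SECRET_PERMISSIONS = {"get", "list"}  # what the answers above ask for on the vault policy

# Constructed sample: one vault with two policy entries. Object ids are placeholders.
SAMPLE_TEMPLATE = {
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2019-09-01",
            "name": "example-vault",
            "location": "[resourceGroup().location]",
            "properties": {
                "tenantId": "[subscription().tenantId]",
                "sku": {"family": "A", "name": "standard"},
                "enableRbacAuthorization": False,
                "accessPolicies": [
                    {
                        # principal the Logic App connection authenticates as
                        # (the service principal's objectId, not the app's clientId)
                        "objectId": "11111111-1111-1111-1111-111111111111",
                        "tenantId": "[subscription().tenantId]",
                        "permissions": {"secrets": ["Get"]},
                    },
                    {
                        # pipeline deployment identity: creates resources, should not read secrets
                        "objectId": "22222222-2222-2222-2222-222222222222",
                        "tenantId": "[subscription().tenantId]",
                        "permissions": {"keys": ["list"]},
                    },
                ],
            },
        }
    ]
}


def vault_resources(template):
    """All Microsoft.KeyVault/vaults resources declared in the template."""
    return [r for r in template.get("resources", []) if r.get("type") == "Microsoft.KeyVault/vaults"]


def policies_for(vault, object_id):
    """Access policy entries for one principal, matched case-insensitively on objectId."""
    return [p for p in vault.get("properties", {}).get("accessPolicies", [])
            if p.get("objectId", "").lower() == object_id.lower()]


def check_secret_access(template, object_id, required=REQUIRED_SECRET_PERMISSIONS):
    """Per vault: which required secret permissions the principal gets and which are missing.
    With enableRbacAuthorization the policies are ignored by the service, so nothing can be
    confirmed from the template and every required permission is reported as missing."""
    report = {}
    for vault in vault_resources(template):
        name = vault.get("name", "<unnamed>")
        if vault.get("properties", {}).get("enableRbacAuthorization"):
            report[name] = {"mode": "rbac", "granted": set(), "missing": set(required)}
            continue
        granted = set()
        for policy in policies_for(vault, object_id):
            granted.update(p.lower() for p in policy.get("permissions", {}).get("secrets", []))
        # "all" is the ARM shorthand for every permission in the category
        missing = set() if "all" in granted else set(required) - granted
        report[name] = {"mode": "accessPolicy", "granted": granted, "missing": missing}
    return report


def data_plane_grants(template, object_id):
    """Every data-plane permission (keys, secrets, certificates, storage) a principal holds,
    per vault. Run this for the pipeline's deployment identity: ideally it returns {}."""
    out = {}
    for vault in vault_resources(template):
        grants = {}
        for policy in policies_for(vault, object_id):
            for category, perms in policy.get("permissions", {}).items():
                if perms:
                    grants.setdefault(category, set()).update(p.lower() for p in perms)
        if grants:
            out[vault.get("name", "<unnamed>")] = grants
    return out


if __name__ == "__main__":
    logic_app_sp = "11111111-1111-1111-1111-111111111111"
    pipeline_sp = "22222222-2222-2222-2222-222222222222"
    print("logic app connection:", check_secret_access(SAMPLE_TEMPLATE, logic_app_sp))
    print("pipeline identity data-plane grants:", data_plane_grants(SAMPLE_TEMPLATE, pipeline_sp))
```

On the constructed sample the connection principal is reported as missing "list" (only "Get" is granted), and the pipeline identity shows a stray keys/list grant that a deployment-only identity does not need; both are the kind of finding to block a release on, and a vault that matches on both checks but still returns the 401 from the question points away from the access policy and back at the connection resource itself.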
BrunoLucas-9843 answered:

Hi @BaharulIslam-2413, I tried 2 ways to block access to the vault. When I go to the vault's networking settings and block access to all networks, it throws a similar error, but specific to IP blocking:

 {
   "status": 403,
   "message": "Operation against key vault 'https://DFD-RTR-YUY.vault.azure.net/' failed as connector IP address is not authorized to call the vault. If you have configured firewall on the vault, please make sure the logic app IP addresses are allowed. Please see https://aka.ms/connectors-ip-addresses\r\nclientRequestId: f4a6f817-df83-484b-82dd-f1d3fc50ab81",
   "error": {
     "message": "Operation against key vault 'https://DFD-RTR-YUY.vault.azure.net/' failed as connector IP address is not authorized to call the vault. If you have configured firewall on the vault, please make sure the logic app IP addresses are allowed. Please see https://aka.ms/connectors-ip-addresses"
   },
   "source": "keyvault-cus.azconn-cus-001.p.azurewebsites.net"
 }

204276-image.png 204295-image.png

But if I go to the vault and give no access or the wrong permissions to the policy, I get the same error message. What type of operation are you trying to perform? What permissions do you have? If it seems correct, maybe the ARM template has switched something to the wrong place? Try switching the original and the problematic logic apps to code view and look for anything that could be wrong.


204351-image.png

 {
   "status": 403,
   "message": "Operation failed because client does not have permission to perform the operation on the key vault. Please check your permissions in the key vault access policies https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal.\r\nclientRequestId: b55f36bf-d3de-47bd-b277-4b3dbaf18d9f",
   "error": {
     "message": "Operation failed because client does not have permission to perform the operation on the key vault. Please check your permissions in the key vault access policies https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal."
   },
   "source": "keyvault-cus.azconn-cus-001.p.azurewebsites.net"
 }

The only difference when I give the wrong permissions is the code:

"401 Unauthorized is the status code to return when the client provides no credentials or invalid credentials. 403 Forbidden is the status code to return when a client has valid credentials but not enough privileges to perform an action on a resource."

Sounds like your logic app's vault connection is using an account that validates the connection but either has a wrong password or is failing to authenticate at the same level.

How are you testing that? Are you using something like Postman? Maybe an expired token: https://docs.microsoft.com/en-us/azure/key-vault/general/rest-error-codes#http-401-unauthenticated-request




Hi @BrunoLucas-9843, @MOXiMOX-2301

I think there is no issue with the API ID permission; the issue is specifically with the connection created using the ARM template. I did the testing below:

1) Deleted all resources of the stage resource group.
2) Deployed the Logic App again using ARM (release pipeline).
3) As observed earlier as well, the Logic App is not able to retrieve the secret from the vault. It is getting a 401 error.
4) Added another step for Key Vault to get the secret, but created the connection again (instead of using the existing connection) with the same service principal connection details.
5) When running the Logic App, it is able to read the secret with the connection created manually, but it is failing with the connection created using the ARM template.
6) I have tried to edit the Key Vault connection by passing the secret again (for the one created in the ARM template), but it is still not working.

Is there any known limitation for connections created using an ARM template?

204279-vault-connection.png



I tried your templates and got the same problem, the 401. Will try to check it later with a clear head, but something tells me the template is missing something when pointing to the vault.


Thank you @BrunoLucas-9843 for helping with testing on your side as well. It's good to know that it's reproducible on your side as well. Please share if you get any findings.
