Azure Key Vault - Managing Access Permissions for ...
# help-with-otherp
Prenders
02/14/2024, 11:22 AMI'm in the process of exploring whether Azure Access Control (IAM) can be used for authenticating DevOps to read Key Vault secrets.
I've successfully managed this previously using the "older" Access Policies - granting 'Get, List' permissions, but I'm looking to transition to a modern role based Access Control if possible.
Has anyone managed to successfully implement Access Control (IAM) for this purpose?
The Azure Subscription is set up with the following roles:
- Key Vault Secrets Officer
- Key Vault Secrets User
However, I'm encountering an issue when attempting access, receiving the error message:
"The specified Azure service connection requires 'Get, List' secret management permissions for the target key vault."
For context, the initial Access Policy configuration was based on the guidelines from this blog:
https://azuredevopslabs.com/labs/vstsextend/azurekeyvault/
Prenders
02/14/2024, 11:23 AM@Matt Wise I know you had a similar post recently and the access worked after waiting. I wonder if there is some sort of delay after granting roles?
Prenders
02/14/2024, 11:54 AMDigging a bit more into this and I think this is more 'Firewall and virtual network' configuration "issue" on the Key Vault.
I can get the RBAC to work when it is set to "Allow public access from all networks" - which I'd rather not do 😅
Having it set to "Allow public access from specific virtual networks and IP addresses" with "Allow trusted Microsoft services to bypass this firewall" checked - fails to work.
I'll continue tinkering, but if anyone has some golden nuggets of help - I will be indebted!
m
Matt Wise
02/14/2024, 12:15 PMI'll double check my configuration. One word of warning certificates are not supported for app services using RBAC
Matt Wise
02/14/2024, 12:15 PMI discovered this after a day of wtf WHY
p
Prenders
02/14/2024, 12:27 PMThank you!
I've found this Stack Overflow on the Firewall connection settings which could be useful:
https://stackoverflow.com/questions/50968613/cannot-acces-keyvault-secrets-through-service-endpoint-in-a-vsts-release
Prenders
02/14/2024, 12:47 PMSuccess! 🎉
This was not an issue with the RBAC - Access Control (IAM) at all.
Got this working by switching the Key Vault to use 'Azure role-based access control' under Settings-> Access configuration
... then assigning the 'Key Vault Secrets User' to the Azure Subscription service principal.
The actual issue I was facing was in the Firewall configuration under Settings->Networking
I needed to add the Azure DevOps region IP.
So set to 'Allow public access from specific virtual networks and IP addresses'
... then add the UK South IP to the Firewall - obtained here: https://github.com/MicrosoftDocs/azure-devops-docs/blob/main/docs/organizations/security/allow-list-ip-url.md
The above Stack Overflow got me in the right direction.
https://cdn.discordapp.com/attachments/1207285780263866398/1207307033410535444/image.png?ex=65df2b4b&is=65ccb64b&hm=faf248721bd1d2cee4b8f003ddcd0d74da43c07a499d5463dc69faf0f9b07053&
https://cdn.discordapp.com/attachments/1207285780263866398/1207307033657741342/image.png?ex=65df2b4b&is=65ccb64b&hm=2de8241fd1db57610181bbc06e541793dfd1cb7112ec72886657363748043f56&
Prenders
02/14/2024, 1:12 PMJust reopening this as I've hit the next stumbling block.
The DevOps now can access fine (for configuration purposes) based on the above, however, the Secret is actually used in a Release Pipeline.
The pipeline will be running on some dynamic build agent, so will have a different (and ever changing) IP.
I'm going to investigate to see if the DevOps build agents have a preconfigured IP range.
Prenders
02/14/2024, 1:22 PMJust dropping a link to this blog which has a solution, but not the most simple one 😅
https://luke.geek.nz/azure/accessing-keyvault-azure-devops/
Essentially they are suggesting obtaining the IP of the build agent when it runs, then add it as an allowed IP via the 'az' client, and then remove it after. Jeez!
I'm going to role roll with opening up the firewall to get things moving and putting trust in the IAM access security.
I think the way forward will be to have a hosted build agent with a static IP... but open to other suggestions 🙂
2 Views