
I have created a Key Vault in Azure DevOps using ARM and I now want to write a secret to it within the same pipeline.

I created an Azure PowerShell task with the following inline PowerShell:

    # Convert the pipeline variable to a SecureString once, then pass that variable to the cmdlet
    $secretvalue = ConvertTo-SecureString "$(Secret)" -AsPlainText -Force
    Set-AzureKeyVaultSecret -VaultName "$(VaultName)" -Name "$(SecretName)" -SecretValue $secretvalue

The key vault gets created fine, but I get the following error when trying to write the secret:

[error]Access denied

If I run Set-AzureKeyVaultSecret on my local machine it works fine.

EDIT

Here are some screenshots of what I've done. In Azure DevOps I created a Service Connection and verified it:

(screenshot)

Here's what my Azure PowerShell task looks like to write the secret to the vault:

(screenshots)

Key Vault permissions:

(screenshots)

Do I need a separate Service Principal or do I need to create an App Registration?

2 Answers


Pretty sure you gave rights to the wrong entity. To find the proper entity do this.

Click the Manage link in the Azure Subscription field; it will navigate you to a new blade. Click Manage Service Principal there. It will take you to the application page in Azure AD. After that you can copy the name under the Managed application in local directory field and use that name to grant it Key Vault permissions.


1 Comment

That was it! I also added the objectId to my ARM template parameters so when the key vault is deployed, Azure DevOps gets access to write secrets. All good.
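The accepted answer and the follow-up comment, combined into one inline script for the Azure PowerShell task (an added example, not code from the question or the answers): it resolves the service principal behind the service connection by the display name shown under Managed application in local directory, grants that object ID get/set on secrets (the same object ID you would pass to the ARM template's accessPolicies), and then writes the secret. It assumes the AzureRM-era cmdlets the question uses, a hypothetical pipeline variable SpDisplayName, and that the secret variable is mapped to the environment variable SECRET in the task's Environment Variables section.

```powershell
# Added example, not from the original post. Assumes the AzureRM modules used by the
# question's Azure PowerShell task. $(VaultName), $(SecretName) and $(SpDisplayName)
# are pipeline variables expanded before the script runs (SpDisplayName is a
# hypothetical variable holding the name shown under "Managed application in local
# directory" for the service connection).
$ErrorActionPreference = 'Stop'
$vaultName     = '$(VaultName)'
$secretName    = '$(SecretName)'
$spDisplayName = '$(SpDisplayName)'

# 1. Resolve the service principal the service connection actually runs as.
#    Granting the vault policy to a user or to a different app is the mistake
#    that produces "Access denied" from Set-AzureKeyVaultSecret in the pipeline.
$sp = Get-AzureRmADServicePrincipal -SearchString $spDisplayName |
      Where-Object { $_.DisplayName -eq $spDisplayName } |
      Select-Object -First 1
if (-not $sp) { throw "Service principal '$spDisplayName' not found in this tenant." }
Write-Host "Service connection runs as object id $($sp.Id)"

# 2. Grant only what the pipeline needs: Get and Set on secrets (least privilege).
#    Re-running this is safe; it replaces the policy entry for this object id.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToSecrets get,set

# 3. Write the secret. The value comes from an environment variable mapped from a
#    secret pipeline variable, rather than being expanded inline as $(Secret), so it
#    does not end up in the task's command line or logs.
if (-not $env:SECRET) { throw "Environment variable SECRET is not set; map the secret variable in the task." }
$secretValue = ConvertTo-SecureString $env:SECRET -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretValue

# 4. Confirm the write succeeded without echoing the secret value.
$stored = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
Write-Host "Secret '$secretName' stored in vault '$vaultName', version $($stored.Version)"
```

If the vault is created by the ARM template in the same pipeline, $sp.Id is the value to supply as the objectId parameter for the template's accessPolicies entry, which removes the need for step 2 at runtime.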

Check your permissions for the service connection to ARM and the permissions in your vault. Steps to check are here: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=vsts

1 Comment

I did that and have edited my question to show the screenshots. It still is not working. Is there anything else I need to do with the Service Connection?
