Azure DevOps: Link secrets from an Azure Key Vault with IP restrictions - authorization fails?

Views: 142

Problem description

We are having issues with linking secrets from a Key Vault into a variable group in Azure DevOps.

Basically we have a Key Vault with IP restrictions and also connected to a VNET. It also has the "Allow trusted Microsoft services to bypass this firewall" setting enabled. Azure DevOps is not one of the services listed in those.

The Service Endpoint used in Azure DevOps has the correct permissions (Get/List secrets) enabled in the Key Vault's Access policies. We have tested and verified that if we disable the IP restrictions there is no issue / problem with linking secrets in Azure DevOps from the Key Vault. So this issue has to do specifically with Key Vault's IP restrictions and Azure DevOps incompatibility.

Is there any feasible workaround for this?

I find it very strange that there is no mention of this in the official documentation:

https://docs.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#link-secrets-from-an-azure-key-vault

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-network-security

BR

Masi Malmi


Recommended answer

I believe you are restricted by the Azure Key Vault access policy and you may need to give explicit permissions to the Service Principal of your DevOps project to access Keys/Secrets from your key vault. Please use the below command to set up the Azure Key Vault Access policy -


# Look up the service principal behind the DevOps service connection
$spn = Get-AzureRmADServicePrincipal -ServicePrincipalName "<<DevOpsSPN>>"

# Grant that principal get/list on secrets in the vault
Set-AzureRmKeyVaultAccessPolicy -VaultName "<<KeyVaultName>>" -ObjectId $spn.Id -PermissionsToSecrets get,list

You can find the <<DevOpsSPN>> by going to your DevOps Project Settings > Pipelines > Service Connections and clicking on "Update Service Connection".
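The script below is an added example, not code from the answer above or from Microsoft. It applies the same access-policy grant, then reads the vault back so the two separate causes of an authorization failure described in the question (a missing access policy versus the vault firewall) can be told apart. It assumes the AzureRm modules and an existing session (Login-AzureRmAccount); $VaultName and $DevOpsSpn stand in for the <<KeyVaultName>> and <<DevOpsSPN>> placeholders. The Az module equivalents (Get-AzADServicePrincipal, Set-AzKeyVaultAccessPolicy, Get-AzKeyVault) take the same parameters.

```powershell
# Added example (not the answer's own code). Grants the DevOps service
# connection's service principal get/list on secrets, then verifies both the
# access policy and the network ACLs of the vault.
param(
    [Parameter(Mandatory)][string]$VaultName,   # placeholder for <<KeyVaultName>>
    [Parameter(Mandatory)][string]$DevOpsSpn    # placeholder for <<DevOpsSPN>>
)

$spn = Get-AzureRmADServicePrincipal -ServicePrincipalName $DevOpsSpn
if (-not $spn) { throw "Service principal '$DevOpsSpn' not found in this tenant" }

# Least privilege: linking a variable group only needs get and list on secrets.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $spn.Id -PermissionsToSecrets get,list

$vault = Get-AzureRmKeyVault -VaultName $VaultName

# 1. Confirm the access policy landed for exactly this object id.
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $spn.Id }
if ($policy -and ($policy.PermissionsToSecrets -contains 'get') -and ($policy.PermissionsToSecrets -contains 'list')) {
    Write-Host "Access policy OK: $($spn.DisplayName) has get/list on secrets"
} else {
    Write-Warning "Access policy missing or incomplete for $($spn.DisplayName)"
}

# 2. Show the network restrictions. With DefaultAction = Deny a correct access
#    policy is still not sufficient: the caller's IP or VNet subnet must be in
#    the rules, and the AzureServices bypass only covers the trusted-service list,
#    which does not include Azure DevOps.
$acl = $vault.NetworkAcls
Write-Host "Firewall default action : $($acl.DefaultAction)"
Write-Host "Bypass                  : $($acl.Bypass)"
Write-Host "Allowed IP ranges       : $($acl.IpAddressRanges -join ', ')"
Write-Host "Allowed VNet subnets    : $($acl.VirtualNetworkResourceIds -join ', ')"
if ("$($acl.DefaultAction)" -eq 'Deny') {
    Write-Warning "Vault firewall denies by default; the access policy alone will not let Azure DevOps link secrets."
}
```

Run it as `.\Check-KeyVaultDevOpsAccess.ps1 -VaultName <<KeyVaultName>> -DevOpsSpn <<DevOpsSPN>>` (file name is your choice). If the first check passes and the second reports a Deny default action, the failure is the firewall case the question describes, not a permissions problem.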

