Azure DevOps Build Pipeline can't get secrets from Key Vault when secured with vnet and firewall
Question
Can't get secrets from Key Vault when it's secured with vnet and firewall.
I would like to use secrets stored in Key Vault from a DevOps Build Pipeline task, and I would like to follow security best practice and defense in depth. As a security best practice, I want the key vault to be accessible from selected virtual networks, selected Azure services and trusted internet IPs. Of course, I would use a service principal and appropriate permissions (list/get).
Unfortunately, Azure DevOps is not one of the trusted services. So, my alternative is to white-list the DevOps IPs. I found out my DevOps is in the US East 2 region and I downloaded the Azure Datacenter IPs (filtered for US East 2). There are about 285 IPs in US East 2. The Key Vault firewall has a limit on how many firewall rules you can add, and it's 127! So, I am out of luck!
At the moment, I can get secrets from the key vault in the build pipeline only if I allow all networks! Yeah, I still have to authenticate to get the secrets, but I lost on defense in depth. I really need to lock down the key vault to trusted networks but I can't. Why? I can't add more than 127 firewall rules (to cover the region) and DevOps is not one of the trusted Azure services!
Recommended answer
You can add a step in the build definition to whitelist the agent IP address, then remove it from the whitelist at the end of the build. This is not a solution but a workaround until the Azure product team adds Azure DevOps as a trusted service. Thanks to @DanielMann for providing the idea.
The solution is simple, but I was not going to trust ipify.org as the REST API endpoint to get my build agent's IP address. Instead, I created my own (and trusted) service as an Azure Function, GetClientIP. DevOps is not my day job and I was having a hard time figuring out how to assign and use user-defined variables and pass them on to the next step/task/stage in the pipeline! The Microsoft documentation on variable usage was not helping me enough, but I figured it out after a lot of unsuccessful runs!
See the complete solution on my blog: Azure DevOps Build Pipeline - use keys and secrets from Key Vault.
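The workaround the answer describes (allow the agent's address through the Key Vault firewall, read the secrets, remove the rule again) written out as an added Azure Pipelines YAML example. This is not code from the original post or from the author's blog. The service connection name, vault name, resource group, secret names and the IP-echo URL are placeholders; the IP-echo endpoint is assumed to be a service you operate yourself, as the answer recommends, and the Azure CLI commands used are `az keyvault network-rule add` and `az keyvault network-rule remove`.

```yaml
# Added example (not from the original post): temporarily allow the build agent's
# public IP through the Key Vault firewall, read secrets, then remove the rule
# even if the build fails or is cancelled. All names below are placeholders.
trigger:
- main

pool:
  vmImage: ubuntu-latest

variables:
  keyVaultName: my-kv                      # placeholder: your Key Vault name
  resourceGroup: my-rg                     # placeholder: the vault's resource group
  ipEchoUrl: https://example.invalid/ip    # placeholder: your own trusted IP-echo endpoint
  agentIp: ''                              # set at runtime by the first step

steps:
- task: AzureCLI@2
  displayName: Allow this agent's public IP in the Key Vault firewall
  inputs:
    azureSubscription: my-azure-service-connection   # placeholder service connection
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      set -euo pipefail
      ip=$(curl -fsS --max-time 10 "$IP_ECHO_URL" | tr -d '[:space:]')
      # Accept only a bare IPv4 address. Anything else is a hard failure, so an
      # unexpected or tampered echo response can never become a wide firewall rule.
      if ! printf '%s' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
        echo "##vso[task.logissue type=error]IP echo did not return a plain IPv4 address"
        exit 1
      fi
      az keyvault network-rule add --name "$KV_NAME" --resource-group "$KV_RG" \
        --ip-address "$ip/32" --output none
      # Hand the address to the cleanup step at the end of the job
      echo "##vso[task.setvariable variable=agentIp]$ip"
  env:
    KV_NAME: $(keyVaultName)
    KV_RG: $(resourceGroup)
    IP_ECHO_URL: $(ipEchoUrl)

- task: AzureKeyVault@2
  displayName: Read secrets from Key Vault
  retryCountOnTaskFailure: 2     # a freshly added rule can take a moment to take effect
  inputs:
    azureSubscription: my-azure-service-connection
    KeyVaultName: $(keyVaultName)
    SecretsFilter: 'build-signing-password,nuget-api-key'   # placeholder secret names
    RunAsPreJob: false

- script: |
    # Each fetched secret is exposed as a masked pipeline variable named after the secret;
    # map it into the environment rather than echoing it.
    echo "Secret received, length ${#SIGNING_PASSWORD}"
  displayName: Use a fetched secret
  env:
    SIGNING_PASSWORD: $(build-signing-password)

- task: AzureCLI@2
  displayName: Remove this agent's IP from the Key Vault firewall
  condition: always()            # runs even when earlier steps failed or the run was cancelled
  inputs:
    azureSubscription: my-azure-service-connection
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      set -euo pipefail
      if [ -z "$AGENT_IP" ]; then
        echo "No rule was added; nothing to remove"
        exit 0
      fi
      az keyvault network-rule remove --name "$KV_NAME" --resource-group "$KV_RG" \
        --ip-address "$AGENT_IP/32" --output none
  env:
    KV_NAME: $(keyVaultName)
    KV_RG: $(resourceGroup)
    AGENT_IP: $(agentIp)
```

Two points worth checking before adopting this. First, the service connection's identity now needs control-plane rights to edit the vault's network ACLs (for example the built-in Key Vault Contributor role) on top of the data-plane get/list permission the question mentions, so scope that role assignment to the single vault rather than the subscription. Second, the cleanup step is conditioned on `always()` and is guarded against an unset address, so a failed or cancelled build does not leave the agent's address permanently allowed; the strict IPv4 check on the echo response is what keeps a misbehaving echo service from widening the rule.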