Azure DevOps -> Pipelines -> Library -> Access Azure Key Vault -> Key Vault not allowing access from all networks


Question

We have set up a connection between Azure DevOps and Azure Key Vault via Service Connections (service principal authentication). However, in order for it to work we need to have the Azure Key Vault -> Networking marked as Allow access from: All networks. Given that we store secrets here, we would like to use the option Private endpoint and selected networks instead, with Allow trusted Microsoft services to bypass this firewall? set to Yes.


However, this results in the following error on Azure DevOps -> Pipelines -> Library:

The specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault. Click "Authorize" to enable Azure Pipelines to set these permissions or manage secret permissions in the Azure portal.

If we set Allow access from: All networks for the Azure Key Vault, it works as previously stated, but we would like to avoid this if possible.

Setting up an Azure Key Vault task in the pipeline, or setting up a variable group and then switching back to Private endpoint and selected networks, results in a similar error on deploy:

MyKey: "Client address is not authorized and caller is not a trusted service.\r\nClient address: 111.222.333.44\r\nCaller: appid=;oid=00000000-0000-0000-0000-000000000000;iss=https://sts.windows.net//\r\nVault: My-Vault;location=northeurope. The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal."

The client address is unfortunately new every time, as expected, but the oid and iss values are the same. According to the documentation, only an IPv4 address or CIDR can be added to the firewall. Is there any way to mark Azure agents as trusted Microsoft services, or is this a bad practice? It does seem way safer than All networks though.

Answer

This is still an open issue - Issue

Probably some of the solutions are as mentioned in the URL:

  • add a task in your pipeline and whitelist the IP of your agent, and then, once you have the values from Key Vault, remove the whitelist.

Whitelist the Azure DevOps IP list weekly maybe, but again that seems unreliable.

What @Grand suggested is also one of the solutions actually.
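The first workaround in the answer (allow the agent's own IP through the Key Vault firewall, read the secrets, then remove the rule again) written out as an Azure Pipelines job; this is an added example, not code from the question or the answer. The service connection name 'my-arm-connection', the vault name 'my-vault' and the public-IP lookup endpoint are assumptions.

```yaml
# Added example (not from the original question or answer). Assumed names:
# service connection 'my-arm-connection', vault 'my-vault', and the
# public-IP lookup endpoint https://api.ipify.org.
pool:
  vmImage: ubuntu-latest

variables:
  keyVaultName: my-vault

steps:
  - task: AzureCLI@2
    displayName: Allow this agent's public IP through the Key Vault firewall
    name: allowIp
    inputs:
      azureSubscription: my-arm-connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        # Hosted agents get a new egress IP every run, so look it up at runtime.
        AGENT_IP="$(curl -fsS https://api.ipify.org)"
        echo "##vso[task.setvariable variable=agentIp;isOutput=true]$AGENT_IP"
        # Management-plane call: the service principal needs a role that can
        # write the vault's network rules (for example Key Vault Contributor).
        az keyvault network-rule add --name "$(keyVaultName)" \
          --ip-address "$AGENT_IP" --output none
        # Firewall changes take a short while to propagate.
        sleep 30

  - task: AzureKeyVault@2
    displayName: Read secrets while the agent IP is allowed
    inputs:
      azureSubscription: my-arm-connection
      KeyVaultName: $(keyVaultName)
      SecretsFilter: '*'
      # Must stay false: a pre-job run would execute before the allow step above.
      RunAsPreJob: false

  - task: AzureCLI@2
    displayName: Remove the temporary firewall rule
    condition: always()   # close the hole even if the secret read failed
    inputs:
      azureSubscription: my-arm-connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        az keyvault network-rule remove --name "$(keyVaultName)" \
          --ip-address "$(allowIp.agentIp)" --output none
```

The vault's firewall stays on "selected networks" throughout; only a single /32 rule exists for the duration of the job, and the `condition: always()` cleanup step keeps a failed secret read from leaving that rule behind.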
