I want to create a key vault that will store a TLS certificate. This key vault needs to be accessible from Azure pipeline tasks, which will retrieve the said certificate and bind it to their apps. Microsoft mentions:
By default, 'Microsoft.Azure.WebSites' Resource Provider (RP) doesn't have access to the Key Vault specified in the template hence you need to authorize it by executing the following PowerShell commands before deploying the template:
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get
This works for my key vault when I do it manually. However, I want to automate this as part of my master pipeline. I've tried defining this task:
- task: AzurePowerShell@5
  displayName: 'Set key vault policy'
  inputs:
    azureSubscription: …
    azurePowerShellVersion: 'LatestVersion'
    ScriptType: 'InlineScript'
    Inline: |
      Set-AzKeyVaultAccessPolicy -VaultName … -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get
But it fails:
##[error]Operation returned an invalid status code 'Forbidden'
I've also noticed that this service principal for "Microsoft Azure App Service" isn't even available to my task; the following prints a blank:
$azureAppServicePrincipal = Get-AzADServicePrincipal -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd
Write-Output "azureAppServicePrincipalId = $($azureAppServicePrincipal.Id)"
Is there a way of making this service principal accessible to my pipeline?
When I tested with the parameter
Set-AzKeyVaultAccessPolicy -ServicePrincipalName other-service-principal
I get the same error. You can use ObjectId and add the
-BypassObjectIdValidation
parameter in the Set-AzKeyVaultAccessPolicy
command as a workaround. See the Note on this document. The Object id is the ObjectId that resides in
Managed application in local directory
You can also use the below Az CLI command in the Azure CLI task.
For the command
Get-AzADServicePrincipal
not returning any results: it is probably that the service principal associated with your ARM connection service does not have the Read Directory Data
permission in Microsoft Graph. You can try going to the API permissions of your service principal app and adding the proper permission. It may require your admin's consent. See this thread and this for information.
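As an added example, not code from the question or the answer: an Inline script for the AzurePowerShell@5 task that uses the directory lookup when it works and otherwise falls back to a supplied ObjectId with -BypassObjectIdValidation, then checks that the resulting policy grants nothing beyond secrets/get. KEY_VAULT_NAME, the APP_SERVICE_OBJECT_ID pipeline variable and the note about the service connection's role are placeholders and assumptions.

```powershell
# Added example; assumes the pipeline's service connection may write access policies on
# the vault (e.g. Key Vault Contributor on the vault). A 'Forbidden' from
# Set-AzKeyVaultAccessPolicy usually means that right is missing on the vault itself.
$VaultName = 'KEY_VAULT_NAME'                          # placeholder
$AppId     = 'abfa0a7c-a6b6-4736-8310-5855508787cd'    # Microsoft Azure App Service (from the question)

# Fallback: object id of the "Microsoft Azure App Service" managed application in the
# local directory, passed in as a pipeline variable (placeholder name).
$FallbackObjectId = $env:APP_SERVICE_OBJECT_ID

$sp = Get-AzADServicePrincipal -ApplicationId $AppId -ErrorAction SilentlyContinue
if ($sp) {
    # Directory read works: let the cmdlet validate the object id as usual.
    $objectId = $sp.Id
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $objectId -PermissionsToSecrets get
}
elseif ($FallbackObjectId) {
    # Directory read is blocked (no Read Directory Data permission): skip the lookup,
    # as the answer suggests, and trust the object id we were handed.
    $objectId = $FallbackObjectId
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $objectId `
        -PermissionsToSecrets get -BypassObjectIdValidation
}
else {
    throw "Cannot resolve the object id for $AppId and no APP_SERVICE_OBJECT_ID fallback was supplied."
}

# Verify the result: the policy must exist and must grant only 'get' on secrets.
# Over-granting here would let the App Service RP read every secret and key in the vault.
$policy = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $objectId }
if (-not $policy) {
    throw "Access policy for $objectId was not applied to $VaultName."
}
$secretPerms = (@($policy.PermissionsToSecrets) -join ',')
if ($secretPerms -ne 'get' -or $policy.PermissionsToKeys -or $policy.PermissionsToCertificates) {
    throw "Access policy for $objectId grants more than secrets/get ($secretPerms); review it before continuing."
}
Write-Output "Key Vault '$VaultName' now allows secrets/get for object id $objectId."
```

If the lookup branch is taken, the verification step also confirms that the object id the cmdlet resolved is the one the policy was written for.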