I am trying to import App Configuration key-values using DevOps CI/CD pipelines. App Configuration had:
- Private Endpoint enabled, public access disabled.
- Private DNS zone contains an A record set of the App Configuration (private IP address of the Azure App Configuration added to the private DNS zone).
- Access keys are toggled off and managed identity is used.
- DevOps: Had set up a self-hosted agent using a virtual machine that belongs to the same VNET and subnet as the App Configuration private endpoint.
- RBAC: The DevOps service principal has the Azure RBAC roles Owner and Azure App Configuration Data Owner.
- The subnet is associated with an NSG and its rules are shown in the snapshot.
- Had enabled the managed identity of the App Configuration.
az appconfig kv import --profile appconfig/kvset --name <your store name> --source file --path appconfigdata.json --format json
Issue: At first, App Configuration had public access and I used Microsoft agent pipelines for importing, and it was a success. Later I decided to secure access using a private endpoint, so I followed all the above steps and ensured everything is aligned correctly. Whenever I run the pipeline, I get the issue below. I explored a lot on this issue and am still unable to find the root cause.
What am I missing?
ERROR: Cannot find a read write access key for the App Configuration
YAML:
steps:
- task: AzureCLI@2
  displayName: 'Azure CLI - Update AppConfig'
  inputs:
    azureSubscription: 'Test-SPN-NonProd'
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
      az appconfig kv import -n $(tst-appconfigName) -s file --format json --path ./dev-appconfig.json --profile appconfig/kvset --y
    workingDirectory: '$(System.DefaultWorkingDirectory)/AzureFunctionShared/drop/AppConfig'
  condition: succeededOrFailed()



I can reproduce the issue with the same settings as you.
The cause is that the default value of the --auth-mode parameter is key. It tries to retrieve the account access keys for authorization by default if you don't specify another value for it, even though you have toggled off the Access keys. See az appconfig kv import - Optional Parameters for details.
To resolve the issue, we can add the --auth-mode login parameter in your command.
It works as expected on my side.
So, please try adding the --auth-mode login parameter in your command to get it to work.
UPDATE:
The issue is on the network between the agent and the App Configuration instance. It seems that the VM is blocked by the NSG rules; please check your rule settings and reference this thread for further troubleshooting.
BTW, per the message, the client IP seems to be a public IP. Just try to enable the third option on the Public Access tab to see if it works.
UPDATE2:
As confirmed by PavanKumar, it turns out that the App Configuration resides in another resource group. The issue was resolved with the help of VNET peering. Most important was providing RBAC roles to the SPN.
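
An added example (not from the question or the answer) that combines the two findings above into one pre-import check: it stops early when the store's hostname does not resolve to a private address from the agent, and otherwise runs the import with --auth-mode login. It assumes a Linux self-hosted agent with a POSIX shell, `getent` and the Azure CLI; the function names are illustrative.

```sh
#!/bin/sh
# Added example, not the original poster's pipeline script.
# Assumption: Linux self-hosted agent with getent and the Azure CLI installed.

# Succeed only for RFC 1918 IPv4 addresses, which is what the private DNS
# zone's A record for the store should return inside the VNET.
is_private_ipv4() {
  case "$1" in
    ''|*[!0-9.]*) return 1 ;;          # empty, or not a dotted-decimal string
  esac
  case "$1" in
    10.*.*.*|192.168.*.*) return 0 ;;
    172.1[6-9].*.*|172.2[0-9].*.*|172.3[01].*.*) return 0 ;;
  esac
  return 1
}

# First IPv4 address the agent's resolver returns for a hostname.
resolve_ipv4() {
  getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# $1 = App Configuration store name, $2 = path to the kvset JSON file.
preflight_and_import() {
  store="$1"
  file="$2"
  host="${store}.azconfig.io"
  ip="$(resolve_ipv4 "$host")"
  if ! is_private_ipv4 "$ip"; then
    # A public or empty answer means the agent is not using the private DNS
    # zone (VNET link or peering missing), so the data-plane call would
    # leave the VNET and be rejected by the store.
    echo "ERROR: $host resolves to '${ip:-nothing}', not a private endpoint IP" >&2
    return 1
  fi
  # Access keys are disabled, so authenticate with the signed-in identity
  # (needs the Azure App Configuration Data Owner role on the store).
  az appconfig kv import -n "$store" -s file --format json --path "$file" \
    --profile appconfig/kvset --auth-mode login --yes
}

# Run stand-alone as: ./import.sh <store-name> <kvset.json>
if [ "$#" -eq 2 ]; then
  preflight_and_import "$1" "$2"
fi
```
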