Azure DevOps: Link secrets from an Azure Key Vault with IP restrictions - authorization fails? RRS feed

All replies

  • I believe you are restricted by Azure Key Vault access policy and you may need to give explicit permissions to the Service Principal of your DevOps project to access Keys/Secrets from your key vault.  Please use the below command to set up the Azure Key Vault Access policy - 

    $spn= Get-AzureRmADServicePrincipal -spn <<DevOpsSPN>>
    Set-AzureRmKeyVaultAccessPolicy -VaultName <<KeyVaultName>> -ObjectId $spn.Id -PermissionsToSecrets get,list;
    You can find the <<DevOpsSPN>> by going to your DevOps Project Settings > Pipelines > Service Connections and click on "Update Service Connection". 
    Monday, April 8, 2019 9:14 PM
  • Please let me know if you find above reply useful. If yes, do click on 'Mark as answer' link in above reply. This will help other community members facing similar query to refer to this solution. Thanks.
    Tuesday, April 16, 2019 11:17 PM
  • Dear SaurabhSharma,

    Unfortunately this is not the solution to the problem. We are facing the same problem when we configure a Key Vault with IP restrictions and also connected to a VNET. When I remove the Vnet integration, the library in Azure DevOps can autorize, but as soon as I configure the VNET, the library in Azure DevOps can't autorize the keyvault connection.

    The ServicePrincipal has all the right's (RBAC contributor and an "Get/List secrets" access policy. Also the "Allow trusted Microsoft services to bypass this firewall" setting is enabled.
    I also tried to add the IP address ranges and to the keyvault allow list, but this is also not working.



    Monday, June 3, 2019 10:30 AM
  • Hi,

    I'm having the same issue. I'm unable to use a Azure DevOps Library group with the firewall set to all, even if I add the Azure DevOps IP exceptions as Ton has mentioned above.

    It is as if Azure DevOps is using other IP address not mentioned in that article.


    Thursday, July 18, 2019 2:34 PM
  • I know this is an older post however I wanted to reply just in case someone else runs into it.

    So you can use the firewall you just need to white-list the services for the region your Azure DeOps is located.

    For me it was all the IPs under Azure DevOps Services - Central United States


    Look for the table under the comment "Azure DevOps Services"

    Friday, August 30, 2019 5:25 PM