Cannot access keyvault secrets through service endpoint in a VSTS release

We're trying to download secrets with the download key vault secrets release task in VSTS.

The service principal is added in the key vault's access policies, all rights are checked, including get, list secrets.

I created a service endpoint with this service principal and use that to deploy to Azure, but I get the following error when trying to retrieve the keyvault secrets:

2018-05-21T12:18:53.9240364Z ##[error]Get secrets failed. Error: Access denied. Specified Azure endpoint needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it OR set them from Azure portal.

0) Go to your variables library

1) Tick on Link secrets from an Azure key vault as variables

2) Select subscription

3) Select key vault

4) Click Authorize

ACLing will be done by MS and you'll be able to use key vault task.

I'm sure there used to be an Authorize button when selecting the key vault in the task, but I may be misremembering. Just sunk 2h into figuring this out....

Issue tracked here

You need to set permission for the correct principal selected. And the principal format is:

account-<VSTS project name you are build/deploy>-ID

Detailed steps to set permission as below:

In Azure portal -> go to the Azure key vault -> Access policies -> Add new -> select template and specify permissions (Get and List permission must be set) -> select principal -> search the principal starting with account-VSTSProjectName (such as my VSTS project name is MyTest in the example below) -> Select -> Ok.

Then deploy again in VSTS release, it can download the Azure key vault successfully.

The Dev Ops server also needs to be able to access the keyvault through the firewall if the firewall is turned on ("Allow access from..." on the firewalls and virtual networks page).

The network access to the keyvault for variables is done through a non-agent part of AzDevOps I believe, but I haven't figured out how to whitelist those servers.

Turning on the "Allow trusted Microsoft services to bypass this firewall" did not work.

I had to allow access for "all networks" to work around this for now as the simplest solution.

The other safer option using an agent task and not a variable group is to...

  1. Have your own agent pool in an Azure VM
  2. Either...
    1. Connect this to a private vnet which is also connected to the KeyVault or...
    2. Whitelist the agent's public endpoint in the keyvault
  3. Read in variables from the keyvault secrets during the agent process using the KeyVault task (i.e. read the secrets as part of the pipeline).

Hope this helps. Mark.

When the error's still showing up.

Navigate to your Azure key vault. Check your Access policies.

* If the Azure role-based access control is selected

  1. Under Azure DevOps project > Project Settings > Service connections > selected Service Principal > click the Manage Service Principal.
  2. Take note of the service principal name in Azure
  3. Navigate to your Azure key vault.
  4. Under Access Control (IAM), click add role assignment
  5. Select Key Vault Secrets User. Click next.
  6. Select Members. Look for your Service Principal (in step 1)
  7. Then review + assign
  8. Click Authorize again in Dev Ops

* If the vault access policy is selected

  1. Go back to Azure DevOps, then click the Authorize button twice

I had the very same problem as MarkD, but I didn't want to keep the all networks option enabled. So I found the list of IPs you need to allow according to your region:

Region                      IP V4 ranges
Australia East              20.37.194.0/24
Australia South East        20.42.226.0/24
Brazil South                191.235.226.0/24
Central Canada              52.228.82.0/24
Asia Pacific (Singapore)    20.195.68.0/24
South India                 20.41.194.0/24
Central United States       20.37.158.0/23
West Central United States  52.150.138.0/24
East United States          20.42.5.0/24
East 2 United States        20.41.6.0/23
North United States         40.80.187.0/24
South United States         40.119.10.0/24
West United States          40.82.252.0/24
West 2 United States        20.42.134.0/23
Western Europe              40.74.28.0/23
United Kingdom South        51.104.26.0/24

Just locate the IP range of your resource location and input it in the field Number 3 in the screenshot below. Don't forget to save (Number 4).

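The answers above describe three distinct reasons the "Get secrets failed. Error: Access denied" message appears: the access policy is attached to the wrong principal or lacks Get/List on secrets, the vault is in RBAC mode so access policies are ignored, or the vault firewall (default action Deny) does not allow the Azure DevOps range for the region. The script below is an added example, not code from any of the answers or from Microsoft, that audits a vault description for all three before you touch the pipeline again. It assumes the JSON is shaped like `az keyvault show -o json` output (the `enableRbacAuthorization`, `accessPolicies`, `permissions.secrets` and `networkAcls` field names are that assumption), uses a constructed sample vault with placeholder object IDs, and embeds the region table from the answer above.

```python
import ipaddress
import json

# Azure DevOps region -> IPv4 ranges, copied from the table in the answer above.
AZDO_REGION_RANGES = {
    "Australia East": ["20.37.194.0/24"],
    "Australia South East": ["20.42.226.0/24"],
    "Brazil South": ["191.235.226.0/24"],
    "Central Canada": ["52.228.82.0/24"],
    "Asia Pacific (Singapore)": ["20.195.68.0/24"],
    "South India": ["20.41.194.0/24"],
    "Central United States": ["20.37.158.0/23"],
    "West Central United States": ["52.150.138.0/24"],
    "East United States": ["20.42.5.0/24"],
    "East 2 United States": ["20.41.6.0/23"],
    "North United States": ["40.80.187.0/24"],
    "South United States": ["40.119.10.0/24"],
    "West United States": ["40.82.252.0/24"],
    "West 2 United States": ["20.42.134.0/23"],
    "Western Europe": ["40.74.28.0/23"],
    "United Kingdom South": ["51.104.26.0/24"],
}

# Secret permissions the Key Vault task needs (quoted from the error message).
REQUIRED_SECRET_PERMISSIONS = {"get", "list"}

# Constructed sample shaped like `az keyvault show -o json` output (assumption:
# field names follow that CLI output). Object IDs are placeholders, not real.
SAMPLE_VAULT = json.loads("""
{
  "name": "kv-example",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"keys": [], "secrets": ["Get"], "certificates": []}},
      {"objectId": "00000000-0000-0000-0000-000000000002",
       "permissions": {"keys": [], "secrets": ["Get", "List", "Set"], "certificates": []}}
    ],
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [{"value": "40.74.28.0/23"}, {"value": "203.0.113.7/32"}],
      "virtualNetworkRules": []
    }
  }
}
""")


def check_secret_permissions(vault, principal_object_id):
    """Classify why the Key Vault task would be denied for one principal.

    Returns (status, missing) with status one of
    'ok', 'missing-permissions', 'no-policy', 'rbac-mode'.
    """
    props = vault["properties"]
    if props.get("enableRbacAuthorization"):
        # Access policies are ignored in RBAC mode; the principal needs the
        # 'Key Vault Secrets User' role assignment instead (see answer above).
        return "rbac-mode", sorted(REQUIRED_SECRET_PERMISSIONS)
    for policy in props.get("accessPolicies", []):
        if policy["objectId"].lower() != principal_object_id.lower():
            continue  # policy belongs to a different principal
        granted = {p.lower() for p in policy["permissions"].get("secrets", [])}
        missing = sorted(REQUIRED_SECRET_PERMISSIONS - granted)
        return ("ok" if not missing else "missing-permissions"), missing
    return "no-policy", sorted(REQUIRED_SECRET_PERMISSIONS)


def uncovered_region_ranges(vault, region):
    """Return the Azure DevOps ranges for `region` that the vault firewall blocks.

    An empty list means the firewall is off (default action Allow) or every
    range for the region lies inside an existing IP rule.
    """
    acls = vault["properties"].get("networkAcls") or {}
    if acls.get("defaultAction", "Allow").lower() == "allow":
        return []
    # A bare IP in an ipRule parses as a /32 network; strict=False tolerates host bits.
    allowed = [ipaddress.ip_network(rule["value"], strict=False)
               for rule in acls.get("ipRules", [])]
    uncovered = []
    for cidr in AZDO_REGION_RANGES[region]:
        needed = ipaddress.ip_network(cidr)
        if not any(needed.version == a.version and needed.subnet_of(a) for a in allowed):
            uncovered.append(cidr)
    return uncovered


if __name__ == "__main__":
    for oid in ("00000000-0000-0000-0000-000000000001",
                "00000000-0000-0000-0000-000000000002",
                "00000000-0000-0000-0000-000000000003"):
        print(oid, check_secret_permissions(SAMPLE_VAULT, oid))
    for region in ("Western Europe", "East United States"):
        print(region, uncovered_region_ranges(SAMPLE_VAULT, region))
```

Feed it the real vault JSON (`az keyvault show -n <vault> -o json`) and the object ID shown under Manage Service Principal for the service connection; a `no-policy` result is the "wrong principal" case from the answer above, and a non-empty list from `uncovered_region_ranges` is the firewall case, which is exactly why "Allow trusted Microsoft services" alone did not help for this vault (its `bypass` is set, but the region range is still outside the IP rules).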
