Cannot access keyvault secrets through service endpoint in a VSTS release
We're trying to download secrets with the download key vault secrets release task in VSTS.
The service principal is added in the key vault's access policies, all rights are checked, including get, list secrets.
I created a service endpoint with this service principal and use that to deploy to Azure, but I get the following error when trying to retrieve the keyvault secrets:
2018-05-21T12:18:53.9240364Z ##[error]Get secrets failed. Error: Access denied. Specified Azure endpoint needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it OR set them from Azure portal.
0) Go to your variables library
1) Tick on Link secrets from an Azure key vault as variables
2) Select subscription
3) Select key vault
4) Click Authorize
ACLing will be done by MS and you'll be able to use key vault task.
I'm sure there used to be an Authorize button when selecting the key vault in the task, but I may be misremembering. Just sunk 2h into figuring this out....
You need to set permission for the correct principal selected. And the principal format is:
account-<VSTS project name you are build/deploy>-ID
Detailed steps to set permission are as below:
In Azure portal -> go to the Azure key vault -> Access policies -> Add new -> select template and specify permissions (Get and List permission must be set) -> select principal -> search the principal starting with account-VSTSProjectName (such as my VSTS project name is MyTest in the example below) -> Select -> Ok.
Then deploy again in VSTS release, it can download the Azure key vault successfully.
The Dev Ops server also needs to be able to access the keyvault through the firewall if the firewall is turned on ("Allow access from..." on the firewalls and virtual networks page).
The network access to the keyvault for variables is done through a non-agent part of AzDevOps I believe, but I haven't figured out how to whitelist those servers.
Turning on the "Allow trusted Microsoft services to bypass this firewall" did not work.
I had to allow access for "all networks" to work around this for now as the simplest solution.
The other safer option using an agent task and not a variable group is to..
Hope this helps. Mark.
When the error's still showing up:
Navigate to your Azure key vault. Check your Access policies
* If the Azure role-based access control is selected
* If the vault access policy is selected
I had the very same problem as MarkD, but I didn't want to keep the all networks option enabled. So I found the list of IPs you need to allow according to your region:
Region IP V4 ranges
Australia East 20.37.194.0/24
Australia South East 20.42.226.0/24
Brazil South 191.235.226.0/24
Central Canada 52.228.82.0/24
Asia Pacific (Singapore) 20.195.68.0/24
South India 20.41.194.0/24
Central United States 20.37.158.0/23
West Central United States 52.150.138.0/24
East United States 20.42.5.0/24
East 2 United States 20.41.6.0/23
North United States 40.80.187.0/24
South United States 40.119.10.0/24
West United States 40.82.252.0/24
West 2 United States 20.42.134.0/23
Western Europe 40.74.28.0/23
United Kingdom South 51.104.26.0/24
Just locate the IP range of your resource location and input it in the field Number 3 in the screenshot below. Don't forget to save (Number 4).
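As an added check that is not part of the question or any of the answers, the Python below reads the JSON that `az keyvault show` prints and reports the two causes of the "Access denied" error discussed on this page: the principal lacking Get/List secret permissions, and the vault firewall not allowing the Azure DevOps range for the region. The JSON field layout is assumed from the CLI output, and the object id and sample vault are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample in the shape `az keyvault show` returns (field names are an
# assumption); the object id is a placeholder, not a real principal.
SAMPLE_VAULT_JSON = json.dumps({
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {"objectId": "00000000-0000-0000-0000-000000000001",
             "permissions": {"secrets": ["get"], "keys": [], "certificates": []}}
        ],
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                        "ipRules": [{"value": "40.74.28.0/23"}]},
    }
})

# Subset of the per-region Azure DevOps ranges listed in the answer above.
DEVOPS_RANGES = {"Western Europe": "40.74.28.0/23", "East United States": "20.42.5.0/24"}


def check_vault(vault_json, principal_object_id, region):
    """Return the reasons the key vault task would fail for this principal; empty if none."""
    props = json.loads(vault_json)["properties"]
    problems = []
    if props.get("enableRbacAuthorization"):
        # Access policies are ignored on RBAC vaults; the principal needs a role assignment.
        problems.append("vault uses Azure RBAC: access policies are ignored, assign a role instead")
    else:
        policy = next((p for p in props.get("accessPolicies", [])
                       if p["objectId"].lower() == principal_object_id.lower()), None)
        if policy is None:
            problems.append(f"no access policy for principal {principal_object_id}")
        else:
            granted = {s.lower() for s in policy["permissions"].get("secrets", [])}
            missing = {"get", "list"} - granted
            if missing:
                problems.append("secret permissions missing: " + ", ".join(sorted(missing)))
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow").lower() == "deny":
        # Firewall is on: the DevOps range for the region must be covered by an ipRule.
        needed = ipaddress.ip_network(DEVOPS_RANGES[region])
        allowed = [ipaddress.ip_network(r["value"], strict=False) for r in acls.get("ipRules", [])]
        if not any(needed.subnet_of(a) for a in allowed):
            problems.append(f"firewall denies {needed} (Azure DevOps range for {region})")
    return problems
```

Run it against `az keyvault show --name <vault> -o json` output to see which of the two fixes in the answers applies before changing anything in the portal.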