在 Azure powershell 任务中添加/获取 Azure Keyvault 的秘密

Question

I am trying to set the secrets inside my Azure Keyvault using the Azure Powershell Task in Azure DevOps. I use the following code:

Set-AzureKeyVaultSecret -VaultName $KeyvaultName -Name $SecretName -SecretValue $secretvalue

With the names and the value all setup inside variables and tried to use this without also variables. The value is saved as a secure string with the following code. ConvertTo-SecureString

But when I run this powershell code inside my Azure DevOps Release pipeline I keep getting following Error message:

Cannot retrieve access token for resource 'AzureKeyVaultServiceEndpointResourceId'.  Please ensure that you have provided the appropriate access tokens when using access token login.

So I've made sure that the service principal and the build server are having the right access on the keyvault by adding them both to the access policies with the get,list,set secrets permission.

I've also added following lines of code to make sure that the profile is loaded correctly

########################################################################################
$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azureRmProfile)
$context = Get-AzureRmContext
$AzureToken = $profileClient.AcquireAccessToken($context.Tenant.Id)
Add-AzureRmAccount -AccessToken $AzureToken.AccessToken -AccountId $AzureToken.UserId
########################################################################################

By adding this code in the beginning of the inline script and using the profile with the commando as variable to the -DefaultProfile.

I also enabled the option to enable the script to access the Oauth token.

Is there someone who also tried to set the secret from the powershell task in Azure DevOps. Or know why the powershell script can't get access on the keyvault. The azurermContext commando provided me with the right output, even tried the Get-AzureRmKeyvault command to figure out if the connection to the environment was already setup right. And that also didn't gave any problems.

Answer 1

below working for sure (using this reguarly)

Set-AzContext -SubscriptionId $SubscriptionId
## $SubscriptionId is a subscription ID where is the target KV

$Secretvalue = ConvertTo-SecureString $SecretValuePlainText -AsPlainText -Force
## $SecretValuePlainText is the secret to store

Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName -SecretValue $Secretvalue -ErrorVariable setSecretError -Expires $ExpirationDate -NotBefore $ActivationDate
## $SecretName, $ExpirationDate, $ActivationDate - obvious :)

of course if your refer to variable not from script or inline, but from release the use $(variable_name)

Service Principal/Service Connection we use for this is temporary an Owner of target subscription (or key vault, up to you).

Answer 2

I had the exact same issue. Found that the problem was a missing access token.

Namely -KeyVaultAccessToken when you call Add-AzureRmAccount .

Found the solution here: https://github.com/Azure/azure-powershell/issues/4818#issuecomment-376155173

Answer 3

I fixed my question with the following.

I used a service connection that was based on a managed identity. And this needed some workaround to access the key vault like @john mentioned. But this was unnecessary. by creating a new service connection based on a service principal. This workaround was not necessary and fixed the issue.