
I am trying to set secrets inside my Azure Key Vault using the Azure PowerShell task in Azure DevOps. I use the following code:

Set-AzureKeyVaultSecret -VaultName $KeyvaultName -Name $SecretName -SecretValue $secretvalue

with the names and the value all set up in variables; I also tried this without variables. The value is saved as a secure string with ConvertTo-SecureString.

But when I run this PowerShell code inside my Azure DevOps release pipeline I keep getting the following error message:

Cannot retrieve access token for resource 'AzureKeyVaultServiceEndpointResourceId'. Please ensure that you have provided the appropriate access tokens when using access token login.

So I've made sure that the service principal and the build server have the right access on the key vault by adding them both to the access policies with the get, list and set secrets permissions.

I've also added the following lines of code to make sure that the profile is loaded correctly:

# Take the profile that the Azure PowerShell task already created for the service connection
$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azureRmProfile)
$context = Get-AzureRmContext
# Acquire an access token for the current tenant (this is a Resource Manager token) ...
$AzureToken = $profileClient.AcquireAccessToken($context.Tenant.Id)
# ... and log in again with it
Add-AzureRmAccount -AccessToken $AzureToken.AccessToken -AccountId $AzureToken.UserId

I added this code at the beginning of the inline script and passed the profile to the command as the -DefaultProfile variable.

I also enabled the option that allows the script to access the OAuth token.

Has someone else tried to set a secret from the PowerShell task in Azure DevOps, or does anyone know why the PowerShell script can't get access to the key vault? The Get-AzureRmContext command gave me the right output, and I even tried the Get-AzureRmKeyVault command to check whether the connection to the environment was already set up correctly; that didn't give any problems either.

3 Answers


The below works for sure (I use this regularly):

Set-AzContext -SubscriptionId $SubscriptionId
## $SubscriptionId is the ID of the subscription that holds the target Key Vault

$Secretvalue = ConvertTo-SecureString $SecretValuePlainText -AsPlainText -Force
## $SecretValuePlainText is the secret to store

Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName -SecretValue $Secretvalue -ErrorVariable setSecretError -Expires $ExpirationDate -NotBefore $ActivationDate
## $SecretName, $ExpirationDate, $ActivationDate - obvious :)

Of course, if you refer to a variable not from the script or inline code but from the release, use $(variable_name).

The service principal/service connection we use for this is temporarily an Owner of the target subscription (or of the key vault, up to you).


2 Comments

Tried out your answer but this gave me the exact same error :( Thanks for answering
Doing the same, but while the script is running I am getting this error: Cannot bind parameter 'SecretValue'. Cannot convert the "System.Security.SecureString" value of type "System.String" to type "System.Security.SecureString"
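The following is an added example, not code from the answer or the comments above: a script for the Azure PowerShell task (Az module) that does what the answer describes end to end, with the input normalisation, error check and read-back verification the answer leaves implicit. The parameter names and the version comparison are my own; the task is assumed to have already authenticated with the service connection, and release variables are assumed to arrive as script arguments (for example `-KeyVaultName "$(KeyVaultName)" -SecretValue "$(SecretValue)"`).

```powershell
# Added example (assumptions: Az.Accounts and Az.KeyVault are loaded and the
# task has already run Connect-AzAccount for the service connection).
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $KeyVaultName,
    [Parameter(Mandatory)] [string] $SecretName,
    # Accept either plain text (what a $(variable) expands to) or a SecureString,
    # so the caller never hits the "Cannot convert ... System.String to
    # System.Security.SecureString" parameter-binding error.
    [Parameter(Mandatory)] [object] $SecretValue,
    [datetime] $ActivationDate = (Get-Date),
    [datetime] $ExpirationDate = (Get-Date).AddDays(90)
)

$ErrorActionPreference = 'Stop'

# Pin the subscription that owns the target vault.
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Normalise the value to a SecureString. Interpolating a SecureString into a
# string ("$secure") yields the literal text "System.Security.SecureString",
# which is not the secret; reject that explicitly instead of storing it.
if ($SecretValue -is [System.Security.SecureString]) {
    $secure = $SecretValue
}
elseif ($SecretValue -is [string]) {
    if ($SecretValue -eq 'System.Security.SecureString') {
        throw 'SecretValue is the type name of a stringified SecureString, not the secret; pass the plain text or the SecureString object itself.'
    }
    if ([string]::IsNullOrWhiteSpace($SecretValue)) {
        throw 'SecretValue is empty; check that the release variable is mapped into the task.'
    }
    $secure = ConvertTo-SecureString -String $SecretValue -AsPlainText -Force
}
else {
    throw "SecretValue must be a string or a SecureString, got $($SecretValue.GetType().FullName)"
}

# Write the secret. The identity needs 'set' on secrets in the access policy
# (or Key Vault Secrets Officer on an RBAC vault); surface a readable failure.
$result = Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName `
    -SecretValue $secure -NotBefore $ActivationDate -Expires $ExpirationDate `
    -ErrorAction SilentlyContinue -ErrorVariable setSecretError
if ($setSecretError -or -not $result) {
    throw "Set-AzKeyVaultSecret failed for '$SecretName' in '$KeyVaultName': $setSecretError"
}

# Verify without ever printing the value: read the metadata back (needs 'get')
# and confirm the current version is the one just written.
$current = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName
if ($current.Version -ne $result.Version) {
    throw "Wrote version $($result.Version) but the vault now reports $($current.Version)"
}
Write-Host "Secret '$SecretName' version $($result.Version) stored in '$KeyVaultName' (expires $($result.Expires))"
```

Only the version and expiry are logged; the plain-text value never reaches the pipeline log. The same script fails with a clear message if the vault name is wrong, the identity lacks set or get on secrets, or the secret variable was not mapped into the task.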

I had the exact same issue. Found that the problem was a missing access token.

Namely -KeyVaultAccessToken when you call Add-AzureRmAccount.

Found the solution here: https://github.com/Azure/azure-powershell/issues/4818#issuecomment-376155173

1 Comment

Tried out your answer and this seemed to work at first. But when I tried to set or even get a key vault secret I got an unauthorized error message, so I guess with the Add-AzureRmAccount I've logged in as a different user somehow. This is my code:

$context = Get-AzureRmContext
Add-AzureRmAccount -AccountId $context.Account.Id -AccessToken $context.Account.AccessToken -KeyVaultAccessToken $context.Account.AccessToken
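An added example of the access-token login the answer above points to, not code from the answer, the comment or the linked GitHub issue. It assumes the build agent is an Azure VM with a managed identity (so the Instance Metadata Service at 169.254.169.254 is reachable) and the Az module; the helper names Get-ImdsToken and Get-JwtClaims and the vault and secret names are my own. The point it demonstrates is that the management-plane token and the Key Vault token are different tokens with different audiences: the vault data plane only accepts a token issued for https://vault.azure.net, so one is requested per audience and the audiences are checked before logging in.

```powershell
# Added example; assumes an Azure VM agent with a managed identity and Az.Accounts/Az.KeyVault.
function Get-ImdsToken {
    # Request a token from the Azure Instance Metadata Service for one audience.
    # The Metadata header is mandatory and the request must not go through a proxy.
    param([Parameter(Mandatory)][string] $Resource)
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($Resource)
    return Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Metadata = 'true' }
}

function Get-JwtClaims {
    # Decode the payload of a JWT for diagnostics only; no signature verification here.
    param([Parameter(Mandatory)][string] $Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

$ErrorActionPreference = 'Stop'
$vaultName  = 'my-vault'     # assumed vault name
$secretName = 'my-secret'    # assumed secret name

# One token per audience. The ARM token is what the task normally logs the
# module in with; the Key Vault data plane rejects it because it checks for
# aud = https://vault.azure.net, so a second token for that resource is needed.
$arm = Get-ImdsToken -Resource 'https://management.azure.com/'
$kv  = Get-ImdsToken -Resource 'https://vault.azure.net'

$armClaims = Get-JwtClaims $arm.access_token
$kvClaims  = Get-JwtClaims $kv.access_token
Write-Host "ARM token audience: $($armClaims.aud)"
Write-Host "KV token audience:  $($kvClaims.aud)"
if ($kvClaims.aud -notlike 'https://vault.azure.net*') {
    throw "Key Vault token has audience '$($kvClaims.aud)'; the data plane will answer 401"
}

# Log in with both tokens. For a managed-identity token the client_id returned by
# IMDS is used as -AccountId and the tid claim supplies the tenant (assumption).
Connect-AzAccount -AccessToken $arm.access_token `
                  -KeyVaultAccessToken $kv.access_token `
                  -AccountId $arm.client_id `
                  -Tenant $armClaims.tid | Out-Null

# Prove the data-plane token works: read metadata only, never the value.
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
Write-Host "Read '$secretName' version $($secret.Version) from '$vaultName'"
```

With the AzureRM module the equivalent call is Add-AzureRmAccount -AccessToken ... -KeyVaultAccessToken ... -AccountId ..., with the same requirement that the second token was issued for the vault audience; passing the management token in both parameters gives a token the vault rejects with 401.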

I fixed my problem with the following.

I used a service connection that was based on a managed identity, and this needed a workaround to access the key vault, like @john mentioned. But this was unnecessary: by creating a new service connection based on a service principal, the workaround was no longer needed and the issue was fixed.
