I'm using the Microsoft extension to access Key Vaults from Azure DevOps to fetch a secret from the vault. I'm getting this error message, which appears to say that I need to grant the Azure DevOps agent access rights to the Key Vault.
"Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request"
I have this running on a separate test subscription where the Azure DevOps account has Contributor access under Role Assignments, the same as on the PROD subscription where the error message is coming up.
Any insights would be greatly appreciated.
Thanks,
This seems to be an issue with Azure Key Vaults defined with service endpoints. As Azure DevOps is not a trusted service, it does not have access to the endpoint. The workaround is to whitelist the IP of the agent right from the pipeline, removing it after you've obtained the secrets (figuring out how to do this now). This is referenced here and here.
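The "open the firewall, read, close it again" step the answer describes, written out as an added example rather than code from the original post. It is meant to run in an Azure PowerShell task of the pipeline, using the task's service connection. Assumptions not stated on the page: the service connection has Contributor on the vault (to edit network rules) and Get on secrets (access policy or RBAC); the vault and secret names are placeholders; the agent's public IP is discovered through api.ipify.org, which is this example's choice, not something the pipeline provides; Az.KeyVault 3.0 or later, for `-AsPlainText`.

```powershell
# Added example: punch a /32 hole in the Key Vault firewall for the agent, read one
# secret, and close the hole again even if the read fails.
$ErrorActionPreference = 'Stop'
$VaultName      = 'my-keyvault'   # placeholder
$SecretName     = 'my-secret'     # placeholder
$OutputVariable = 'MySecret'      # pipeline variable that later tasks will read

# 1. Find the address the vault will see. Hosted agents have no fixed IP, so ask an
#    IP-echo service (assumed here); a self-hosted agent can use its known NAT address.
$agentIp = (Invoke-RestMethod -Uri 'https://api.ipify.org' -TimeoutSec 15).Trim()
if ($agentIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Unexpected IP echo reply: $agentIp" }
$rule = "$agentIp/32"

try {
    # 2. Add only this /32; the vault's DefaultAction stays Deny for everyone else.
    Add-AzKeyVaultNetworkRule -VaultName $VaultName -IpAddressRange $rule | Out-Null
    Write-Host "Added Key Vault network rule for $rule"

    # 3. The rule takes a few seconds to apply, so retry the read instead of sleeping blindly.
    $value = $null
    for ($attempt = 1; $attempt -le 6 -and -not $value; $attempt++) {
        try {
            $value = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText
        } catch {
            # Anything other than a firewall rejection is a real error; surface it.
            if ($_.Exception.Message -notmatch 'Forbidden|403|not authorized') { throw }
            Start-Sleep -Seconds (5 * $attempt)
        }
    }
    if (-not $value) { throw "Secret '$SecretName' still not readable after the firewall rule was added" }

    # 4. Hand the value to later tasks as a secret variable so the log masks it.
    Write-Host "##vso[task.setvariable variable=$OutputVariable;issecret=true]$value"
}
finally {
    # 5. Always remove the rule, including on failure: the hosted-agent egress address
    #    is not yours alone, and leaving it allow-listed widens the vault's exposure.
    try {
        Remove-AzKeyVaultNetworkRule -VaultName $VaultName -IpAddressRange $rule | Out-Null
        Write-Host "Removed Key Vault network rule for $rule"
    } catch {
        Write-Warning "Could not remove network rule $rule from $VaultName; remove it by hand: $($_.Exception.Message)"
    }
}
```

The `finally` block is the security-relevant part: the window in which the vault accepts traffic from that address should be measured in seconds, and it must close on the failure path too. If this turns out to be needed on every run, a self-hosted agent in a subnet that carries the Key Vault service endpoint the vault already trusts avoids touching the firewall at all.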
I have an SSL cert in my Azure Key Vault that I am trying to import to the correct App Service.
I am the owner of the Azure subscription and I have given the App Service GET and LIST permissions for certificates on the vault.
On my App Service I click TLS/SSL settings > Private Key Certificates (.pfx) > Import Key Vault Certificate
This is the message I receive
Another owner on the subscription is able to complete this process successfully, so I am not sure why I am not able to when we both have Owner roles on the subscription.
Is anyone able to offer any suggestions please?
When you try the operation from the Azure Portal and you are an Owner of the subscription, Azure by default adds an access policy for the Azure App Service resource provider, and you do not need to add any further access policies for the Web App.
Example:
I created a Web App with a system-assigned managed identity and a Key Vault with the below access policies added. I am an Owner of the subscription and a user in Azure Active Directory.
When I perform the import certificate operation in the TLS/SSL settings, the access policy gets automatically updated with the Azure App Service service principal credential.
In your case it is not able to find the details of the resource provider service principal. As a solution, you can try adding Microsoft.Azure.CertificateRegistration (ObjectId: ed47c2a1-bd23-4341-b39c-f4fd69138dd3), Microsoft Azure App Service (Internal) (ObjectId: 505e3754-d8a9-4f8b-97b6-c3e48ac7a543) and Microsoft Azure App Service (ObjectId: f8daea97-62e7-4026-becf-13c2ea98e8b4) to the access policy for the Key Vault.
Note: if the issue is still not resolved, please reach out to Azure Support for better assistance.
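The access-policy grant from the answer, as an added example (not the answerer's own code). It resolves the three principals by display name instead of pasting object IDs, because a service principal's object ID is specific to the tenant it lives in, so the IDs quoted in the answer will not match another tenant. Assumptions: the vault uses access policies rather than RBAC; the vault name is a placeholder; the display names are exactly those the answer lists; Get on secrets is included in addition to the question's Get/List on certificates because a Key Vault certificate's private key material is stored in the certificate's secret version.

```powershell
# Added example: grant the App Service resource-provider principals read access on the
# vault, looking each one up in the current tenant.
$ErrorActionPreference = 'Stop'
$VaultName = 'my-keyvault'   # placeholder

$principalNames = @(
    'Microsoft Azure App Service',
    'Microsoft Azure App Service (Internal)',
    'Microsoft.Azure.CertificateRegistration'
)

foreach ($name in $principalNames) {
    $sp = Get-AzADServicePrincipal -DisplayName $name
    if (-not $sp) {
        # The principal only exists in a tenant once the App Service RP has been used there;
        # a missing one is the same symptom the answer describes, so report it rather than fail.
        Write-Warning "No service principal named '$name' in this tenant; skipping"
        continue
    }
    foreach ($p in @($sp)) {
        Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $p.Id `
            -PermissionsToSecrets get `
            -PermissionsToCertificates get, list
        Write-Host "Granted '$name' ($($p.Id)) secrets:get, certificates:get/list on $VaultName"
    }
}

# Show the resulting policies so the grant can be reviewed before the import is retried.
(Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Select-Object DisplayName, ObjectId, PermissionsToSecrets, PermissionsToCertificates |
    Format-Table -AutoSize
```

Only read permissions are granted: the import needs to fetch the certificate, not write or purge anything, and the review table at the end makes it easy to spot a policy that ended up broader than intended.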
I'm trying to use the Azure VM connector to start and stop a virtual machine.
When I edit the Logic App it uses my User Id to authenticate (successfully).
However, my User Id is in a different Tenant than the VM. The Start Virtual Machine connector allows you to specify the SubscriptionId, ResourceGroup, and VM Name, but not the TenantId.
I get an Authorization (401) error (InvalidAuthenticationTokenTenant) when I try to run the Logic App. How can I specify the correct TenantId to get it working?
"error": { "code": "InvalidAuthenticationTokenTenant", "message": "The access token is from the wrong issuer 'https://sts.windows.net/a35caae4-15e1-4518-bd0f-c1fd0f22814c/'. It must match the tenant 'https://sts.windows.net/600ab0db-7c24-401f-b5be-d765e88dfb09/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/600ab0db-7c24-401f-b5be-d765e88dfb09b' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later." }
I solved the problem by doing three things:
Enable managed identity for the Logic App
Add a new role assignment in the VM's Access Control (IAM) section for the Logic App
Update the Start virtual machine task in the Logic App to connect using the managed identity
The following link, regarding Azure Functions to start/stop VMs, provided the basic steps that I applied to the Azure Logic App(s) in my case.
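The role-assignment step from the answer, as an added example (not the answerer's own code), scoped to the one VM rather than the subscription. Assumptions not stated on the page: the Logic App's system-assigned identity has already been enabled (the answer's first step, done in the portal); the Logic App and the VM are in the subscription of the current Az context, which is why the tenant mismatch from the question goes away; the names are placeholders.

```powershell
# Added example: give a Logic App's system-assigned identity just enough to start and
# stop one VM, and do nothing if the assignment already exists.
$ErrorActionPreference = 'Stop'
$LogicAppName    = 'start-stop-vm-logicapp'   # placeholder
$VmResourceGroup = 'vm-rg'                    # placeholder
$VmName          = 'my-vm'                    # placeholder

# A system-assigned identity shows up as a service principal whose display name is the
# resource name, so it can be resolved without copying the object ID from the portal.
$identity = @(Get-AzADServicePrincipal -DisplayName $LogicAppName)
if ($identity.Count -eq 0) { throw "No managed identity named '$LogicAppName'; enable it on the Logic App first" }
if ($identity.Count -gt 1) { throw "More than one principal is named '$LogicAppName'; pass the object ID explicitly" }
$principalId = $identity[0].Id

# Scope the grant to the VM's resource ID. Virtual Machine Contributor on a single VM
# covers start/powerOff/deallocate and does not reach anything else in the group.
$scope = (Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName).Id
$role  = 'Virtual Machine Contributor'

$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope -RoleDefinitionName $role
if ($existing) {
    Write-Host "'$role' is already assigned to $principalId on $scope; nothing to do"
} else {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope | Out-Null
    Write-Host "Granted '$role' on $scope to identity $principalId"
}
```

If the Logic App should never be able to do anything but start and stop, a custom role containing only `Microsoft.Compute/virtualMachines/start/action`, `Microsoft.Compute/virtualMachines/powerOff/action` and `Microsoft.Compute/virtualMachines/read` is tighter still; the scope stays the same.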
I am trying to set up an Azure Service Manager connection from VSTS for a CI/CD pipeline, but it is failing. I have already made the below changes in Azure.
Created an application through Azure Active Directory
Created a secret key (for the Azure service principal key)
Provided full access to the user (Azure account) for the created application
Collected all details: client ID, tenant ID and subscription ID
Provided all these details in VSTS to set up the connection
When I click Verify connection, it gives the below error:
Failed to query service endpoint api:
https://management.azure.com//subscriptions/?api-version=2016-06-01.
Error Message: The remote server returned an error: (403) Forbidden.
Below is a screenshot of VSTS:
Please let me know if I missed anything, or guide me through all the required steps to complete this VSTS-to-Azure connection.
You need to grant the service principal access to the Azure subscription.
Log in to the Azure portal -> All services -> Subscriptions -> click your subscription -> Access control (IAM) -> Add role assignment -> assign a role to your service principal.
Reference:
Manage access to Azure resources using RBAC and the Azure portal
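An added example, not the answerer's code, that reproduces the call VSTS makes when you click Verify connection so the 403 can be diagnosed outside VSTS, and then applies the answer's fix. Assumptions: the IDs are placeholders and the client secret is read from an environment variable rather than typed into the script; the token is requested from the v1 OAuth2 endpoint with the ARM resource, which is what the `api-version=2016-06-01` request in the error message needs; the caller running the role assignment holds Owner or User Access Administrator on the subscription.

```powershell
# Added example: client-credentials token for the service principal, the same
# subscription listing VSTS queries, then the missing role assignment.
$ErrorActionPreference = 'Stop'
$TenantId       = '00000000-0000-0000-0000-000000000000'   # placeholder
$ClientId       = '11111111-1111-1111-1111-111111111111'   # placeholder: application (client) ID
$ClientSecret   = $env:SPN_SECRET                          # assumed set in the shell; never hard-code it
$SubscriptionId = '22222222-2222-2222-2222-222222222222'   # placeholder
if (-not $ClientSecret) { throw 'Set SPN_SECRET in the environment first' }

function Get-ArmToken {
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://management.azure.com/'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body).access_token
}

function Test-SubscriptionAccess {
    # Same request VSTS issues. A principal with no role may simply get an empty list
    # rather than an error, so test membership instead of relying on the status code.
    $headers = @{ Authorization = "Bearer $(Get-ArmToken)" }
    try {
        $resp = Invoke-RestMethod -Uri 'https://management.azure.com/subscriptions?api-version=2016-06-01' -Headers $headers
        $ids  = @($resp.value | ForEach-Object { $_.subscriptionId })
        return ($ids -contains $SubscriptionId)
    } catch {
        # 401: the token itself was rejected (wrong tenant or secret).
        # 403: the app authenticated but holds no RBAC role that covers the request.
        $status = $_.Exception.Response.StatusCode.value__
        Write-Warning "ARM returned $status : $($_.ErrorDetails.Message)"
        return $false
    }
}

if (Test-SubscriptionAccess) {
    Write-Host 'Service principal already sees the subscription; the VSTS problem is elsewhere'
} else {
    # The answer's fix. Contributor is what a deployment pipeline usually needs; if the
    # pipeline only touches one resource group, scope the assignment to that group instead.
    New-AzRoleAssignment -ApplicationId $ClientId -RoleDefinitionName 'Contributor' `
        -Scope "/subscriptions/$SubscriptionId" | Out-Null
    Write-Host 'Role assigned; RBAC changes can take a minute or two to propagate'
    Start-Sleep -Seconds 60
    if (Test-SubscriptionAccess) { Write-Host 'Verified: retry Verify connection in VSTS' }
    else { Write-Warning 'Still no access; check the tenant ID and that the assignment landed on the right subscription' }
}
```

Running the check before and after the assignment separates the two things a 403 can mean here (the token came from the wrong tenant versus the principal has no role), which the VSTS dialog does not distinguish.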
In my Azure DevOps release pipeline, I would like to start a VM. So I have an "Azure resource group deployment" task with the action "Start virtual machines". However, when I run this task, I get the error:
"Failed to fetch the list of virtual machines from resource group: ... Error: "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request"
In my VM I already enabled system-assigned managed identity, so I don't know why this error is appearing. Any thoughts?
You will also need a service connection in Azure DevOps to connect to your Azure subscription using the MSI.
You can configure Azure Virtual Machine (VM)-based agents with an Azure Managed Service Identity in Azure Active Directory (Azure AD). This lets you use the system-assigned identity (service principal) to grant the Azure VM-based agents access to any Azure resource that supports Azure AD, such as Key Vault, instead of persisting credentials in Azure DevOps for the connection.
In Azure DevOps, open the Service connections page from the project settings page. In TFS, open the Services page from the "settings" icon in the top menu bar.
Choose + New service connection and select Azure Resource Manager.
Select the Managed Identity Authentication option.
Enter a user-friendly Connection name to use when referring to this service connection.
Select the Environment name (such as Azure Cloud, Azure Stack, or an Azure Government Cloud).
Enter the values for your subscription into these fields of the connection dialog:
Subscription ID
Subscription name
Tenant ID
After the new service connection is created:
If you are using it in the UI, select the connection name you assigned in the Azure subscription setting of your pipeline.
If you are using it in YAML, copy the connection name into your code as the azureSubscription value.
Ensure that the VM (agent) has the appropriate permissions. For example, if your code needs to call Azure Resource Manager, assign the VM the appropriate role using Role-Based Access Control (RBAC) in Azure AD. For more details, see How can I use managed identities for Azure resources? and Use Role-Based Access Control to manage access to your Azure subscription resources.
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-to-a-vm-with-a-managed-service-identity
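An added example, not the answer's or Microsoft's code, to run on the agent VM itself: it exercises what a Managed Identity Authentication connection depends on. The 400 quoted in the question is what the instance metadata service (IMDS) returns when no managed identity is assigned to the VM the agent runs on, which is a different VM from the one the task is trying to start. Assumptions: the resource group and subscription ID are placeholders; the IMDS token endpoint and its `api-version` are the documented ones; the Compute API version used for the listing is one that exists at the time of writing.

```powershell
# Added example: fetch a token from IMDS on the agent VM, show which tenant and principal
# it is for, then make the first ARM call the 'Start virtual machines' action makes.
$ErrorActionPreference = 'Stop'
$SubscriptionId = '22222222-2222-2222-2222-222222222222'   # placeholder
$ResourceGroup  = 'my-rg'                                   # placeholder: group holding the target VMs

function Get-ImdsToken {
    param([string]$Resource = 'https://management.azure.com/')
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           "?api-version=2018-02-01&resource=$([uri]::EscapeDataString($Resource))"
    try {
        # The Metadata header is mandatory; IMDS refuses requests without it.
        return Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -TimeoutSec 5
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 400) {
            throw 'IMDS 400: no managed identity is assigned to THIS VM (the agent). Enable it on the agent VM, not on the VM you want to start.'
        }
        throw "IMDS request failed ($status): $($_.Exception.Message)"
    }
}

function Get-JwtClaims {
    param([string]$Jwt)
    # Base64url-decode the payload segment; pad it back to a multiple of four first.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - $payload.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$token  = Get-ImdsToken
$claims = Get-JwtClaims -Jwt $token.access_token
# 'tid' must equal the Tenant ID typed into the service connection; 'oid' is the
# principal that needs the RBAC role on the target resource group.
Write-Host "Token issued by tenant $($claims.tid) for principal (oid) $($claims.oid), expires $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp))"

# Same listing the task performs first. A 403 with AuthorizationFailed here means the
# identity exists but holds no role on the group; its message names the missing action.
$armUri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
          '/providers/Microsoft.Compute/virtualMachines?api-version=2023-03-01'
$vms = Invoke-RestMethod -Uri $armUri -Headers @{ Authorization = "Bearer $($token.access_token)" }
foreach ($vm in $vms.value) { Write-Host "$($vm.name) ($($vm.location))" }
```

If the first call throws the IMDS 400, no amount of role assignment on the target VM will help: the identity the service connection uses has to be the agent VM's. If the token comes back but the listing returns 403, assign a role (Virtual Machine Contributor on the resource group is enough for start and stop) to the `oid` the script prints.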
I've created an ARM template that uploads an SSL certificate to Azure. I can run the ARM template from my local machine and it succeeds without any errors.
I then log into VSTS to set up a release template to perform the same task. I select the same template and provide the same parameters, but when I deploy the release it errors with a 401. The only information I can get by looking into the logs is that the request is denied because authorization failed.
I updated the permissions for the service principal account that VSTS is using to match my own (Owner, Contributor) on the resource group I'm deploying to, and I get the same error. I then temporarily updated its permissions to Owner, Contributor on the entire subscription, and it still failed.
I'm beginning to suspect that this is an issue with Service Principal accounts in general, but I can't find any documentation to confirm or refute this claim.