Bug: Azure PowerShell Task does not initialize KeyVault Access Token in case of Managed Identity service connection


When using Managed Identity service connection, Azure PowerShell Task does not initialize KeyVault Access Token, so Azure KeyVault cmdlets do not work.

Used cmdlets:

Update-AzKeyVaultNetworkRuleSet
Add-AzKeyVaultKey

Required Information

Entering this information will route you directly to the right team and expedite traction.

Question, Bug, or Feature?
Type: Bug

Enter Task Name: AzurePowerShell

list here (V# not needed):
https://github.com/Microsoft/azure-pipelines-tasks/tree/master/Tasks

Environment

  • Server - Azure Pipelines or TFS on-premises? Azure Pipelines, Release

  • If using TFS on-premises, provide the version:

  • If using Azure Pipelines, provide the account name, team project name, build definition name/build number:

  • Agent - Hosted or Private: Private

  • If using Hosted agent, provide agent queue name:

  • If using private agent, provide the OS of the machine running the agent and the agent version:

Issue Description

[Include task name(s), screenshots and any other relevant details]

Task logs

[Enable debug logging and please provide the zip file containing all the logs for a speedy resolution]

2020-01-24T10:08:24.7297982Z ##[command]Import-Module -Name C:\Program Files\WindowsPowerShell\Modules\Az.Accounts\1.6.3\Az.Accounts.psd1 -Global
2020-01-24T10:08:25.7007444Z ##[command]Clear-AzContext -Scope Process
2020-01-24T10:08:26.2897891Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2020-01-24T10:08:26.8090334Z ##[command]Add-AzAccount  -AccessToken ****** -AccountId 478-2020-01-24T10:08:26.7426966+00:00 
2020-01-24T10:08:29.5793306Z ##[command] Set-AzContext -SubscriptionId ***** -TenantId ***
2020-01-24T10:08:30.6635879Z ##[command]& 'C:\agent\_work\r16\a\***\_iac\****.ps1' -subID "*******" -keyVaultName "*****" -objName "******"
2020-01-24T10:08:30.6773399Z [Adding Key] Prepping AKV...
2020-01-24T10:08:30.6775393Z [Adding Key] Temporary opening of the Firewall and Access Policies on the Key Vault...
2020-01-24T10:08:36.5084347Z [Adding Key] Creating a new RSA Key and store in KeyVault...
2020-01-24T10:08:37.0099871Z ##[command]Disconnect-AzAccount -Scope Process -ErrorAction Stop
2020-01-24T10:08:37.3136833Z ##[command]Clear-AzContext -Scope Process -ErrorAction Stop
2020-01-24T10:08:37.8490258Z ##[error]Cannot retrieve access token for resource 'AzureKeyVaultServiceEndpointResourceId'.  Please ensure that you have provided the appropriate access tokens when using access token login.

Troubleshooting

Check out how to troubleshoot failures and collect debug logs: https://docs.microsoft.com/en-us/vsts/build-release/actions/troubleshooting

Error logs

[Insert error from the logs here for a quick overview]

2020-01-24T10:08:37.8490258Z ##[error]Cannot retrieve access token for resource 'AzureKeyVaultServiceEndpointResourceId'.  Please ensure that you have provided the appropriate access tokens when using access token login.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

20shivangi commented, Mar 6, 2020 (1 reaction)

@ivanignatiev We have merged the PR: https://github.com/microsoft/azure-pipelines-tasks/pull/12491 to resolve this issue. It will take at least 6-8 weeks to get deployed. Thanks for your patience.

asranja commented, Feb 27, 2020 (1 reaction)

@ivanignatiev Thanks for reporting this. We have identified the issue.

@20shivangi we should update the logic to connect using Managed Identities. Currently, we fetch an access token for “https://management.azure.com/” resource and then use Connect-AzAccount -AccessToken. This will fail if the script tries to access other resources like key vault (https://vault.azure.net/). We should just use Connect-AzAccount -Identity to login using Managed Identities.
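
The audience mismatch described in the comment above, shown as an added PowerShell example that is not part of the original thread or of the task's code. The function names are hypothetical, the sample token is constructed and unsigned, and the IMDS call assumes the script runs on an Azure VM with a managed identity assigned.

```powershell
# Added illustration; function names are hypothetical, not from azure-pipelines-tasks.
$ArmResource   = 'https://management.azure.com/'
$VaultResource = 'https://vault.azure.net'

function Get-JwtAudience([string]$Jwt) {
    # The payload is the second dot-separated segment: base64url-encoded JSON.
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $p = $p.PadRight($p.Length + (4 - $p.Length % 4) % 4, '=')
    ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json).aud
}

function Test-TokenAudience([string]$Jwt, [string]$Resource) {
    # A bearer token is only accepted by the resource named in its 'aud' claim.
    (Get-JwtAudience $Jwt).TrimEnd('/') -eq $Resource.TrimEnd('/')
}

function Get-ManagedIdentityToken([string]$Resource) {
    # Azure Instance Metadata Service; reachable only from inside an Azure VM.
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($Resource)
    (Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' }).access_token
}

function Connect-WithBothTokens([string]$AccountId) {
    # Access-token login needs one token per audience the script will call.
    Connect-AzAccount -AccountId $AccountId `
        -AccessToken (Get-ManagedIdentityToken $ArmResource) `
        -KeyVaultAccessToken (Get-ManagedIdentityToken $VaultResource)
    # Alternative named in the comment above: Connect-AzAccount -Identity
}

# Offline check with a constructed, unsigned token (not a real credential).
$claims  = '{"aud":"https://management.azure.com/"}'
$bytes   = [Text.Encoding]::UTF8.GetBytes($claims)
$payload = [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sample  = "e30.$payload.sig"

# Compare the sample token's audience against each resource the script would call.
Test-TokenAudience $sample $ArmResource
Test-TokenAudience $sample $VaultResource
```

The two `Test-TokenAudience` calls run without any Azure access; `Connect-WithBothTokens` is defined but not invoked, since it needs the Az.Accounts module and the metadata endpoint.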
