Unable to fetch the secrets from Key vault to Azure DevOps Library group

Nikhil Arshath 0 Reputation points
2024-01-31T14:51:03.4466667+00:00

Hi Team, I am trying to integrate an Azure DevOps Library group with Azure Key Vault to fetch the secrets from here. I have created a service principal (sampleSP01) and have a key vault (KeyVault01) with the RBAC permission model. I have also made the service connection in Azure DevOps with the above-created service principal, with the following details:

  1. Service principal ID (client of the service principal)
  2. Service principal key (secret of the service principal)
  3. Azure subscription
  4. Azure subscription ID
  5. Tenant ID

Also, for this service principal (sampleSP01), we have assigned the Azure built-in roles:

  1. Key Vault Secrets User
  2. Key Vault Secrets Officer

So, using these details, I am able to verify the connection in ADO.

After this, when I try to fetch the secrets from the key vault, I get the below error in the ADO library group:

The specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault. Click "Authorize" to enable Azure Pipelines to set these permissions or manage secret permissions in the Azure portal.

Please let me know if I am missing any steps or if any other actions need to be done.

  1. JamesTran-MSFT 36,766 Reputation points Microsoft Employee
    2024-02-01T19:11:29.6566667+00:00

    @Nikhil Arshath

    Thank you for your post!

    Error Message:

    The specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault. Click "Authorize" to enable Azure Pipelines to set these permissions or manage secret permissions in the Azure portal.

    From the Key Vault side of things, your Service Principal (sampleSP01) should have the correct permissions with the given Key Vault Secrets Officer RBAC role. However, your issue could be due to insufficient permissions for the Azure DevOps service account. For more info.

    Grant Azure DevOps Access to Key Vault:

    1. In Azure Portal, navigate to your Key Vault.
    2. Go to 'Access policies'.
    3. Add a new access policy.
    4. Grant the Azure DevOps service account 'Get' and 'List' permissions for secrets (Read-Only access is sufficient for most use cases).

    For more info - How to integrate Azure Keyvault with my pipeline

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
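
The question's vault uses the Azure RBAC permission model, while the steps in the answer use access policies; Key Vault evaluates only the grant type that matches the vault's permission model. The following is an added example, not code from the thread or from Microsoft, that checks this offline against parsed `az keyvault show` and `az role assignment list` output. The object ID, subscription ID and resource group name are constructed sample values, and the role set is limited to the two roles named in the question.

```python
# Built-in roles named in this thread; both allow reading secrets.
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer"}

def secret_read_access(vault, role_assignments, principal_id):
    """Return (has_access, reason) for Get/List on secrets.

    vault            -- parsed `az keyvault show` output
    role_assignments -- parsed `az role assignment list --all --assignee <id>` output
    principal_id     -- object ID of the service principal behind the connection
    """
    props = vault["properties"]
    vault_id = vault["id"].lower()
    if props.get("enableRbacAuthorization"):
        # RBAC model: access policies are not evaluated; only role assignments
        # at the vault scope or a parent scope count.
        for ra in role_assignments:
            scope = ra["scope"].lower().rstrip("/")
            covers = vault_id == scope or vault_id.startswith(scope + "/")
            if (ra["principalId"] == principal_id and covers
                    and ra["roleDefinitionName"] in SECRET_READ_ROLES):
                return True, f"RBAC: {ra['roleDefinitionName']} at {ra['scope']}"
        return False, "RBAC model: no secret-reading role covers this vault"
    # Access-policy model: role assignments give no data-plane access.
    for pol in props.get("accessPolicies") or []:
        perms = {p.lower() for p in pol.get("permissions", {}).get("secrets") or []}
        if pol["objectId"] == principal_id and {"get", "list"} <= perms:
            return True, "access policy: get, list on secrets"
    return False, "access-policy model: no policy grants get and list"

# Constructed sample data (IDs and resource group name are made up).
SP = "11111111-1111-1111-1111-111111111111"
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
VAULT_ID = RG + "/providers/Microsoft.KeyVault/vaults/KeyVault01"
GET_LIST_POLICY = {"objectId": SP, "permissions": {"secrets": ["Get", "List"]}}

def sample_vault(rbac, policies=()):
    return {"id": VAULT_ID, "properties": {
        "enableRbacAuthorization": rbac, "accessPolicies": list(policies)}}

def sample_role(name, scope):
    return {"principalId": SP, "roleDefinitionName": name, "scope": scope}

if __name__ == "__main__":
    # RBAC vault where only an access policy was added: the policy is ignored.
    print(secret_read_access(sample_vault(True, [GET_LIST_POLICY]), [], SP))
    # RBAC vault with a role inherited from the resource group.
    roles = [sample_role("Key Vault Secrets User", RG)]
    print(secret_read_access(sample_vault(True), roles, SP))
```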
