When using a Managed Identity service connection, the Azure PowerShell task does not initialize a Key Vault access token, so the Azure Key Vault cmdlets do not work.
Used cmdlets:
Update-AzKeyVaultNetworkRuleSet
Add-AzKeyVaultKey
Question, Bug, or Feature?
Type: Bug
Enter Task Name: AzurePowerShell
Server - Azure Pipelines or TFS on-premises?
Azure Pipelines, Release
Agent - Hosted or Private:
Private
2020-01-24T10:08:24.7297982Z ##[command]Import-Module -Name C:\Program Files\WindowsPowerShell\Modules\Az.Accounts\1.6.3\Az.Accounts.psd1 -Global
2020-01-24T10:08:25.7007444Z ##[command]Clear-AzContext -Scope Process
2020-01-24T10:08:26.2897891Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2020-01-24T10:08:26.8090334Z ##[command]Add-AzAccount -AccessToken ****** -AccountId 478-2020-01-24T10:08:26.7426966+00:00
2020-01-24T10:08:29.5793306Z ##[command] Set-AzContext -SubscriptionId ***** -TenantId ***
2020-01-24T10:08:30.6635879Z ##[command]& 'C:\agent\_work\r16\a\***\_iac\****.ps1' -subID "*******" -keyVaultName "*****" -objName "******"
2020-01-24T10:08:30.6773399Z [Adding Key] Prepping AKV...
2020-01-24T10:08:30.6775393Z [Adding Key] Temporary opening of the Firewall and Access Policies on the Key Vault...
2020-01-24T10:08:36.5084347Z [Adding Key] Creating a new RSA Key and store in KeyVault...
2020-01-24T10:08:37.0099871Z ##[command]Disconnect-AzAccount -Scope Process -ErrorAction Stop
2020-01-24T10:08:37.3136833Z ##[command]Clear-AzContext -Scope Process -ErrorAction Stop
2020-01-24T10:08:37.8490258Z ##[error]Cannot retrieve access token for resource 'AzureKeyVaultServiceEndpointResourceId'. Please ensure that you have provided the appropriate access tokens when using access token login.
Checkout how to troubleshoot failures and collect debug logs: https://docs.microsoft.com/en-us/vsts/build-release/actions/troubleshooting
As a temporary workaround, you need to run inside your script:
Connect-AzAccount -msi -SubscriptionId $SubscriptionId
@ivanignatiev Please attach the full debug logs by setting variable system.debug to true in your pipeline
@ivanignatiev Thanks for reporting this. We have identified the issue.
@20shivangi we should update the logic to connect using Managed Identities. Currently, we fetch an access token for the "https://management.azure.com/" resource and then use Connect-AzAccount -AccessToken. This will fail if the script tries to access other resources like Key Vault (https://vault.azure.net/). We should just use Connect-AzAccount -Identity to log in using Managed Identities.
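An added example (not code from this issue, the task, or its PR) of how a script run by the task can apply the workaround from the earlier comment and verify it before touching the vault. It assumes a private agent that is an Azure VM with a managed identity already granted the needed Key Vault permissions, Az.Accounts 2.2 or newer for Get-AzAccessToken, and the hypothetical script parameters $SubscriptionId, $KeyVaultName and $KeyName:

```powershell
# Hypothetical script invoked by the Azure PowerShell task (example, not the task's code).
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $KeyVaultName,
    [Parameter(Mandatory)] [string] $KeyName
)

$ErrorActionPreference = 'Stop'

# The task logged in with Connect-AzAccount -AccessToken using a token scoped to
# management.azure.com only, so that context cannot obtain tokens for vault.azure.net.
# Re-authenticate with the managed identity itself; that login can acquire a token
# for any resource the identity is allowed to call.
Connect-AzAccount -Identity -SubscriptionId $SubscriptionId | Out-Null

# Fail early with a clear message instead of deep inside the Key Vault cmdlets.
# Assumption: Az.Accounts 2.2+ is installed (Get-AzAccessToken does not exist in 1.6.3).
try {
    $null = Get-AzAccessToken -ResourceUrl 'https://vault.azure.net'
}
catch {
    throw "Managed identity login did not yield a Key Vault token: $($_.Exception.Message)"
}

$vault = Get-AzKeyVault -VaultName $KeyVaultName
# Remember the current firewall default so it can be restored afterwards.
$originalDefaultAction = $vault.NetworkAcls.DefaultAction

try {
    # Open the vault firewall only for the duration of the key operation
    # (the same "temporary opening" pattern the log above shows).
    Update-AzKeyVaultNetworkRuleSet -VaultName $KeyVaultName -DefaultAction Allow
    Add-AzKeyVaultKey -VaultName $KeyVaultName -Name $KeyName -Destination Software -KeyType RSA | Out-Null
}
finally {
    # Always put the firewall back, even when the key creation failed.
    Update-AzKeyVaultNetworkRuleSet -VaultName $KeyVaultName -DefaultAction $originalDefaultAction
}
```

Once the task itself logs in with Connect-AzAccount -Identity, the explicit Connect-AzAccount call becomes redundant but harmless; the token check and the finally block remain useful.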
@ivanignatiev We have raised the issue on Azure PowerShell team regarding the same. Will update here once we get some input from the team.
@ivanignatiev We have merged the PR https://github.com/microsoft/azure-pipelines-tasks/pull/12491 to resolve this issue.
It will take at least 6-8 weeks to get deployed. Thanks for your patience.