Integrating Azure Key Vault RBAC with Azure DevOps

Tagvor Hovsepyan 61 Reputation points
2022-10-15T14:20:05.31+00:00

Just in time To link an Azure key vault and map selective vault secrets to this variable group.
Gives the error "The specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault. Click "Authorize" to enable Azure Pipelines to set these permissions or manage secret permissions in the Azure portal."

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

Accepted answer
  1. JamesTran-MSFT 36,481 Reputation points Microsoft Employee
    2022-10-18T21:59:22.997+00:00

    @Tagvor Hovsepyan
    Thank you for your post and I apologize for the delayed response!

    Error message:
    The specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault. Click "Authorize" to enable Azure Pipelines to set these permissions or manage secret permissions in the Azure portal.

    From your error message and follow up - when you change the Access configuration from Azure RBAC to Vault access policies everything works as expected. However, if you change the Access configuration back to Azure RBAC you're running into the above error.

    When it comes to Azure RBAC for Key Vault, instead of assigning the Key Vault permissions under the Access Policies tab within your Vault, you'll have to assign RBAC roles to your Azure DevOps principal under the Access Control (IAM) tab. For more info on the Azure built-in roles for Key Vault data plane operations.

    Assign Azure roles using the Azure portal:

    I hope this helps!

    If you have any other questions or are still having issues, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
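
The role assignment described in the accepted answer, done with the Azure CLI instead of the portal. This is an added example, not part of the thread: the choice of the built-in `Key Vault Secrets User` role, the vault-level scope and the function names are assumptions, and the four arguments are your own subscription ID, resource group, vault name and the object ID of the service connection's principal.

```shell
#!/bin/sh
# Added example, not from the thread. Grants an Azure DevOps service
# connection's principal read access to secrets on an RBAC-mode Key Vault.
# DRY_RUN=1 (the default) only prints the az commands; DRY_RUN=0 runs them.

# Assumption: built-in data-plane role for reading secrets, chosen for this example.
ROLE="Key Vault Secrets User"

# ARM resource ID of the vault. Scoping the assignment to the vault itself
# avoids granting secret access across a whole resource group or subscription.
kv_scope() {  # <subscription-id> <resource-group> <vault-name>
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s\n' "$1" "$2" "$3"
}

# Print the command (each argument quoted) in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf "'%s' " "$@"; printf '\n'
  else
    "$@"
  fi
}

# 1. Show whether the vault uses the Azure RBAC permission model (true/false).
check_rbac_mode() {  # <vault-name>
  run az keyvault show --name "$1" --query properties.enableRbacAuthorization -o tsv
}

# 2. Assign the role to the service connection's principal at vault scope.
grant_secret_read() {  # <principal-object-id> <scope>
  run az role assignment create --role "$ROLE" \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --scope "$2"
}

# 3. List the roles that principal now holds on the vault, to verify.
show_assignments() {  # <principal-object-id> <scope>
  run az role assignment list --assignee "$1" --scope "$2" \
    --query "[].roleDefinitionName" -o tsv
}

main() {  # <subscription-id> <resource-group> <vault-name> <principal-object-id>
  scope=$(kv_scope "$1" "$2" "$3")
  check_rbac_mode "$3" && grant_secret_read "$4" "$scope" && show_assignments "$4" "$scope"
}

# Only act when all four arguments are supplied.
if [ "$#" -eq 4 ]; then main "$@"; fi
```

Role assignments can take a few minutes to propagate, so the "Authorize" check in the variable group may still fail immediately after the assignment is created.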


2 additional answers

  1. Tagvor Hovsepyan 61 Reputation points
    2022-10-19T10:36:20.537+00:00

    251974-sc-error.jpg


  2. Ahmad Pirani 6 Reputation points
    2024-05-14T02:52:49.05+00:00

    What you need to do in this case is:

    1. Go to Service connections under Project Settings in Azure DevOps, open the service connection that was created automatically when you performed the first step of selecting Azure Subscription
    2. Open that service connection, the name will be identifiable as it will be similar to your Azure Subscription name
    3. Click Edit
    4. If there is nothing selected in Resource group, then click Verify button
    5. Select the Azure Resource group that you have your key vault in
    6. Make sure to check Grant access permissions to all pipelines and click Save
    7. Go back to the Variable Group where you were trying to select the Azure Resource Group and click Authorize again (it might take a few tries)