Key Vault access while setting Networking IPS

Harpreet Singh 0 Reputation points
2024-04-25T20:13:29.0766667+00:00

Hi

We have created a Key Vault and a secret in Azure Key Vault. We provided selected IP access in Networking while creating the vault and gave service account access to the Key Vault user. However, the service account was unable to read the secret from Azure using the Power Automate connector and flow.

For testing purposes, we changed the networking settings to allow app IPs, and then the service account was able to read the secret. Subsequently, we allowed and configured some Power Automate IPs in networking to enable Power Automate to read the secret. It worked after that.

Now, we want to create an environment variable to retrieve the secret from Azure, but it is not allowing us to do so and is giving a "user cannot read secret" error. Upon changing the networking settings again to allow all IPs, we were able to create the environment variable.

At this point, I am unsure which IPs should be added for the same purpose, or what else can be done to resolve this issue. Could anyone please assist me with this?

Thanks in advance.

Tags: Azure Key Vault, Azure Functions, Azure Virtual Machines, Azure App Service, Microsoft Power Platform Training

2 answers

  1. hossein jalilian 3,015 Reputation points
    2024-04-25T21:37:35.29+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    I believe two actions can resolve your issue:

    1. Verify that the service account or identity used by Power Automate has the required permissions to access the Key Vault.
    2. Instead of allowing access from all IPs, consider configuring specific IP ranges or addresses that need to access the Key Vault.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  2. Babafemi Bulugbe 1,870 Reputation points MVP
    2024-04-26T19:24:08.1466667+00:00

    Hello Harpreet Singh,

    Thank you for posting your question in the Microsoft Q&A Community.

    I understand you would like to know how to allow your Power Automate access to your key vault via private network access.

    To resolve this, you need to know which IP address range the Power Automate connects from. You might want to get that by looking through this link

    https://learn.microsoft.com/en-us/power-platform/admin/online-requirements

    However, it might not be that easy to get this IP address. As a workaround, enable Azure Key Vault logging, set the network to public disabled, and try to initiate the connection. After some hours, you should have a log within the storage account to see from which network Power Automate is trying to authenticate.

    Follow the link below to see the steps to create key vault logging.

    https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging?tabs=azure-cli

    You can also take a look at this StackOverflow thread which describes almost the same scenario.

    https://stackoverflow.com/questions/74390962/how-to-connect-to-azure-vault-from-microsoft-flow

    Let me know if further assistance is required.

    Babafemi

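Both answers come down to the same triage: work out whether the 403 is coming from the vault firewall or from a missing role assignment, and if it is the firewall, find the exact source IPs the connector uses instead of opening the vault to all networks. The script below is an added example for this thread, not code from the original posts or from Microsoft. It reads Key Vault AuditEvent diagnostic log lines (the JSON-per-line form you get in the storage account or from a Log Analytics export), separates firewall denials from authorization denials, and emits Azure CLI `az keyvault network-rule add` commands for the blocked public IPs. The log lines are constructed to follow the documented AuditEvent fields (`callerIpAddress`, `operationName`, `resultType`, `identity.claim`, `properties.httpStatusCode`); the two `resultDescription` texts used to tell a firewall denial from an RBAC denial, the vault name `kv-contoso`, resource group `rg-contoso` and the application IDs are assumptions for the example.

```python
"""Triage Azure Key Vault AuditEvent logs: which caller IPs were blocked, and why.

Added example for this thread, not code from the original posts or from
Microsoft. Sample log lines are constructed; the resultDescription texts used
to classify denials are assumed from commonly seen Key Vault error messages,
so check them against your own logs before relying on the classification.
"""
import json
from collections import Counter, defaultdict
from ipaddress import ip_address

UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
FLOW_APP = "11111111-2222-3333-4444-555555555555"  # assumed appid of the flow connection


def _event(ip, op, status, result, desc, appid=FLOW_APP):
    """Build one constructed AuditEvent line in the documented field layout."""
    return json.dumps({
        "time": "2024-04-25T20:01:11.123Z", "category": "AuditEvent",
        "operationName": op, "resultType": result, "resultDescription": desc,
        "callerIpAddress": ip,
        "identity": {"claim": {"appid": appid, UPN_CLAIM: "svc-flow@contoso.com"}},
        "properties": {"id": "https://kv-contoso.vault.azure.net/secrets/api-key",
                       "httpStatusCode": status},
    })


# Constructed sample: a firewall block, an RBAC block, a success, an unrelated op, junk.
SAMPLE_LOG_LINES = [
    _event("52.170.12.34", "SecretGet", 403, "Forbidden",
           "Client address is not authorized and caller is not a trusted service"),
    _event("20.50.60.70", "SecretGet", 403, "Forbidden",
           "The user, group or application does not have secrets get permission "
           "on key vault 'kv-contoso'", appid="22222222-3333-4444-5555-666666666666"),
    _event("10.0.0.5", "SecretGet", 200, "Success", ""),
    _event("52.170.12.34", "VaultGet", 200, "Success", ""),
    "not json at all",
]


def parse_audit_events(lines):
    """Yield AuditEvent dicts, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("category") == "AuditEvent":
            events.append(ev)
    return events


def classify_denial(ev):
    """'firewall', 'authorization' or 'unknown' for a 403; None if the call was not denied."""
    status = ev.get("properties", {}).get("httpStatusCode")
    if status != 403 and ev.get("resultType") != "Forbidden":
        return None
    desc = (ev.get("resultDescription") or "").lower()
    if "not authorized" in desc and "trusted service" in desc:
        return "firewall"          # network ACL rejected the source address
    if "permission" in desc:
        return "authorization"     # identity reached the vault but lacks a role/policy
    return "unknown"


def denied_callers(lines, operation="SecretGet"):
    """Map (caller IP, appid-or-UPN) -> Counter of denial kinds for one operation."""
    out = defaultdict(Counter)
    for ev in parse_audit_events(lines):
        if ev.get("operationName") != operation:
            continue
        kind = classify_denial(ev)
        if kind is None:
            continue
        claims = ev.get("identity", {}).get("claim", {})
        who = claims.get("appid") or claims.get(UPN_CLAIM) or "?"
        out[(ev.get("callerIpAddress", "?"), who)][kind] += 1
    return out


def firewall_blocked_ips(denials):
    """Sorted public IPs that were denied by the firewall (RBAC denials are not a network problem)."""
    ips = set()
    for (ip, _who), kinds in denials.items():
        if not kinds.get("firewall"):
            continue
        try:
            addr = ip_address(ip)
        except ValueError:
            continue
        if addr.is_global:
            ips.add(ip)
    return sorted(ips, key=lambda s: (ip_address(s).version, int(ip_address(s))))


def network_rule_commands(vault, resource_group, ips):
    """Azure CLI commands adding each observed IP as a /32 vault firewall rule."""
    return [f"az keyvault network-rule add --name {vault} --resource-group {resource_group}"
            f" --ip-address {ip}/32" for ip in ips]


if __name__ == "__main__":
    denials = denied_callers(SAMPLE_LOG_LINES)
    for (ip, who), kinds in denials.items():
        print(f"{ip:>15}  {who}  {dict(kinds)}")
    for cmd in network_rule_commands("kv-contoso", "rg-contoso", firewall_blocked_ips(denials)):
        print(cmd)
```

Two caveats for using this on real logs. An "authorization" denial means the request already passed the firewall, so the fix is a role assignment (for RBAC vaults, Key Vault Secrets User on the vault or secret) rather than another IP rule. And the IPs a connector egresses from belong to Microsoft-owned ranges that can change, so a `/32` harvested from logs is a snapshot: prefer the published ranges from the Power Platform requirements page linked above where they cover your region, keep the harvested rules as a fallback, and re-run this triage after any change rather than falling back to "allow all networks".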