Tags: azure-devops, azure-pipelines, azure-keyvault, cicd

Anyone else had issues using an Azure-key-vault-connected pipeline variable group for an "Invoke Azure Function" pipeline check?


I am configuring an Azure DevOps pipeline environment check of type "Invoke Azure Function". I am using a pipeline variable group in order to reference the function key value as a variable. The variable group has been created from a connected key vault in Azure. When I run the pipeline to trigger the check function, it returns a 401, and I can see from the function logs (no output at all) and the pipeline "response:0" that the function was not invoked. The function key is not getting passed to the function and the call is denied. I further tested this theory by hard-coding the function key into the set-up form instead of using a variable, and the function triggered and ran as expected.

Further details:

  • When the function is triggered from Postman with the URI and function key, it also works as expected.
  • I have triple checked that the value of the secret in the key vault is the same as the function key and the status is enabled.
  • I have connected the correct key vault with the correct variable group to the correct pipeline check and there are no obvious errors or warnings.
  • The DevOps identity and the Function App itself have GET and LIST access policies on everything in the connected key vault.
  • I created a new repo and simple pipeline to test access to the key vault secrets and I was able to access the key vault and return values.
  • All pipelines have been allowed permissions to use this pipeline check resource and the variable group.

Has anyone experienced this issue and found a solution? Other testing ideas also welcome. Thanks in advance.

Edit: I have attached the pipeline check configuration, the 401 error and the simple pipeline I created in the same project to test the connection to the Azure key vault.

[Screenshot: Invoke Azure Function Config1]
[Screenshot: Invoke Azure Function Config2]
[Screenshot: 401 error when the pipeline check tries to trigger the function]
[Screenshot: pipeline used in a separate repo to test DevOps access to the key vault]

Edit 2 (In response to the bot asking for ways to reproduce the error)

Create:

Your DevOps identity and Function will need GET and LIST permissions on secrets to access the Azure Key Vault.

Set up a pipeline check "Invoke Azure Function" through the "Approvals and checks" tab on the pipeline environment page.

  • You will need the function URI and will add the function key as a variable from the linked variable group. (The linked variable group is added in the control options area.)
  • Set your method, leave the headers as default, query params empty.
  • Set the function as APIResponse and leave the success criteria blank, if using the default httptrigger function.

The function working and the pipeline code are irrelevant. The issue is: I cannot seem to trigger the function using a variable group linked to an Azure Key Vault. A function key hard-coded into the form triggers the function, but the variable in the form, $(myVariable), does not.


Solution

  • I can reproduce the same issue when using the secret variable from an Azure Key Vault variable group.

    I am afraid that the Invoke Azure Function task doesn't support using a secret from an Azure Key Vault variable group.

    When we use an Azure Key Vault variable in an agent job, it adds a step to download the key vault secrets first; then we can use them in the agent job.

    But the Invoke Azure Function task runs in an agentless job, which doesn't support downloading Azure Key Vault secrets. We are not able to use Azure Key Vault secrets directly without downloading them.

    So it doesn't support using the Azure Key Vault secret.

    For a workaround, you can directly define the function key as a secret variable in the variable group.

    Then we can use that secret variable in the Invoke Azure Function task, and the check succeeds.
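The answer above contrasts the agent-job path (secrets are downloaded before the steps run) with the agentless Invoke Azure Function check (no download step). The pipeline below is an added example, not code from the question or the answer, showing the agent-job path end to end: an explicit AzureKeyVault@2 download step, the secret mapped into the environment of a script step, and a call to the function that sends the key in the x-functions-key header rather than in the URL. The service connection name, vault name, secret name and function URL are placeholders.

```yaml
# Added example (not from the original post): agent job that pulls the function
# key from Key Vault and invokes the function with it. All names are placeholders.
trigger: none

pool:
  vmImage: ubuntu-latest

steps:
  # Explicit download step. The agent fetches every secret named in SecretsFilter
  # and exposes each one as a secret pipeline variable of the same name.
  - task: AzureKeyVault@2
    displayName: Download function key from Key Vault
    inputs:
      azureSubscription: my-azure-service-connection   # assumed service connection
      KeyVaultName: my-keyvault                        # assumed vault name
      SecretsFilter: FunctionKey                       # assumed secret name
      RunAsPreJob: false

  - task: Bash@3
    displayName: Invoke the function with the downloaded key
    env:
      # Secret variables are not mapped into the environment automatically;
      # map explicitly instead of inlining $(FunctionKey) into the script body.
      FUNCTION_KEY: $(FunctionKey)
    inputs:
      targetType: inline
      script: |
        set -euo pipefail
        # Send the key as a header rather than ?code=... so it stays out of the
        # request URL, proxy logs and the pipeline log.
        status=$(curl -sS -o /dev/null -w '%{http_code}' \
          -H "x-functions-key: ${FUNCTION_KEY}" \
          'https://my-func.azurewebsites.net/api/HttpTrigger1')   # assumed URL
        echo "HTTP status: ${status}"
        if [ "${status}" = "401" ]; then
          echo "Function rejected the key (401): secret not resolved or wrong key" >&2
          exit 1
        fi
```

This is the same behaviour the check cannot reproduce: the agentless job has no step in which a Key Vault secret could be fetched, so $(myVariable) never resolves and the function answers 401. If you adopt the answer's workaround of storing the key as a plain secret variable in the variable group, remember that you lose the automatic pickup of rotated values from Key Vault; the secret in the variable group has to be updated by hand (or by a script) whenever the function key is rotated.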