Tags: azure, azure-devops, azure-keyvault, azure-service-principal

Grant Azure Devops ARM Service Connection access to Key Vault


I'm trying to pre-seed a key-vault with a secret, in an Azure DevOps pipeline. The key-vault is being generated with ARM in a previous step.

I tried creating a DevOps Service Connection with "Azure resource manager" as the connection type, and I tried both Workload Identity federation and Service principal as the authentication method; however, when attempting to add an access policy on the key-vault, the service connection is not listed.

How can I allow my service connection access to my key-vault?


Solution

  • I have to guess here a bit as you are not showcasing your templates.

    If you are using accessPolicies for granting access to your keyvault secrets, then the accessPolicies array has to be declared in the KV-template, so I am guessing that either you have specified it as accessPolicies: [] (empty array), or you have other entries there which do not include the entry you are using for your service-connection object-id.

    So... when you are adding the access-policy for the service-connection in a later step (appending to the array), it would effectively reset/wipe it when the keyvault-template is deployed each time as it is not part of the array defined in the keyvault-template.

    If that is the case, some suggestions for solving it would be the following:

    1. Ensure that the access-policy entry for the service-connection object-id is already part of the KV-template deployment
    2. Switch to using Azure RBAC roles for the access instead (enableRbacAuthorization: true); then once the RBAC role-assignment is added on the KV or RG, for example, the KV-template deployment would not reset/wipe it as it is handled outside of the KV-template (I would also just in general recommend switching to Azure RBAC for the access).

    If my assumptions were wrong and none of this is actually the issue, then please elaborate!
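As an added illustration of suggestion 2 above (not code from the question or the answer), this Bicep template (which compiles to the same ARM JSON) declares the vault with enableRbacAuthorization: true and, in the same deployment, assigns the built-in Key Vault Secrets Officer role to the service connection's object id, so repeated deployments of the vault do not wipe the grant. Parameter names and values are assumptions; the object id of the service connection is whatever the DevOps project shows for that connection's identity.

```bicep
// Added example: Key Vault with RBAC authorization plus a role assignment
// for the DevOps service connection, declared together so redeploying
// the vault never resets the grant. Parameter names are assumptions.
param vaultName string
param location string = resourceGroup().location
// Object (principal) id of the service connection's identity (assumed input)
param serviceConnectionObjectId string
// Built-in "Key Vault Secrets Officer" role definition id (data-plane secrets access)
var secretsOfficerRoleId = 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    // With RBAC enabled the accessPolicies array is ignored, so an empty
    // array here no longer wipes anything on redeploy.
    enableRbacAuthorization: true
    accessPolicies: []
  }
}

// Role assignment scoped to the vault. The deterministic guid() name makes
// repeat deployments idempotent instead of failing on a duplicate assignment.
resource secretsOfficer 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, serviceConnectionObjectId, secretsOfficerRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsOfficerRoleId)
    principalId: serviceConnectionObjectId
    // Both service-principal and workload-identity-federation connections
    // are backed by a service principal in Entra ID.
    principalType: 'ServicePrincipal'
  }
}

output vaultId string = kv.id
```

Role assignments can take a short time to propagate, so a pipeline step that seeds a secret immediately after this deployment may need a retry; the identity running the deployment must itself hold Microsoft.Authorization/roleAssignments/write at the vault scope (for example Owner or User Access Administrator) for the assignment to succeed.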