Cannot find a read write access key for the Azure App Configuration while importing keys
I am trying to import App configuration key values using DevOps CICD Pipelines. App configuration had
Private Endpointenabled, disabled public access.private DNS zonecontainsA recordsetof app configuration.(private IP address of azure app config added to private dns zone.)Access keysare toggled off and using managed identity- DevOps: Had set up a self-hosted agent using a virtual machine that belongs to the same
VNETandsubnetas the app configuration private endpoint. - RBAC: Devops service principal has RBAC azure roles
OwnerandAzure App Configuration Data Owner - Subnet has associated with NSG and its rules are shown in snapshot.
- Had enabled
managed identityof app configuration.
az appconfig kv import --profile appconfig/kvset --name <your store name> --source file --path appconfigdata.json --format json
Issue: At first App configuration is public access and used Microsoft Agent pipelines for importing and it was success. Later decided to secure access using private endpoint, So I followed all above steps and ensure everything is aligned correct. Whenever I run the pipeline, I get below issue. I explored a lot on this issue and yet unable to find the root cause.
What am i missing?
ERROR: Cannot find a read write access key for the App Configuration
YAML:
steps:
- task: AzureCLI@2
displayName: 'Azure CLI - Update AppConfig'
inputs:
azureSubscription: 'Test-SPN-NonProd'
scriptType: pscore
scriptLocation: inlineScript
inlineScript: |
az appconfig kv import -n $(tst-appconfigName) -s file --format json --path ./dev-appconfig.json --profile appconfig/kvset --y
workingDirectory: '$(System.DefaultWorkingDirectory)/AzureFunctionShared/drop/AppConfig'
condition: succeededOrFailed()
I can reproduce the issue with the same settings as you.
The cause is that the default value of the --auth-mode parameter is key. It tries to retrieve the account access keys for authorization by default if you don't specify another value for it, even though you have toggled off the Access keys. See az appconfig kv import - Optional Parameters for details.
To resolve the issue, we can add --auth-mode login parameter in your command.
az appconfig kv import -n $(tst-appconfigName) --auth-mode login -s file --format json --path ./dev-appconfig.json --profile appconfig/kvset --y
It works as expected on my side.
So, please try adding --auth-mode login parameter in your command to get it work.
UPDATE:
Works like charm !. But facing another issue . ERROR: Operation returned an invalid status 'Forbidden' . I checked app configuration logs. It results 403 status code with client ip address 20.126.x.x.x . I have my self hosted agent resides in same VNET and same subnet.
The issue is on the network between the agent and the app config instance. It seems that the VM is blocked by the NSG rules, please check your rule settings and reference this thread for further troubleshooting.
BTW, per the message, the client IP seems to be a public IP. Just try to enable the third option on the Public Access tab to see if it works.
UPDATE2:
As confirmed by PavanKumar, it turns out that App configuration resides in another resource group. The issue was resolved with help of VNET peering. Most important, providing RBAC roles to SPN.
- Passing output variable to a template in the same job in Azure devops
- Azure Pipeline: how to delete a variable inside Azure build pipeline
- Azure Devops - YAML - not reading .net version from props file
- Azure yaml trigger pipeline every 14 days on a Saturday
- How can I give a containerRegistry to a DevcontainersCi task in an Azure DevOps YAML Pipeline?
- How to assign organization-level permissions to create repositories across all projects in organization in Azure DevOps?
- Updating Node js on internal windows ADO build agent
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- DotNetCLI@2 pack seems to be ignoring configuration inputs
- Build a pipeline in AzureDevOps for Sql Server on prem to run sql scripts
- How to format Azure DevOps console Logs
- How to follow the entire wiki in Azure DevOps?
- Issue with Azure key vault and Azure storage account deployment
- Publishing external POM Package to Azure Artifacts Feed Error
- lionbridge-connector on Azure Artifacts gives Dependency Error
- How to allow an empty string for a runtime parameter?
- Azure - RBAC to Management Group
- Python (Dash) web app deployment on Azure with pipeline running too long with message Building wheel for pandas still running. How to optimize?
- No 'Import a pipeline' button in Azure DevOps
- ASP.NET Azure Web App Pipeline: No package found with specified pattern: D:\a\1\s\**\*.zip
- Error when creating a pipeline. "You don’t appear to have an active Azure subscription."
- ADO YAML Pipelines | How to get secret variable from a variable group based on the value of another variable
- Azure Devops - Get release definitions by agent pool ID
- Azure Pipelines using YAML for multiple environments (stages) with different variable values but no YAML duplication
- How to specify which version of nuget.exe to use with self-hosted agent in Azure DevOps?
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- Azure DevOps - JFrogNuget Error - Error occurred while executing task: Error: Command failed
- Access Azure DevOps Pipeline Artifacts from different organization
- Initiate Azure DevOps Release Pipeline from Logic App and Retrieve Environment Variable Output from the pipeline
- Is it necessary to switch from the Hosted XML to the Inheritance Process Model after a migration