Azure data factory access policies assigment using azure powershell inline script in devops pipline
There is one task which is simple and easily achieved using cloud shell, I need to give access to my
Datafactory get, set in access policies
commands
$objectid = (Get-AzDataFactoryV2 -ResourceGroupName "BDAZE1ENRG01" -Name
"BDAZE1INDF03").Identity.PrincipalId
Set-AzKeyVaultAccessPolicy –VaultName "BDAZE1ENKV01" -PermissionsToKeys get,list -
PermissionsToSecrets get,list -ObjectId $objectid
Devops task screen shot enter image description here
JEpOB.png
error is devops log
powershell version 3.1.0 task version inline script 4.0
To run the command Set-AzKeyVaultAccessPolicy, it will call the Azure AD Graph to validate the $objectid you passed. In could shell, it uses the credential of your user account, it works means your user account has the permission. In devops, the service principal has no permission to do that by default.
To solve the issue, the easiest way is to use the -BypassObjectIdValidation parameter like below, then it will work fine.
Set-AzKeyVaultAccessPolicy –VaultName "joykeyvault" -PermissionsToKeys get,list -PermissionsToSecrets get,list -ObjectId $objectid -BypassObjectIdValidation
Of course there is another way, just grant the application permission in Azure AD Graph like below for the AD App of your devops connection. (Must be Application type permission in Azure Active Directory Graph, not Microsoft Graph, don't forget to click Grant admin consent button)
- Listing the Tables in the Storage Account using ADF Web Activity is failed with an authorization error
- Terraform with Azure Key Vault to get secret value
- No value provided for parameter `container_name` in the Get Metadata1 activity
- Pagination with oauth azure data factory
- Using Managed Identity to connect to a queue from a WebJob
- How to integrate GPT-4 model hosted on Azure with the gptstudio package?
- Azure - Virtual network Gateway vs VPN gateways
- Azure CLI won't login on MacOS
- Replicating Azure SQL DB and blob storage in multi region setup
- Reading Azure Entra ID Diagnostic Settings
- Azure Traffic Manager Endpoint: The following locations specified in the geoMapping property for endpoint are not supported
- Assign specific agent on Azure DevOps YAML Pipelines
- GetBlob request is failing, when PutBlob and ListBlob are successfull
- Scheduled alert rule created in Terraform doesn't work
- New NIC with public IP has no internet connection, while existing NIC works fine
- BlobClient#generateSasUrl automatically %-encode blob path
- How to do copy of all the containers without explicitly mentioning in the array between two different storage accounts
- Azure Application Gateway WAF with False Positive on SQL Injection
- Application ID URI Throwing Error in Azure AD App Registration using Terraform
- Is it possible to use email name other than "DoNotReply" in Azure Email Communication Services?
- installing an SSL on Azure ubuntu web server
- How do I add a Spring Initializr dependency (eg Microsoft Azure) after the project is created?
- NvidiaGpuDriverLinux fails to install on NC6 instance
- How to get client secret expiry date using the azure AD graph API
- Can't get OneNote data using graph api from microsoft
- Adding Custom Python library in Azure Synapse
- Cannot run .NET Core application on Linux in Azure App Services with linuxFxVersion: 'DOTNETCORE:8.0'
- Unable to connect from Azure data factory to postgres flexible server using private endpoint
- Microsoft graph return "access token is empty"
- How to use empty disk spaces under /dev/sdb1 on Azure?