Tags: azure, azure-devops, azure-keyvault, azure-devops-deploymentgroups

Download secrets from Azure keyvaults using private ip in release pipeline


I want to download secrets from Azure Key Vault using a pipeline and a private IP, as due to restrictive NSG rules the machines can communicate only via private IP. My Azure pipeline is running on a deployment group, which is also in the same resource group as the key vault. The default Key Vault task uses a public IP. Is there any way to do this in the pipeline?


Solution

  • Is there any way to do this in the pipeline?

    From your description, it seems that your Azure Key Vault is behind a virtual network.

    You could try to add the private IP to the Azure Key Vault firewall whitelist.

    Then you could use the Azure Key Vault task to download the key vault secrets.

    Finally, you could remove the IP rule.

    Here is my sample:

    steps:
    # Step 1: look up the agent's public egress IP and add it to the vault firewall.
    - task: AzurePowerShell@5
      displayName: 'Azure PowerShell script: InlineScript'
      inputs:
        azureSubscription: kevin0225
        ScriptType: InlineScript
        Inline: |
         # Use HTTPS so the address that gets whitelisted cannot be tampered with in transit.
         $IP = Invoke-RestMethod https://ipinfo.io/json | Select-Object -ExpandProperty ip

         $IP

         # VaultName must be the same vault the AzureKeyVault task below reads from.
         Add-AzKeyVaultNetworkRule -VaultName "keyvaultname" -IpAddressRange "$IP"
        preferredAzurePowerShellVersion: 3.1.0

    # Step 2: download the secrets now that the agent IP is allowed through.
    - task: AzureKeyVault@1
      displayName: 'Azure Key Vault: kevin0225'
      inputs:
        azureSubscription: kevin0225
        KeyVaultName: kevin0225

    # Step 3: remove the temporary IP rule again.
    - task: AzurePowerShell@5
      displayName: 'Azure PowerShell script: InlineScript'
      inputs:
        azureSubscription: kevin0225
        ScriptType: InlineScript
        Inline: |
         $IP = Invoke-RestMethod https://ipinfo.io/json | Select-Object -ExpandProperty ip

         $IP

         Remove-AzKeyVaultNetworkRule -VaultName "keyvaultname" -IpAddressRange "$IP"
        preferredAzurePowerShellVersion: 3.1.0


    Here is a doc about how to add an IP to the Azure Key Vault firewall.
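The pipeline below is an added example, not the answer's own sample. It applies the same open/read/close pattern but closes two gaps a reviewer would flag in the answer: the IP looked up in step 1 is passed to the cleanup step through a pipeline variable instead of being looked up a second time (the two lookups could disagree if egress changes mid-job), and the cleanup runs with `condition: always()` so a failed secret download cannot leave the firewall rule in place. It then verifies the rule is gone. The service connection name, vault name and secret names are placeholders, and the ipinfo.io lookup is the same assumption the answer makes.

```yaml
# Added example (not the answer's pipeline). Placeholders: MyServiceConnection, my-vault, secret names.
variables:
  keyVaultName: 'my-vault'                       # placeholder vault name
  azureServiceConnection: 'MyServiceConnection'  # placeholder service connection

steps:
- task: AzurePowerShell@5
  displayName: 'Open Key Vault firewall for this agent'
  inputs:
    azureSubscription: $(azureServiceConnection)
    ScriptType: InlineScript
    azurePowerShellVersion: LatestVersion
    Inline: |
      # Key Vault IP rules accept public addresses only, so record the agent's
      # public egress IP (over HTTPS) and hand it to the cleanup step as a variable.
      $ip = (Invoke-RestMethod -Uri 'https://ipinfo.io/json').ip
      if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Unexpected IP value: $ip" }
      Write-Host "##vso[task.setvariable variable=agentEgressIp]$ip"
      Add-AzKeyVaultNetworkRule -VaultName '$(keyVaultName)' -IpAddressRange $ip

- task: AzureKeyVault@1
  displayName: 'Read secrets'
  inputs:
    azureSubscription: $(azureServiceConnection)
    KeyVaultName: $(keyVaultName)
    SecretsFilter: 'DbPassword,ApiKey'   # placeholder names; fetch only what the job needs

- task: AzurePowerShell@5
  displayName: 'Close Key Vault firewall'
  condition: always()   # run even if the download failed, so the rule never stays open
  inputs:
    azureSubscription: $(azureServiceConnection)
    ScriptType: InlineScript
    azurePowerShellVersion: LatestVersion
    Inline: |
      $ip = '$(agentEgressIp)'
      Remove-AzKeyVaultNetworkRule -VaultName '$(keyVaultName)' -IpAddressRange $ip
      # Verify the temporary rule is really gone before the job ends.
      $rules = (Get-AzKeyVault -VaultName '$(keyVaultName)').NetworkAcls.IpAddressRanges
      if (($rules -contains $ip) -or ($rules -contains "$ip/32")) {
        throw "IP rule $ip is still present on $(keyVaultName)"
      }
```

Two caveats for the private-IP question itself. The Key Vault firewall only accepts public IPv4 addresses in IP rules, so the "private IP" the deployment-group machine uses cannot be whitelisted this way; the script above, like the answer's, really opens the vault to the machine's public egress address. If the machine's subnet has the Microsoft.KeyVault service endpoint enabled, a virtual network rule (`Add-AzKeyVaultNetworkRule -VaultName $vault -VirtualNetworkResourceId $subnetId`) allows the subnet without any public IP involved and does not need to be opened and closed per run; a private endpoint on the vault removes the firewall dance entirely, since the vault then answers on a private address inside the VNet.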