azure-devopsazure-virtual-networkazure-app-configurationazure-private-linkazure-private-dns

Cannot find a read write access key for the Azure App Configuration while importing keys


I am trying to import App configuration key values using DevOps CICD Pipelines. App configuration had

az appconfig kv import --profile appconfig/kvset --name <your store name> --source file --path appconfigdata.json --format json

Issue: At first App configuration is public access and used Microsoft Agent pipelines for importing and it was success. Later decided to secure access using private endpoint, So I followed all above steps and ensure everything is aligned correct. Whenever I run the pipeline, I get below issue. I explored a lot on this issue and yet unable to find the root cause.

What am i missing?

ERROR: Cannot find a read write access key for the App Configuration

YAML:

steps:
- task: AzureCLI@2
  displayName: 'Azure CLI - Update AppConfig'
  inputs:
    azureSubscription: 'Test-SPN-NonProd'
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
     az appconfig kv import -n $(tst-appconfigName) -s file --format json --path ./dev-appconfig.json --profile appconfig/kvset --y
     
     
     
    workingDirectory: '$(System.DefaultWorkingDirectory)/AzureFunctionShared/drop/AppConfig'
  condition: succeededOrFailed()

enter image description here

enter image description here

enter image description here


Solution

  • I can reproduce the issue with the same settings as you.

    enter image description here  

    The cause is that the default value of the --auth-mode parameter is key. It tries to retrieve the account access keys for authorization by default if you don't specify another value for it, even though you have toggled off the Access keys. See az appconfig kv import - Optional Parameters for details.

    enter image description here

    To resolve the issue, we can add --auth-mode login parameter in your command.

    az appconfig kv import -n $(tst-appconfigName) --auth-mode login -s file --format json --path ./dev-appconfig.json --profile appconfig/kvset --y
    

    It works as expected on my side. enter image description here

    So, please try adding --auth-mode login parameter in your command to get it work.

    UPDATE:

    Works like charm !. But facing another issue . ERROR: Operation returned an invalid status 'Forbidden' . I checked app configuration logs. It results 403 status code with client ip address 20.126.x.x.x . I have my self hosted agent resides in same VNET and same subnet.

    The issue is on the network between the agent and the app config instance. It seems that the VM is blocked by the NSG rules, please check your rule settings and reference this thread for further troubleshooting.

    BTW, per the message, the client IP seems to be a public IP. Just try to enable the third option on the Public Access tab to see if it works.

    enter image description here

    UPDATE2:

    As confirmed by PavanKumar, it turns out that App configuration resides in another resource group. The issue was resolved with help of VNET peering. Most important, providing RBAC roles to SPN.