Cannot find a read write access key for the Azure App Configuration while importing keys
I am trying to import App configuration key values using DevOps CICD Pipelines. App configuration had
Private Endpointenabled, disabled public access.private DNS zonecontainsA recordsetof app configuration.(private IP address of azure app config added to private dns zone.)Access keysare toggled off and using managed identity- DevOps: Had set up a self-hosted agent using a virtual machine that belongs to the same
VNETandsubnetas the app configuration private endpoint. - RBAC: Devops service principal has RBAC azure roles
OwnerandAzure App Configuration Data Owner - Subnet has associated with NSG and its rules are shown in snapshot.
- Had enabled
managed identityof app configuration.
az appconfig kv import --profile appconfig/kvset --name <your store name> --source file --path appconfigdata.json --format json
Issue: At first App configuration is public access and used Microsoft Agent pipelines for importing and it was success. Later decided to secure access using private endpoint, So I followed all above steps and ensure everything is aligned correct. Whenever I run the pipeline, I get below issue. I explored a lot on this issue and yet unable to find the root cause.
What am i missing?
ERROR: Cannot find a read write access key for the App Configuration
YAML:
steps:
- task: AzureCLI@2
displayName: 'Azure CLI - Update AppConfig'
inputs:
azureSubscription: 'Test-SPN-NonProd'
scriptType: pscore
scriptLocation: inlineScript
inlineScript: |
az appconfig kv import -n $(tst-appconfigName) -s file --format json --path ./dev-appconfig.json --profile appconfig/kvset --y
workingDirectory: '$(System.DefaultWorkingDirectory)/AzureFunctionShared/drop/AppConfig'
condition: succeededOrFailed()
I can reproduce the issue with the same settings as you.
The cause is that the default value of the --auth-mode parameter is key. It tries to retrieve the account access keys for authorization by default if you don't specify another value for it, even though you have toggled off the Access keys. See az appconfig kv import - Optional Parameters for details.
To resolve the issue, we can add --auth-mode login parameter in your command.
az appconfig kv import -n $(tst-appconfigName) --auth-mode login -s file --format json --path ./dev-appconfig.json --profile appconfig/kvset --y
It works as expected on my side.
So, please try adding --auth-mode login parameter in your command to get it work.
UPDATE:
Works like charm !. But facing another issue . ERROR: Operation returned an invalid status 'Forbidden' . I checked app configuration logs. It results 403 status code with client ip address 20.126.x.x.x . I have my self hosted agent resides in same VNET and same subnet.
The issue is on the network between the agent and the app config instance. It seems that the VM is blocked by the NSG rules, please check your rule settings and reference this thread for further troubleshooting.
BTW, per the message, the client IP seems to be a public IP. Just try to enable the third option on the Public Access tab to see if it works.
UPDATE2:
As confirmed by PavanKumar, it turns out that App configuration resides in another resource group. The issue was resolved with help of VNET peering. Most important, providing RBAC roles to SPN.
- How can I delete an Azure DevOps build definition that it claims is retained by a release?
- How to link test results to user story in Azure DevOps (VSTS)?
- YAML CI is flattening file structure
- How to add new secrets (from Azure Key Vault) to the variable group in Azure Devops
- Best practice for SPA rollback on Azure Static Webapp with Azure Devops Deployment?
- Azure Pipeline: Unable to locate executable file: 'gulp'. during task Gulp@1
- Azure Pipeline dynamic parameters to template file from YAML pipeline
- How to Simplify a Complex Azure DevOps Release Pipeline with 11 Environments and Unique Task
- (Azure DevOps Testplans) Is it possible to associate an automated Test to a testcase without Visual Studio?
- Can't update Azure Pipepline. Error: Failed to fetch App Service publishing credentials
- View is not found when a Web App is deployed with Azure DevOps
- Re-checking for merge conflicts in VSTS (Azure DevOps)
- How to pass Environment Variables to Helmfile Values file
- Create a new pipeline from existing YML file in the repository (Azure Pipelines)
- How to reference a secret variable from an AzurePowerShell@5 task
- How can you insert suggestions on a PR in Azure Devops?
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- Azure-DevOps clone shows references as warnings
- Is it possible to rename a release?
- How to assign test point to a tester in Azure DevOps with API
- Access Azure Devops Query Results Using C#
- What does --runAsAutoLogon do when configuring an Azure Devops Windows self-hosted agent?
- How to export multiple Azure DevOps Variable Groups?
- Passing branch names between pipelines
- Show list of work items I am following in VSTS?
- Prevent Azure Pipelines from failing build: No Agent Found in Pool which satisfies demand
- How do I get my Azure DevOps Pipeline build to fail when my linting script returns an error?
- Encountered conflicts when cherry-picking commit . This operation needs to be performed locally error in Azure DevOps
- Adding / setting Virtual Applications (Path mappings) to a Web App (App Service Azure) - via Powershell Script
- How do I filter releases for a specific Environment (Stage)?