
SP read request to Keyvault secrets fail with access denied #277

Closed · 1 task
TechnicallyWilliams opened this issue Sep 5, 2019 · 1 comment
Labels: bug (Something isn't working), pri-High (High priority issue)

Comments

@TechnicallyWilliams (Contributor) commented Sep 5, 2019

Background:

Deployment service principal with "owner" and/or "reader" role of the keyvault resource is not able to read stored secrets during some ISO template integration tests.

The deployments that have run into this error have done so on subsequent deployments. Initial deployments have not surfaced this permissions error.

Description

Investigate a permanent fix or work around for keyvault read permissions.

Acceptance Criteria

Reference: [Done-Done Checklist](https://github.com/Microsoft/code-with-engineering-playbook/blob/master/Engineering/BestPractices/DoneDone.md)

  • Evidence that a deployment service principal can read secrets from keyvault during ISO template integration tests.

Also, here are a few points that need to be addressed:

  1. One theory is that the additional app service service principal created during the initial deployment is the source of the problem.
  2. It might be a product bug: https://blogs.technet.microsoft.com/kv/2018/08/31/announcing-virtual-network-service-endpoints-for-key-vault-preview/
  3. Turns out this was not a product bug issue or naming collision issue. Instead, multiple deployments were sharing a keyvault resource that was only configurable for a single deployment service principal.

Resources

Deployment Error: (screenshots not reproduced)

Tasks

Assignee should break down work into tasks here
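A check for the root cause described in point 3 above, added here as an example and not code from this repository: it reads the access-policy array in the JSON that `az keyvault show -o json` returns (the vault below is a constructed stand-in with placeholder object IDs) and reports which deployment service principals have no policy entry granting `get` on secrets. Owner or Reader on the vault resource is a control-plane role and does not by itself grant data-plane secret reads under the access-policy model, so each deployment SP that shares a vault needs its own entry.

```python
from __future__ import annotations
import json

# Constructed sample shaped like the output of `az keyvault show -o json`.
# Object IDs and tenant ID are placeholders, not values from any real tenant.
SAMPLE_VAULT = json.dumps({
    "name": "shared-kv",
    "properties": {
        "accessPolicies": [
            {
                "objectId": "11111111-1111-1111-1111-111111111111",
                "tenantId": "00000000-0000-0000-0000-000000000000",
                "permissions": {"keys": [], "secrets": ["get", "list", "set"], "certificates": []},
            }
        ]
    },
})


def secret_readers(vault_json: str) -> set[str]:
    """Object IDs whose access policy grants 'get' (or 'all') on secrets."""
    vault = json.loads(vault_json)
    readers: set[str] = set()
    for policy in vault["properties"]["accessPolicies"]:
        perms = {p.lower() for p in policy["permissions"].get("secrets", [])}
        if perms & {"get", "all"}:
            readers.add(policy["objectId"].lower())
    return readers


def missing_readers(vault_json: str, deployment_sps: list[str]) -> list[str]:
    """Deployment SP object IDs that would get 'access denied' on a secret read.

    RBAC Owner/Reader on the vault resource does not grant data-plane access;
    a second deployment sharing the vault fails unless it has its own policy.
    """
    readers = secret_readers(vault_json)
    return sorted(sp for sp in deployment_sps if sp.lower() not in readers)


if __name__ == "__main__":
    # Two deployments sharing one vault; only the first SP has a policy entry.
    sps = ["11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"]
    print(missing_readers(SAMPLE_VAULT, sps))  # ['22222222-2222-2222-2222-222222222222']
```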

@KeithJRome (Contributor) commented:

We believe that this is solved with #281

@KeithJRome KeithJRome self-assigned this Sep 9, 2019
3 participants