I couldn’t think of a title for this one that wasn’t ridiculously long so to help future Googlers, here’s what we were trying to do:
- Authenticate against Azure Key Vault
- using a Service Principal
- using Azure AD Service Authentication
- Rrom our build server
- Running an Azure Devops build agent
Whew. Basically we had some integration tests that retrieve a database connection string from an Azure Key Vault, and needed Azure Devops to be able to run those tests on our build server. Which meant it has to authenticate with its own service principal in Azure AD as described in here: https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#running-the-application-using-a-service-principal
We were using the certificate-based method, to request a token to access the Key Vault, but it wasn’t working :( In case I run into this again, here’s the steps we had to go through to sort it out:
- Don’t get the cert thumbprint from the certificate properties, get them from Powershell where it’ll be formatted properly without all the spaces
- Remove all the braces from the environment variable. It sounds obvious in retrospect but considering how often things that have to be {formatted_like_this}, we missed it.
- Add the Service Principal’s Application (not the service principal itself) to the Key Vault
- Change the build agent to run as “Local System” account - it installs itself as “Network Service” by default, but that account didn’t have access to the cert store that we had put the certificate in. There’s probably a better way to do this - let me know what it is!