
I am trying to import App Configuration key-values using DevOps CI/CD pipelines. The App Configuration store had:

  • Private endpoint enabled and public access disabled. The private DNS zone contains an A record set for the App Configuration store (the private IP address of the Azure App Configuration store was added to the private DNS zone).
  • Access keys toggled off; using managed identity.
  • DevOps: I had set up a self-hosted agent on a virtual machine that belongs to the same VNET and subnet as the App Configuration private endpoint.
  • RBAC: The DevOps service principal has the Azure RBAC roles Owner and App Configuration Data Owner.
  • The subnet is associated with an NSG, and its rules are shown in the snapshot.
  • The managed identity of the App Configuration store is enabled.

az appconfig kv import --profile appconfig/kvset --name <your store name> --source file --path appconfigdata.json --format json

Issue: At first the App Configuration store had public access and I used Microsoft-hosted agent pipelines for the import, and it succeeded. Later I decided to secure access using a private endpoint, so I followed all the above steps and made sure everything was configured correctly. Whenever I run the pipeline, I get the issue below. I have explored this issue a lot and am still unable to find the root cause.

What am I missing?

ERROR: Cannot find a read write access key for the App Configuration

YAML:

steps:
- task: AzureCLI@2
  displayName: 'Azure CLI - Update AppConfig'
  inputs:
    azureSubscription: 'Test-SPN-NonProd'
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
      az appconfig kv import -n $(tst-appconfigName) -s file --format json --path ./dev-appconfig.json --profile appconfig/kvset --y
    workingDirectory: '$(System.DefaultWorkingDirectory)/AzureFunctionShared/drop/AppConfig'
  condition: succeededOrFailed()


  • How about running the same command directly from the virtual machine? Does it have the same issue? Commented Jan 16, 2024 at 2:48

1 Answer

I can reproduce the issue with the same settings as you.


The cause is that the default value of the --auth-mode parameter is key. It tries to retrieve the store's access keys for authorization by default if you don't specify another value, even though you have toggled off the access keys. See az appconfig kv import - Optional Parameters for details.

To resolve the issue, we can add the --auth-mode login parameter to your command.

az appconfig kv import -n $(tst-appconfigName) --auth-mode login -s file --format json --path ./dev-appconfig.json --profile appconfig/kvset --y

It works as expected on my side.

So, please try adding the --auth-mode login parameter to your command to get it working.

UPDATE:

Works like a charm! But I'm facing another issue: ERROR: Operation returned an invalid status 'Forbidden'. I checked the App Configuration logs. They show a 403 status code with client IP address 20.126.x.x.x. My self-hosted agent resides in the same VNET and same subnet.

The issue is in the network between the agent and the App Configuration instance. It seems that the VM is blocked by the NSG rules; please check your rule settings and refer to this thread for further troubleshooting.

BTW, per the message, the client IP seems to be a public IP. Try enabling the third option on the Public Access tab to see if it works.

UPDATE2:

As confirmed by PavanKumar, it turns out that the App Configuration store resides in another resource group. The issue was resolved with the help of VNET peering. Most importantly, providing RBAC roles to the SPN.
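A preflight script that ties the two findings together, added here as an example and not part of the original answer: it checks that the agent resolves the store's endpoint to a private (RFC 1918) address, i.e. that the private DNS zone is answering rather than the public endpoint that produced the 403 with a public client IP, and only then runs the import with --auth-mode login. The store hostname suffix .azconfig.io is assumed to be the store's endpoint; the store name and file path are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the answer's own code). Run on the self-hosted agent.
set -eu

# Return 0 if a dotted-quad IPv4 address is in an RFC 1918 private range
# (10/8, 172.16/12, 192.168/16); anything else is treated as public.
is_private_ipv4() {
  local ip="$1" a b rest
  a=${ip%%.*}
  rest=${ip#*.}
  b=${rest%%.*}
  case "$a" in
    10) return 0 ;;
    172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;
    192) [ "$b" -eq 168 ] && return 0 ;;
  esac
  return 1
}

# First address the agent's resolver returns for the store endpoint.
# Assumption: the endpoint is "<store>.azconfig.io" and getent is available.
resolve_store_ip() {
  getent hosts "$1.azconfig.io" | awk 'NR==1 {print $1}'
}

# Import a kvset file, but refuse to run if DNS points at the public endpoint:
# a public address means the request leaves the VNET and is rejected (403)
# because public access on the store is disabled.
import_kvset() {
  local store="$1" file="$2" ip
  ip=$(resolve_store_ip "$store") || true
  if [ -z "$ip" ] || ! is_private_ipv4 "$ip"; then
    echo "DNS for $store.azconfig.io returned '${ip:-nothing}', not a private endpoint address" >&2
    return 2
  fi
  # --auth-mode login: authenticate with the signed-in identity (the pipeline's
  # service connection or managed identity) instead of the disabled access keys.
  az appconfig kv import -n "$store" --auth-mode login -s file --format json \
    --path "$file" --profile appconfig/kvset --yes
}

# Usage (placeholders): import_kvset "<your store name>" ./dev-appconfig.json
```

If the script reports a public address, fix the private DNS zone link or the VNET peering first; changing NSG rules will not help while the name resolves to the public endpoint.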

6 Comments

Works like a charm! But I'm facing another issue: ERROR: Operation returned an invalid status 'Forbidden'. I checked the App Configuration logs. They show a 403 status code with client IP address 20.126.x.x.x. My self-hosted agent resides in the same VNET and same subnet.
@PavanKumarGVVS It seems that the VM is blocked by the NSG rule; please check your rule settings and make sure the VM is allowed to access the App Configuration data. See the updated answer for details.
Once again, thanks. But the issue is not related to NSG rules; my DNS lookup is not returning the proper private IP address even after configuring proper private DNS zone resolution. I would be happy to chat with you. Can we have a private chat?
@PavanKumarGVVS It's obviously a network problem; you need to check your network settings. I would be happy to chat, but I'm not familiar with the network settings here. It is recommended that you check the settings item by item. For example, disable the rules/settings one by one and check the behavior to see which one is causing the problem.
@PavanKumarGVVS May I know if you have resolved the IP block issue? I just want to check if there is anything I can do for you.
