我想我应该对 Prodip 提供的解决方案进行一些修改。这依赖于这样一个事实:当您请求机密时,az 客户端会很友好地告诉您您的客户端 IP 地址是什么,即:
az keyvault secret show -n "a-known-client-secret" --vault-name "$keyVaultName"
Attempting to get value for known secret from key vault: '******'
ERROR: Client address is not authorized and caller is not a trusted service.
Client address: 1.1.1.1
Caller: appid=***;oid=****;iss=https://sts.windows.net/***/
Vault: ******;location=******
这是我的 bash 脚本(whitelist-agent-for-key-vault.sh):
#!/usr/bin/env bash
## By default the Azure DevOps IP addresses are NOT whitelisted for key vault access. So even if the service principal has access, you won't get past the firewall.
## The solution is to temporarily add the build agent IP address to the key vault firewall, and remove it when the pipeline is complete.
if [[ $(uname -s) == "Linux" ]]; then
azcmd="az"
else
# If we're in a bash shell on Windows, az commands don't work, but we can call the az.cmd batch file directly from git Bash if we can find it...
azcmd=$(where az.cmd)
fi
# Are we removing rather than setting?
if [[ $1 == "-r" ]]; then
if [[ -z "$3" ]]; then
echo "Build agent IP address is empty, no whitelist entry to remove from key vault: '$2'"
else
echo "Removing key vault '$2' network rule for DevOps build agent IP address: '$3'"
# Remember to specify CIDR /32 for removal
"$azcmd" keyvault network-rule remove -n $2 --ip-address $3/32
fi
exit 0
fi
keyVaultName=$1
########################################################################
##### This is the known secret which we request from the key vault #####
########################################################################
knownSecret="<My known secret>"
echo "Attempting to get value for known secret from key vault: '$keyVaultName'"
# Attempt to show secret - if it doesn't work, we are echoed our IP address on stderror, so capture it
secretOutput=$("$azcmd" keyvault secret show -n "$knownSecret" --vault-name "$keyVaultName" 2>&1)
buildAgentIpAddress=$(echo $secretOutput | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")
set -euo pipefail
if [[ ! -z "$buildAgentIpAddress" ]]; then
# Temporarily whitelist Azure DevOps IP for key vault access.
# Note use of /32 for CIDR = 1 IP address. If we omit this Azure adds it anyway and fails to match on the IP when attempting removal.
echo "Azure DevOps IP address '$buildAgentIpAddress' is blocked. Attempting to whitelist..."
"$azcmd" keyvault network-rule add -n $keyVaultName --ip-address $buildAgentIpAddress/32
# Capture the IP address as an ADO variable, so that this can be undone in a later step
echo "##vso[task.setvariable variable=buildAgentIpAddress]$buildAgentIpAddress"
else
# We didn't find the IP address - are we already whitelisted?
secretValue=$(echo $secretOutput | grep -o "value")
if [[ -z "$secretValue" ]]; then
echo "Unexpected response from key vault whitelist request, json attribute 'value' not found. Unable to whitelist build agent - response was: '$secretOutput'"
exit 1
fi
fi
将IP添加到白名单的方法如下:
# Add agent IP to key vault white list
- task: AzureCLI@2
displayName: Add Azure DevOps build agent IP to key vault white list
inputs:
azureSubscription: ${{ parameters.azureSubscription }}
scriptType: bash
scriptLocation: scriptPath
scriptPath: $(Pipeline.Workspace)/server-build-tools/drop/build-scripts/whitelist-agent-for-key-vault.sh
arguments: '$(keyVaultName)'
这是我从白名单中删除IP的方法
- task: AzureCLI@2
displayName: Remove Azure DevOps build agent IP from key vault white list
condition: always()
inputs:
azureSubscription: ${{ parameters.azureSubscription }}
scriptType: bash
scriptLocation: scriptPath
scriptPath: $(Pipeline.Workspace)/server-build-tools/drop/build-scripts/whitelist-agent-for-key-vault.sh
arguments: '-r "$(keyVaultName)" "$(buildAgentIpAddress)"'
Caveats:
- 这依赖于 Azure DevOps 服务主体已被授予对密钥保管库机密的读取访问权限
- 更换
knownSecret
值与您已知秘密的名称
Bonus:
这可以使用 Azure CLI 运行,并已在适用于 Linux 的 Azure DevOps 和在 Git bash 下运行的 Windows 构建代理上进行了测试。通常,如果您尝试在 Git Bash 中运行“az”命令,您只会收到“找不到命令”。我想要一个适用于两者的解决方案,因为由于 Linux / Windows 构建要求,我需要共享代码。