To resolve Azure Key Vault references within App Configuration, the service connection must also be granted permission to read secrets in the referenced Azure Key Vaults.
Parameters of the task:
Azure Subscription: Select the service endpoint for the Azure Subscription where the Azure App Configuration instance is created. To configure a new service connection, select the Azure subscription from the list and click Authorize. If your subscription is not listed or if you want to use an existing Service Principal, you can setup an Azure service connection using the Manage link.
App Configuration Name: Provide the name of the App Configuration from which the key-values need to be pulled.
Key Filter: The filter can be used to select what key-values are requested from Azure App Configuration. A value of * will select all key-values. Reference for key-values query.
Label: Specifies which label should be used when selecting key-values from App Configuration. If no label is provided then key-values with the null label will be retrieved. The following characters are not allowed: ,*.
Trim Key Prefix: Specifies one or more prefixes that should be trimmed from App Configuration keys before setting them as variables. Multiple prefixes can be separated by a new-line character.
Use key-values in subsequent tasks
The key-values that are fetched from Azure App Configuration are set as environment variables. The key of the environment variable is the key of the key-value that is retrieved from Azure App Configuration.
For example, if a subsequent task runs a powershell script, it could consume a key-value with the key 'myBuildSetting' like this:
And the value will be printed to the console.
How do I compose my configuration from multiple keys and labels?
There are times when configuration may need to be composed from multiple labels, for example, default and dev. Multiple App Configuration tasks may be used in one pipeline to achieve this. The key-values fetched by a task in a later step will supersede any values from previous steps. In the aforementioned example, a task can be used to select key-values with the default label while a second task can select key-values with the dev label. The keys with the dev label will override the same keys with the default label.
If the task fails to retrieve expected key-values from Azure App Configuration, debug logs can be enabled by setting the pipeline variable system.debug to true.
Error message: Access to 'https://example.azconfig.io' was denied. Please ensure the required role assignment is made for the identity running this task.
Version 2.* and above require the service principal used by the task to be a part of the "Azure App Configuration Data Reader" or "Azure App Configuration Data Owner" roles for the target App Configuration instance. Version 1.* requires the "Contributor" role instead.
Error message: Access to 'https://example.vault.azure.net/secrets/secretName' was denied. Please ensure the required role assignment is made for the identity running this task.
Please connect the service connection to target Key Vault by follow step Authorize service connection.