KeyVault access in PR pipeline

Open · mazhelez opened this issue 3 months ago · 0 comments

Discussed in https://github.com/microsoft/AL-Go/discussions/1946

Originally posted by jwikman, October 2, 2025:

We've got several AppSource apps that use KeyVault for our secrets.

Now I need to configure AL-Go to connect to the KeyVaults when running tests.

I've followed the instructions in https://github.com/microsoft/AL-Go/blob/main/Scenarios/EnableKeyVaultForAppSourceApp.md to create the secrets. I then configured .AL-Go/settings.json in my repo, created a PR and ran the PR workflow.

I can see that the secrets are successfully read, since I get this output in the Build step:

Secrets: {"keyVaultCertificateUrl":"***","keyVaultCertificatePassword":"***","keyVaultClientId":"***","gitHubPackagesContext":"***","AZURE_CREDENTIALS":"***","gitSubmodulesToken":"***","licenseFileUrl":"","applicationInsightsConnectionString":"","-gitSubmodulesToken":""}

But for some reason, these secrets are not used when creating the container.

This is what is written as the parameters used when creating the container:

Parameters
    _____                               _
   |  __ \                             | |
   | |__) |_ _ _ __ __ _ _ __ ___   ___| |_ ___ _ __ ___
   |  ___/ _` | '__/ _` | '_ ` _ \ / _ \ __/ _ \ '__/ __|
   | |  | (_| | | | (_| | | | | | |  __/ |_  __/ |  \__ \
   |_|   \__,_|_|  \__,_|_| |_| |_|\___|\__\___|_|  |___/
  
  Pipeline name                   Pull Request Build
... removed some lines...
  KeyVaultCertPfxFile             Not specified
  KeyVaultCertPfxPassword         Not specified
  KeyVaultClientId                

And the code also behaves as if it cannot connect to our KeyVault.

What am I missing here? 🤔

Edit: I managed to get the KeyVault access to work locally, using the localDevEnv.ps1 script. But to get that to work, I had to add the setting keyVaultName, since that logic was guarded by that setting being set. This was not documented, from what I can find. The docs for keyVaultName say "When using Azure KeyVault for the secrets used in your workflows, the KeyVault name needs to be specified in this setting if it isn't specified in the AZURE_CREDENTIALS secret.", and we are using AZURE_CREDENTIALS with the KeyVault name in it.

But even with keyVaultName, it does not work in a workflow.

Since it works in local dev env, it should be correctly set up, shouldn't it?

Internal work item: AB#609311

mazhelez, Oct 07 '25 14:10
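A check that separates the two questions in the report above (can the service principal in AZURE_CREDENTIALS actually read the three secrets from the vault, versus does AL-Go pass them on to container creation). This is an added diagnostic written for this page, not AL-Go's own code and not from the original post. It assumes AZURE_CREDENTIALS is the usual service-principal JSON (clientId, clientSecret, tenantId, subscriptionId) with an optional keyVaultName property, that the Az.Accounts and Az.KeyVault modules are installed, and that the vault holds secrets named keyVaultCertificateUrl, keyVaultCertificatePassword and keyVaultClientId as in the scenario document. The keyVaultName property name inside the JSON is an assumption based on the documentation quoted in the post.

```powershell
# Added diagnostic, not part of AL-Go. Assumptions:
#  - $env:AZURE_CREDENTIALS holds the same JSON as the AZURE_CREDENTIALS repository secret
#    ({"clientId","clientSecret","tenantId","subscriptionId", optional "keyVaultName"})
#  - Az.Accounts and Az.KeyVault are installed (Install-Module Az.Accounts, Az.KeyVault)
#  - the vault holds the three secrets named in EnableKeyVaultForAppSourceApp.md
param(
    [string]   $CredentialsJson = $env:AZURE_CREDENTIALS,
    # Equivalent of the keyVaultName setting: if given, it wins over the value in the JSON
    [string]   $KeyVaultName = '',
    [string[]] $SecretNames = @('keyVaultCertificateUrl', 'keyVaultCertificatePassword', 'keyVaultClientId')
)
$ErrorActionPreference = 'Stop'

if ([string]::IsNullOrWhiteSpace($CredentialsJson)) { throw 'AZURE_CREDENTIALS is empty or not set' }
$creds = $CredentialsJson | ConvertFrom-Json

# The service-principal fields every consumer of AZURE_CREDENTIALS needs
foreach ($field in 'clientId', 'clientSecret', 'tenantId') {
    if (-not $creds.PSObject.Properties[$field] -or [string]::IsNullOrWhiteSpace($creds.$field)) {
        throw "AZURE_CREDENTIALS is missing the '$field' property"
    }
}

# Resolve the vault name the way the docs describe: explicit setting first, then the JSON
$vault = if ($KeyVaultName) { $KeyVaultName }
         elseif ($creds.PSObject.Properties['keyVaultName']) { $creds.keyVaultName }
         else { '' }
if ([string]::IsNullOrWhiteSpace($vault)) {
    throw 'No KeyVault name found: set keyVaultName in settings.json or put keyVaultName in AZURE_CREDENTIALS'
}
Write-Host "Using KeyVault '$vault' as service principal $($creds.clientId)"

# Authenticate as the service principal (client-secret flow), same identity the workflow uses
$secure = ConvertTo-SecureString $creds.clientSecret -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($creds.clientId, $secure)
Connect-AzAccount -ServicePrincipal -Credential $psCred -Tenant $creds.tenantId | Out-Null

# Read each secret; report only presence and length, never the value itself
$results = @{}
foreach ($name in $SecretNames) {
    try {
        $value = Get-AzKeyVaultSecret -VaultName $vault -Name $name -AsPlainText
        $results[$name] = if ([string]::IsNullOrEmpty($value)) { 'EMPTY' } else { "ok ($($value.Length) chars)" }
    }
    catch {
        # Typical causes: secret does not exist, or the SP lacks 'Get' secret permission / the
        # 'Key Vault Secrets User' role on this vault
        $results[$name] = "FAILED: $($_.Exception.Message)"
    }
}

$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    Write-Host ('{0,-32} {1}' -f $_.Name, $_.Value)
}
if (@($results.Values) -match '^(FAILED|EMPTY)') { exit 1 }
```

If every secret reports ok here with the same JSON the repository secret contains, the vault, the service principal and its permissions are not the problem and the remaining gap is between the workflow's "Secrets:" line and the container parameters; if a read fails here, fix the vault access before looking at AL-Go settings.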