Azure Load Test is not recognized as a trusted resource to bypass Key Vault firewall #117

Closed
cathalmchale opened this issue Nov 4, 2022 · 11 comments
Labels
enhancement New feature or request


cathalmchale commented Nov 4, 2022

Describe the bug
Azure Load Test can access Key Vault only if it is set up to allow access from All public networks. If Key Vault chooses to limit public access to specific vnets, then Load Test can no longer fetch secrets. This is true even when the "allow trusted Microsoft services" option is selected:

image

To Reproduce
Steps to reproduce the behavior:

  1. Set up two Key Vault instances - one that allows access to all public networks and one that limits access to specific vnets.
  2. Add an access policy to both Key Vault instances to allow Secret Get - use the same managed identity in both cases.
  3. Create a Load Testing instance. Configure the Identity as User managed and set the identity to the same added to the Key Vault access policy.
  4. Create a test that injects a secret. I set the value to the URL of the more private Key Vault secret.
  5. Run the test - observe that when you leave the value pointing to the more private Key Vault, it fails to start the test, but when you change the value to the more public Key Vault it runs successfully.

Expected behavior
Should be able to access the more private Key Vault - either by being able to specify a vnet when creating the Load Testing instance, or by having Azure Load Testing be a "trusted Microsoft resource" that can still gain access to the Key Vault.

Screenshots
Private vs Public Key Vault. As in steps to repro, the access policies in both Key Vaults are the same, using the same identity. Then the same Load Test is used to trigger a success and a failure, varying only the URL of the Key Vault secret.

image

The more private Key Vault looks like this:

image

image

Additional context
Have tried with both User managed and System managed identities.

AB#1665865

@Sachid26
Contributor

Hi @cathalmchale, currently this is not supported by the service, and we have added this to our backlog. We will report back once we implement this.

karkavi980 commented Mar 8, 2023

Hi @Sachid26 - any update on this feature? Is there any workaround?

@karkavi980

Hi - Any update on this feature? Is there any workaround?

@markditianquin

Bump... Any update?

denhsu commented Aug 4, 2023

Bump... Any update?

ffurrer2 commented Sep 8, 2023

Bump... Any update?

@BlauerPulli

Bump... Any update?

@sulabh-msft

Azure Load Testing service now supports Azure key vaults behind a firewall or a private virtual network.

https://learn.microsoft.com/en-nz/azure/load-testing/how-to-parameterize-load-tests#create-a-secret-in-azure-key-vault

If you restricted access to your Azure key vault by a firewall or virtual networking, follow these steps to grant access to trusted Azure services.
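
Added example, not part of any comment in this thread and not Microsoft's code: a small audit that classifies a vault's firewall posture and models both the failure reported in the issue and the behaviour after the fix. It assumes the `networkAcls` fields (`defaultAction`, `bypass`, `virtualNetworkRules`) as returned by `az keyvault show`; the vault names, the subnet placeholder and the `on_trusted_list` parameter are constructed for illustration, and the admission logic is a simplified model.

```python
import json

# Constructed samples shaped like the "properties" object of `az keyvault show`.
# Vault names and the subnet ID are placeholders, not values from the issue.
SAMPLE_VAULTS = json.loads("""
[
  {"name": "kv-public",
   "properties": {"networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                                  "virtualNetworkRules": []}}},
  {"name": "kv-private",
   "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                                  "virtualNetworkRules": [{"id": "<subnet-resource-id>"}]}}},
  {"name": "kv-locked",
   "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "None",
                                  "virtualNetworkRules": []}}}
]
""")


def firewall_posture(vault):
    """Return 'open', 'restricted+trusted-bypass' or 'restricted'."""
    acls = vault.get("properties", {}).get("networkAcls") or {}
    # Assumption of this model: a vault without a networkAcls block is open.
    if acls.get("defaultAction", "Allow") == "Allow":
        return "open"
    if acls.get("bypass", "None") == "AzureServices":
        return "restricted+trusted-bypass"
    return "restricted"


def service_can_reach(vault, on_trusted_list):
    """Can a platform service with no subnet of its own pass the vault firewall?

    Passing the firewall is necessary but not sufficient: the managed identity
    still needs Secret Get on the vault, as in step 2 of the repro.
    """
    posture = firewall_posture(vault)
    if posture == "open":
        return True
    return posture == "restricted+trusted-bypass" and on_trusted_list


def audit(vaults, on_trusted_list):
    """Map vault name -> (posture, reachable by the calling service)."""
    return {v["name"]: (firewall_posture(v), service_can_reach(v, on_trusted_list))
            for v in vaults}


if __name__ == "__main__":
    for trusted in (False, True):
        print("caller on trusted list:", trusted, audit(SAMPLE_VAULTS, trusted))
```

A vault reported as `open` is the configuration the original workaround required, so it is the one to flag once the trusted-service bypass is available.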

@sulabh-msft

@Nagarjuna-Vipparthi Can we close the issue now?

karkavi980 commented Apr 8, 2024 via email

@Nagarjuna-Vipparthi
Collaborator

Requested feature is now supported. Closing the issue.
