[CoE Starter Kit - QUESTION] Documentation around Azure Secret usage #4406

Closed
MichaelRoth42 opened this issue Dec 10, 2022 · 17 comments
Labels
coe-starter-kit CoE Starter Kit issues documentation Improvements or additions to documentation

Comments

@MichaelRoth42

What is your question?

My user account is Power Platform Administrator, has the “Key Vault Secrets User” role for the key vault, as well as the “Reader” role inherited from the resource group the key vault is in.

As soon as I try to update the core components, I get the error message
“Solution "Center of Excellence - Core Components" failed to import: User is not authorized to read secrets from [...] ” (Error Code 8004801E)

This feels like a bug, but I guess I'm just missing something important. I ran out of ideas, can somebody help me out here?

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.2

What app or flow are you having the issue with?

importing the solution

@MichaelRoth42 MichaelRoth42 added coe-starter-kit CoE Starter Kit issues question Further information is requested labels Dec 10, 2022
@Jenefer-Monroe
Collaborator

Jenefer-Monroe commented Dec 12, 2022

We have seen a few people see something like this for initial setup. I believe the solution was that you need to leave this particular env var type (secret types) blank until after import.
Can you try to remove the secret, upgrade, and re-add? Does that work?

@MichaelRoth42
Author

I already imported the solution with the Global Admin account. That worked without any issues, but is there any documentation about requirements regarding the role in Azure?

@Jenefer-Monroe
Collaborator

I don't have any at the moment but I can use this bug to track as a documentation item.
Can you confirm before I do so, are you now unblocked?

@MichaelRoth42
Author

Yes, it worked.

If you could track a doc item, that would be great. As always, I volunteer for any kind of test 😇

@Jenefer-Monroe
Collaborator

Wonderful news. Thank you!

@Jenefer-Monroe Jenefer-Monroe changed the title [CoE Starter Kit - QUESTION] Import failed - user not authorized to read secrets [CoE Starter Kit - QUESTION] Documentation around Azure Secret usage Dec 12, 2022
@Jenefer-Monroe
Collaborator

Documentation to include

  • Permissions needed in Azure
  • Setup steps in Azure
  • Setup steps to integrate with Power Platform Env Vars

@wiskaso

wiskaso commented Apr 27, 2023

Has there been a change to the requirements of using Environment variables backed by Azure Key Vault secrets? As of late, when importing solutions that contain this type of component I'm getting the error above. I'm getting that via the ALM pipeline templates; through the UI I am still able to import the solutions successfully.

@Jenefer-Monroe
Collaborator

No, there has not. If you are experiencing that, it sounds like a bug in the ALM Accelerator; please post a bug for them.
Thank you!

@tkudya

tkudya commented Jun 2, 2023

I am facing the same problem using Azure Key Vault when setting up Collect audit log data using an HTTP Call.

The account can access the key vault if I go to the key vault directly.

@Jenefer-Monroe
Collaborator

Hello. Unfortunately this documentation requirement has not yet made it into our priority list; we are a very small team. You will need to contact product support to get assistance on how to use secret type env vars at the moment if you are unable to do so from their existing documentation.

@robertfinkley

Hi, I'm having the same issue as the original posting. Even using the Global Administrator I am unable to get the Core Components upgraded. I created a Sandbox environment and copied our CoE environment to it and did not run into this issue. Any help would be appreciated!

@Jenefer-Monroe
Collaborator

Please contact product support. The key vault integration is just something we use, so if it's not working it would be a product issue or product configuration. They will be able to assist you in using Azure Key Vault and env vars.

@poidah

poidah commented Jun 14, 2023

I have the same error with version 4.8 of the Core Components.

No matter what I do I cannot set the value for the environment variable called "Azure Key Vault Secret". I have tried in the setup wizard and I have tried leaving it blank and attempted to set it later as well...

This is after following all Microsoft documentation I could find... :(

The user I am installing with has:

  • The Power Platform Admin role
  • Key Vault Reader permissions to the Azure Vault
  • Key Vault Secrets User permissions to the Azure Vault
  • Can view the key and the secret in the browser (Azure portal)

Microsoft.PowerPlatform is registered under "Subscriptions" in the Azure Portal

I can't change any of the flows or apps in the solution as it is "managed".

How was this tested? As it looks like there is a dealbreaker right from the start...

@tkudya

tkudya commented Jun 14, 2023

I believe I have found the solution.

In the documentation: https://learn.microsoft.com/en-us/power-apps/maker/data-platform/EnvironmentVariables.

Your account, or the account that will be saving the secret, will need Key Vault Secrets User permissions,
and
the Dataverse Service Principal Application will require access as well, with the Key Vault Secrets User permissions to the key vault.
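The permission check described in the comment above, as an added example that is not part of the thread or of the CoE Starter Kit: it reads role assignments in the shape `az role assignment list` emits and reports which of the two principals lacks Key Vault Secrets User on the vault. All IDs, resource names and the sample data are constructed, and it assumes the vault uses Azure RBAC rather than access policies.

```python
REQUIRED_ROLE = "Key Vault Secrets User"  # role named in the thread

# Constructed sample data (placeholder IDs and names, not from the thread).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-coe"
VAULT_ID = RG + "/providers/Microsoft.KeyVault/vaults/kv-coe-prod"
USER = "11111111-1111-1111-1111-111111111111"
DATAVERSE_SP = "22222222-2222-2222-2222-222222222222"
PRINCIPALS = {"Importing user": USER, "Dataverse service principal": DATAVERSE_SP}
SAMPLE = [
    {"principalId": USER, "roleDefinitionName": "Reader", "scope": RG},
    {"principalId": USER, "roleDefinitionName": REQUIRED_ROLE, "scope": VAULT_ID},
    # Role on a different vault whose name is a prefix of the target vault's.
    {"principalId": DATAVERSE_SP, "roleDefinitionName": REQUIRED_ROLE,
     "scope": RG + "/providers/Microsoft.KeyVault/vaults/kv-coe"},
]


def scope_covers(scope, resource_id):
    """True if an assignment at `scope` is inherited by `resource_id`.

    Handles subscription, resource-group and resource scopes; management-group
    scopes are not resolved here. The "/" boundary stops `kv-coe` from
    matching `kv-coe-prod`.
    """
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return s == "" or r == s or r.startswith(s + "/")


def missing_principals(assignments, vault_id, principals):
    """Return the labels of principals that lack REQUIRED_ROLE on the vault."""
    missing = []
    for label, object_id in principals.items():
        granted = any(
            a["principalId"].lower() == object_id.lower()
            and a["roleDefinitionName"] == REQUIRED_ROLE
            and scope_covers(a["scope"], vault_id)
            for a in assignments
        )
        if not granted:
            missing.append(label)
    return missing


if __name__ == "__main__":
    for label in missing_principals(SAMPLE, VAULT_ID, PRINCIPALS):
        print(f"{label}: no '{REQUIRED_ROLE}' assignment covering {VAULT_ID}")
```

In the sample, the importing user passes and the Dataverse service principal is reported, which matches the situation in the original question where the user held the role and the import still failed.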

@Jenefer-Monroe
Collaborator

Thanks so much for sharing your investigation findings!

@Jenefer-Monroe Jenefer-Monroe added documentation Improvements or additions to documentation and removed question Further information is requested labels Jun 14, 2023
@manuelap-msft
Contributor

We already link to https://learn.microsoft.com/en-us/power-apps/maker/data-platform/EnvironmentVariables from our documentation. I made a change to specifically call out "review the pre-requisites" from this article.

@CoEStarterKitBot
Collaborator

@MichaelRoth42 This has been fixed in the latest release. Please install the latest version of the toolkit following the instructions for installing updates. Note that if you do not remove the unmanaged layers as described there you will not receive updates from us.
