Azure Pipeline Scaler with Key Vault Trigger Authentication #6139
-
Hello, any way someone can clarify how exactly the personalAccessToken manifests itself in the scaled job agent? I'm getting an "AZP_TOKEN" missing error, but I'm not sure if the personalAccessToken parameter from the trigger authentication, which is using Azure Key Vault, is being injected as an environment variable.

https://keda.sh/docs/2.15/scalers/azure-pipelines/

Key Vault Trigger Authentication:

```yaml
azureKeyVault: # Optional.
  vaultUri: {key-vault-address} # Required.
  credentials:
    clientId: {azure-ad-client-id}
    clientSecret:
      valueFrom:
        secretKeyRef:
          name: {k8s-secret-with-azure-ad-secret}
          key: {key-within-the-secret}
    tenantId: {azure-ad-tenant-id}
  cloud:
    type: AzureUSGovernmentCloud
  secrets:
    - parameter: personalAccessToken
      name: pat
```
Replies: 2 comments 2 replies
-
Hello,
No, KEDA doesn't modify your definition, so you have to include all the envs that your workload uses (you can mount Key Vault secrets as envs using tools like the secrets CSI driver).
-
I have been working with @haithamshahin333 on this. It appears that KEDA is launching the container before the CSI driver loads and thus the env declaration says the env does not load. Is there a way to instruct KEDA to wait for the CSI driver?
KEDA just creates the job, so nothing to do on the KEDA side. I have a setup where KEDA spins up jobs with the CSI secret driver, and it should work given that the CSI secret driver handles the process to inject the volume with the secret in the pod.
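
The setup the replies describe, as an added example that is not from the thread or the KEDA project: the TriggerAuthentication's personalAccessToken is used only by KEDA to query the agent pool, so the job template has to declare AZP_TOKEN itself, here from a Secret synced by the Secrets Store CSI driver. Assumptions: a SecretProviderClass named `azp-pat` already exists and its `secretObjects` section syncs the Key Vault secret `pat` into a Kubernetes Secret `azp-pat-synced` under key `AZP_TOKEN`; the `AZP_URL` variable, the resource names and every value in angle brackets are placeholders.

```yaml
# Added example. Resource names (azp-agent, azp-pat, azp-pat-synced) and
# <angle-bracket> values are hypothetical placeholders.
apiVersion: keda.sh/v1alpha1
kind: ScaledJob
metadata:
  name: azp-agent
spec:
  jobTargetRef:
    template:
      spec:
        restartPolicy: Never
        containers:
          - name: agent
            image: <agent-image>
            env:
              - name: AZP_URL              # assumed to be read by the agent image
                value: <organization-url>
              - name: AZP_TOKEN            # KEDA does not inject this; the job declares it
                valueFrom:
                  secretKeyRef:
                    name: azp-pat-synced   # Secret created by the CSI driver's sync
                    key: AZP_TOKEN
            volumeMounts:
              - name: kv                   # the synced Secret only exists once a pod mounts this volume
                mountPath: /mnt/kv
                readOnly: true
        volumes:
          - name: kv
            csi:
              driver: secrets-store.csi.k8s.io
              readOnly: true
              volumeAttributes:
                secretProviderClass: azp-pat
  triggers:
    - type: azure-pipelines
      metadata:
        poolID: "<pool-id>"
        organizationURLFromEnv: AZP_URL
      authenticationRef:
        name: <trigger-authentication-name>   # the Key Vault TriggerAuthentication; used by KEDA only
```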