Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Error when deploying ARM template that includes certificate stored in key vault

I am attempting to deploy an ARM template from Release Management that includes a 'Microsoft.Web/certificates' resource which references a certificate stored in a key vault. This works fine when the key vault exists in the same subscription as the resource group I am deploying to. When the key vault exists in a different subscription however, I receive the below error.

Resource Microsoft.Web/certificates 'cert name' failed with message

{
    "Code": "BadRequest",
    "Message": "The parameter Properties.KeyVaultId has an invalid value.",
    "Target": null,
    "Details": [
    {
      "Message": "The parameter Properties.KeyVaultId has an invalid value."
    },
    {
      "Code": "BadRequest"
    },
    { 
      "ErrorEntity": {
        "Code": "BadRequest",
        "Message": "The parameter Properties.KeyVaultId has an invalid value.",
        "ExtendedCode": "51008",
        "MessageTemplate": "The parameter {0} has an invalid value.",
        "Parameters": [
          "Properties.KeyVaultId"
        ],
        "InnerErrors": null
      }
    }
    ], 
    "Innererror": null
}'

The certificate resource is defined as below in my template.

    {
        "type":"Microsoft.Web/certificates",
        "name": "SomeName",
        "location": "East US 2",
        "apiVersion": "2016-03-01",
        "properties": {
            "keyVaultId": "/subscriptions/<subscriptionId>/resourceGroups/<vault resource group>/providers/Microsoft.KeyVault/vaults/<vault name>",
            "keyVaultSecretName": "SecretName"                
        }            
    }

I am using the Azure Resource Group Deployment Task in VSTS to deploy the resource group. The task is configured to use an endpoint with a service principal that has the below permissions set in Azure:

  • Key Vault Contributor Role on the resource group containing the key vault.
  • Get secret permissions on the key vault

The Microsoft.Azure.WebSites principal was granted Get permissions on the key vault secrets.

The key vault also has the 'Enable access to Azure Resource Manager for template deployment' option enabled. The certificate was uploaded to the key vault using powershell, not via the portal.

Am I missing something here?

Thanks

like image 202
ogoodwin Avatar asked Nov 30 '16 03:11

ogoodwin


2 Answers

I think I found the cause of this issue. Apparently, when a resource group has been created, you cannot change the secret name. If you do so, the error above will be thrown.

If you want to change the secret name, you need to delete the resource group and redeploy everything.

Have you been changing the secret name in the ARM template, without removing the full resource group in the azure portal?

like image 107
Identity Avatar answered Oct 24 '22 15:10

Identity


You can get this if you have referenced a certificate (secret) in keyvault on a previous deployment and the certificate has been removed or replaced in keyvault. The new deployment will fail with the above error(51008). An example could be if you have migrated a secret from another keyvault store.

This is not the same as versions of the same certificate. New versions will work fine.

Replace the secret with the original in keyvault or delete the secret and add a new one.

like image 25
OutKa5t Avatar answered Oct 24 '22 15:10

OutKa5t