Error deploying an ARM template that includes a certificate stored in key store

I am trying to deploy an ARM template from Release Management, which includes a Microsoft.Web/certificates resource that refers to a certificate stored in a Key Vault. This works great when the Key Vault exists in the same subscription as the resource group to which I am deploying. However, when the Key Vault exists in another subscription, I get the following error.

Resource Microsoft.Web / Certificates Certificate Name with Message

  {
    "Code": "BadRequest",
    "Message": "The parameter Properties.KeyVaultId has an invalid value.",
    "Target": null,
    "Details": [
      { "Message": "The parameter Properties.KeyVaultId has an invalid value." },
      { "Code": "BadRequest" },
      {
        "ErrorEntity": {
          "Code": "BadRequest",
          "Message": "The parameter Properties.KeyVaultId has an invalid value.",
          "ExtendedCode": "51008",
          "MessageTemplate": "The parameter {0} has an invalid value.",
          "Parameters": [ "Properties.KeyVaultId" ],
          "InnerErrors": null
        }
      }
    ],
    "Innererror": null
  }

The certificate resource is defined in my template as follows.

  {
    "type": "Microsoft.Web/certificates",
    "name": "SomeName",
    "location": "East US 2",
    "apiVersion": "2016-03-01",
    "properties": {
      "keyVaultId": "/subscriptions/<subscriptionId>/resourceGroups/<vault resource group>/providers/Microsoft.KeyVault/vaults/<vault name>",
      "keyVaultSecretName": "SecretName"
    }
  }

I am using the Azure Resource Group Deployment task in VSTS to deploy the resource group. The task is configured to use a service endpoint backed by a service principal, which has the following permissions set in Azure:

  • The Key Vault role on the resource group that contains the Key Vault.
  • Get permission on secrets for the Key Vault.

The Microsoft.Azure.WebSites principal was granted permission to access the vault's secrets.

The Key Vault also has the option "Enable access to Azure Resource Manager for template deployment" turned on. The certificate was uploaded to the Key Vault using PowerShell, not through the portal.

Did I miss something?

thanks

+6
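A pre-deployment check, added here as an illustration and not part of the original post or of any Microsoft tooling: it parses the keyVaultId of a Microsoft.Web/certificates resource, verifies it is a well-formed Microsoft.KeyVault/vaults resource id, and flags the cross-subscription case the question describes before the deployment hits the API. The subscription id, resource group and vault name below are constructed placeholders, and treating a cross-subscription reference as a finding is a heuristic based on the symptom in the question, not a documented rule.

```python
import re

# Constructed sample resource, mirroring the question's template
# with hypothetical subscription id, resource group and vault name.
TEMPLATE_RESOURCE = {
    "type": "Microsoft.Web/certificates",
    "name": "SomeName",
    "location": "East US 2",
    "apiVersion": "2016-03-01",
    "properties": {
        "keyVaultId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                      "/resourceGroups/vault-rg/providers/Microsoft.KeyVault/vaults/my-vault",
        "keyVaultSecretName": "SecretName",
    },
}

# Shape of an ARM resource id for a Key Vault; the provider segment is the
# part most often wrong when the error says "Properties.KeyVaultId has an invalid value".
KEY_VAULT_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)$"
)


def check_certificate_resource(resource, deployment_subscription):
    """Return a list of findings (empty means nothing suspicious) for one
    Microsoft.Web/certificates resource deployed into deployment_subscription."""
    findings = []
    props = resource.get("properties", {})
    vault_id = props.get("keyVaultId", "")
    m = KEY_VAULT_ID.match(vault_id)
    if not m:
        findings.append("keyVaultId is not a well-formed Microsoft.KeyVault/vaults resource id")
        return findings
    # Heuristic: a vault in another subscription needs its own access grants
    # (service principal and Microsoft.Azure.WebSites) in that subscription.
    if m.group("sub").lower() != deployment_subscription.lower():
        findings.append(
            f"keyVaultId references subscription {m.group('sub')} but the deployment "
            f"targets {deployment_subscription}; verify vault access in the vault's subscription")
    if not props.get("keyVaultSecretName"):
        findings.append("keyVaultSecretName is missing or empty")
    return findings


if __name__ == "__main__":
    for line in check_certificate_resource(TEMPLATE_RESOURCE, "22222222-2222-2222-2222-222222222222"):
        print("finding:", line)
```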
1 answer

I think I found the cause of this problem. Apparently, when the resource group is created, you cannot change the secret name. If you do, an error will be thrown.

If you want to change the secret name, you need to delete the resource group and redeploy everything.

Did you change the secret name in the ARM template without deleting the entire resource group in the Azure portal?

0

Source: https://habr.com/ru/post/1012745/
