I am trying to deploy an ARM template from Release Management, which includes a Microsoft.Web/certificates resource that refers to a certificate stored in a Key Vault. This works great when the Key Vault exists in the same subscription as the resource group to which I am deploying. However, when the Key Vault exists in another subscription, I get the following error.
Resource Microsoft.Web/certificates 'Certificate Name' failed with message:

{
  "Code": "BadRequest",
  "Message": "The parameter Properties.KeyVaultId has an invalid value.",
  "Target": null,
  "Details": [
    { "Message": "The parameter Properties.KeyVaultId has an invalid value." },
    { "Code": "BadRequest" },
    {
      "ErrorEntity": {
        "Code": "BadRequest",
        "Message": "The parameter Properties.KeyVaultId has an invalid value.",
        "ExtendedCode": "51008",
        "MessageTemplate": "The parameter {0} has an invalid value.",
        "Parameters": [ "Properties.KeyVaultId" ],
        "InnerErrors": null
      }
    }
  ],
  "Innererror": null
}
The certificate resource is defined as below in my template.

{
  "type": "Microsoft.Web/certificates",
  "name": "SomeName",
  "location": "East US 2",
  "apiVersion": "2016-03-01",
  "properties": {
    "keyVaultId": "/subscriptions/<subscriptionId>/resourceGroups/<vault resource group>/providers/Microsoft.KeyVault/vaults/<vault name>",
    "keyVaultSecretName": "SecretName"
  }
}
I am using the Azure Resource Group Deployment task in VSTS to deploy the resource group. The task is configured to use a service endpoint backed by a service principal, which has the following permissions set in Azure:
- The Key Vault role on the resource group that contains the Key Vault.
- Get secret permissions on the Key Vault.
The Microsoft.Azure.WebSites principal was granted permission to access the secrets in the vault.
The Key Vault also has the option "Enable access to Azure Resource Manager for template deployment" turned on. The certificate was uploaded to the Key Vault using PowerShell, not through the portal.
Did I miss something?
Thanks
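As an added pre-deployment check (example code, not part of the question or of any Azure tooling), the following function parses the keyVaultId of a Microsoft.Web/certificates resource, reports a malformed resource ID, and flags when the vault lives in a different subscription than the one being deployed to. The regex for the vault resource ID and the sample subscription IDs are constructed assumptions.

```python
import re
from typing import Dict, List

# Assumed shape of a Key Vault resource ID (constructed for this check):
# /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>
KEYVAULT_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)$",
    re.IGNORECASE,
)


def check_certificate_resource(resource: Dict, deployment_subscription: str) -> List[str]:
    """Return findings for a Microsoft.Web/certificates ARM resource.

    An empty list means the keyVaultId is well-formed, names a secret, and the
    vault sits in the same subscription as the deployment.
    """
    findings: List[str] = []
    props = resource.get("properties", {})
    kv_id = props.get("keyVaultId", "")

    match = KEYVAULT_ID_RE.match(kv_id)
    if not match:
        # Unexpanded placeholders such as <subscriptionId> also land here.
        findings.append(f"keyVaultId is not a well-formed Key Vault resource ID: {kv_id!r}")
        return findings

    vault_sub = match.group("sub")
    if vault_sub.lower() != deployment_subscription.lower():
        findings.append(
            f"cross-subscription vault: keyVaultId is in {vault_sub} "
            f"but the deployment targets {deployment_subscription}"
        )

    if not props.get("keyVaultSecretName"):
        findings.append("keyVaultSecretName is missing")

    return findings


def build_resource(subscription: str, rg: str = "vault-rg", vault: str = "myvault") -> Dict:
    """Construct a sample certificate resource matching the template in the question."""
    return {
        "type": "Microsoft.Web/certificates",
        "name": "SomeName",
        "location": "East US 2",
        "apiVersion": "2016-03-01",
        "properties": {
            "keyVaultId": f"/subscriptions/{subscription}/resourceGroups/{rg}"
                          f"/providers/Microsoft.KeyVault/vaults/{vault}",
            "keyVaultSecretName": "SecretName",
        },
    }
```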