
I am attempting to deploy an ARM template from Release Management that includes a 'Microsoft.Web/certificates' resource which references a certificate stored in a key vault. This works fine when the key vault exists in the same subscription as the resource group I am deploying to. When the key vault exists in a different subscription however, I receive the below error.

Resource Microsoft.Web/certificates 'cert name' failed with message

    {
        "Code": "BadRequest",
        "Message": "The parameter Properties.KeyVaultId has an invalid value.",
        "Target": null,
        "Details": [
            {
                "Message": "The parameter Properties.KeyVaultId has an invalid value."
            },
            {
                "Code": "BadRequest"
            },
            {
                "ErrorEntity": {
                    "Code": "BadRequest",
                    "Message": "The parameter Properties.KeyVaultId has an invalid value.",
                    "ExtendedCode": "51008",
                    "MessageTemplate": "The parameter {0} has an invalid value.",
                    "Parameters": [
                        "Properties.KeyVaultId"
                    ],
                    "InnerErrors": null
                }
            }
        ],
        "Innererror": null
    }

The certificate resource is defined as below in my template.

    {
        "type": "Microsoft.Web/certificates",
        "name": "SomeName",
        "location": "East US 2",
        "apiVersion": "2016-03-01",
        "properties": {
            "keyVaultId": "/subscriptions/<subscriptionId>/resourceGroups/<vault resource group>/providers/Microsoft.KeyVault/vaults/<vault name>",
            "keyVaultSecretName": "SecretName"
        }
    }

I am using the Azure Resource Group Deployment Task in VSTS to deploy the resource group. The task is configured to use an endpoint with a service principal that has the below permissions set in Azure:

  • Key Vault Contributor role on the resource group containing the key vault.
  • Get secret permissions on the key vault.

The Microsoft.Azure.WebSites principal was granted Get permissions on the key vault secrets.

The key vault also has the 'Enable access to Azure Resource Manager for template deployment' option enabled. The certificate was uploaded to the key vault using PowerShell, not via the portal.

Am I missing something here?

Thanks

ogoodwin

2 Answers


I think I found the cause of this issue. Apparently, when a resource group has been created, you cannot change the secret name. If you do so, the error above will be thrown.

If you want to change the secret name, you need to delete the resource group and redeploy everything.

Have you been changing the secret name in the ARM template without removing the full resource group in the Azure portal?

Identity

I can confirm this, but we only had to remove the resource referencing the key vault secret. We were moving to a new vault, so the keyVaultId was different. Once we deleted the existing certificate that referenced key vault, we were able to deploy without issue. – ogoodwin Oct 09 '17 at 17:44

You can get this if you have referenced a certificate (secret) in keyvault on a previous deployment and the certificate has been removed or replaced in keyvault. The new deployment will fail with the above error (51008). An example could be if you have migrated a secret from another keyvault store.

This is not the same as versions of the same certificate. New versions will work fine.

Replace the secret with the original in keyvault or delete the secret and add a new one.

OutKa5t
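Added example, not part of the question or either answer: a pre-deployment check that turns what both answers describe into something a release pipeline can run before the ARM deployment. It compares each Microsoft.Web/certificates resource in the template with the certificate already deployed under the same name, flagging a changed keyVaultId or keyVaultSecretName (the two conditions behind error 51008 here) and a keyVaultId that is not shaped like a Key Vault resource id. The function names, the template and the "deployed" properties are constructed for this example; how the existing properties are fetched from Resource Manager is left to the caller.

```python
import re

# Expected shape of properties.keyVaultId (assumption: a syntactic check only).
KEYVAULT_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)$", re.IGNORECASE)

def parse_key_vault_id(key_vault_id):
    """Split a Key Vault resource id into subscription, resource group and vault."""
    m = KEYVAULT_ID_RE.match(key_vault_id or "")
    if not m:
        raise ValueError(f"not a Key Vault resource id: {key_vault_id!r}")
    return m.groupdict()

def preflight(template, deployed):
    """Compare each Microsoft.Web/certificates resource in `template` with the
    certificate of the same name already deployed (`deployed`: name -> current
    properties, {} for a fresh group). Returns (name, finding) pairs."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Web/certificates":
            continue
        name, props = res["name"], res.get("properties", {})
        try:
            parse_key_vault_id(props.get("keyVaultId"))
        except ValueError:
            findings.append((name, "invalid-keyVaultId"))
            continue
        old = deployed.get(name)
        if old is None:
            continue  # new certificate resource: nothing deployed to conflict with
        # Resource ids compare case-insensitively; secret names do not.
        if old.get("keyVaultId", "").lower() != props["keyVaultId"].lower():
            findings.append((name, "keyVaultId-changed"))
        if old.get("keyVaultSecretName") != props.get("keyVaultSecretName"):
            findings.append((name, "keyVaultSecretName-changed"))
    return findings

# Constructed sample: the template now points at a vault in another subscription.
OLD_VAULT = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/"
             "old-rg/providers/Microsoft.KeyVault/vaults/old-vault")
NEW_VAULT = ("/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/"
             "new-rg/providers/Microsoft.KeyVault/vaults/new-vault")
TEMPLATE = {"resources": [{"type": "Microsoft.Web/certificates", "name": "SomeName",
            "properties": {"keyVaultId": NEW_VAULT, "keyVaultSecretName": "SecretName"}}]}
DEPLOYED = {"SomeName": {"keyVaultId": OLD_VAULT, "keyVaultSecretName": "SecretName"}}

if __name__ == "__main__":
    print(preflight(TEMPLATE, DEPLOYED))  # [('SomeName', 'keyVaultId-changed')]
```

A non-empty result means the deployment would hit the condition the answers describe; the remediation they give is to delete the existing certificate resource (or the whole resource group) and redeploy.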