I want to create an Azure DevTest labs VM via pipeline process . However, when I start to deploy, it fails on the step "Create Azure DevTest Lab VM" and it seems to be caused by my key vault is missing. But after check my key vault, my secret is store in it and should be no problem with the permission.
Not sure the message "A secret store was not set up for the user." means, does it mean that there's a problem with the association between my account and the key vault? How can I verify this? Thanks.
Agent job: Create DevTest Labs VM
Win7entx64.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"newVMName": {
"defaultValue": "win7entx64",
"type": "String"
},
"labName": {
"defaultValue": "my_lab",
"type": "String"
},
"size": {
"defaultValue": "Standard_A3",
"type": "String"
},
"userName": {
"defaultValue": "trendkj",
"type": "String"
},
"password": {
"type": "securestring",
"defaultValue": "[[[VmPassword]]"
}
},
"variables": {
"labSubnetName": "[concat(variables('labVirtualNetworkName'), 'Subnet')]",
"labVirtualNetworkId": "[resourceId('Microsoft.DevTestLab/labs/virtualnetworks', parameters('labName'), variables('labVirtualNetworkName'))]",
"labVirtualNetworkName": "[concat('Dtl', parameters('labName'))]",
"vmId": "[resourceId ('Microsoft.DevTestLab/labs/virtualmachines', parameters('labName'), parameters('newVMName'))]",
"vmName": "[concat(parameters('labName'), '/', parameters('newVMName'))]"
},
"resources": [
{
"type": "Microsoft.DevTestLab/labs/virtualmachines",
"apiVersion": "2018-10-15-preview",
"name": "[variables('vmName')]",
"location": "westus",
"properties": {
"labVirtualNetworkId": "[variables('labVirtualNetworkId')]",
"notes": "Windows 7 Enterprise",
"galleryImageReference": {
"offer": "windows-7",
"publisher": "microsoftwindowsdesktop",
"sku": "win7-enterprise",
"osType": "Windows",
"version": "latest"
},
"size": "[parameters('size')]",
"userName": "[parameters('userName')]",
"password": "[parameters('password')]",
"isAuthenticationWithSshKey": false,
"labSubnetName": "[variables('labSubnetName')]",
"disallowPublicIpAddress": true,
"storageType": "Standard",
"allowClaim": false
}
}
],
"outputs": {
"labVMId": {
"type": "String",
"value": "[variables('vmId')]"
}
}
}
My secret in the Key Vault:
My Access Policy in the Key Vault
According to your reference to key valut in arm template "defaultValue": "[[[VmPassword]]", you should use the secret saved in DevTest Lab. Page as shown below.
If you want to use the secret in the Key vault page as shown in the question, the reference in the arm template should be as follows:
"sqlAdministratorLoginPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/25abd97b-44a3-4092-8337-xxxx/resourceGroups/mykeyvault/providers/Microsoft.KeyVault/vaults/cmkvtest"
},
"secretName": "sqlpassword"
}
}
About this, please refer to "3.ADD KEY VAULT SECRETS TO YOU ARM TEMPLATES" part of this artifact.
It has been a time since this was posted.
I am facing the same issue. The secret that you are setting in the Devtest lab is only visible for the user creating it.
The api gets more insights abaot the secret. For getting the secret is the following:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DevTestLab/labs/{labName}/users/{userName}/secrets/{name}?api-version=2018-09-15
As you see there is also the username in the path.
So if you have UserA and UserB, UserA sets a secret in DTL lab, when UserB goes in My secrets it will not see the secret of UserA. He can even create a secret with the same name with a different value.
It is a shame that you can not have common secrets for all the users in a DevtestLab (maybe there is but i did not find it yet).
In other words you need to log in into the DTL with the user defined in the azure connection from Azure Devops and create the secret manually. Or create it from the pipeline under his context.
Reference:
https://learn.microsoft.com/en-us/rest/api/dtl/secrets/get
https://learn.microsoft.com/en-us/rest/api/dtl/secrets/create-or-update
Are you missing a ']'?
[[[VmPassword]] --> [[[VmPassword]]]
Related
ive been banging my head against the wall about this one as i cannot figure out how to get the StorageAccountName and Key to be passed to the template from a parameters file.
i am struggling to find any clear guide or examples of this...
what were trying to achieve is this.
we need Sophos AV to be installed as part of a VM deployment via the arm template.
when the storage account details are hardcoded into the template file the arm template works and sophos.ps1 (which holds the install stuff runs)
im very close to finishing a custom deployment script for us but im stuck on this thing as I dont want sensitive information like the storage account key hardcoded into the template.
the snippet of the template file below has the storageaccountname and key hardcoded into the template.
updated
added defaultvalue for storageAccountResourceGroupName
added storageAccountResourceGroupName to storageAccountName
updated storageAccountName
template.json
"parameters": {
"storageAccountResourceGroupName":{
"type": "string",
"defaultValue": "RSG2"
"storageAccountName": {
"type": "string",
"defaultValue": "filesstgacct"
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('virtualMachineName'), '/MyCustomScriptExtension')]",
"apiVersion": "2015-05-01-preview",
"location": "[parameters('location')]",
"dependsOn": [ "[concat('Microsoft.Compute/virtualMachines/',parameters('virtualMachineName'))]" ],
"tags": "[parameters('tags')]",
"properties": { "publisher": "Microsoft.Compute",
"type": "CustomScriptExtension", "typeHandlerVersion": "1.3", "autoUpgradeMinorVersion": true,
"settings": {
"fileUris": [ "https://storage-account-name.blob.core.windows.net/scripts/sophos.ps1"
]
},
"protectedSettings": {
"commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File sophos.ps1",
"storageAccountName": "[parameters('storageAccountName')]",
"storageAccountKey": "[listKeys(resourceid(parameters['storageAccountResourceGroupName'], 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]"
}
}
}
can the storageaccountname and key be stored in the parameters file?
if yes then how do i link the 2 together?
Yes. I believe the reason you're not able to read the value is because you're not specifying the parameters properly. Please try something like:
"parameters": {
"storageAccountName": {
"type": "string",
"defaultValue": "storage-account-name"
},
"storageAccountKey": {
"type": "string",
"defaultValue": "storage-account-key"
}
}
alternatively is it possible to refences the storage account key
directly from the template/parameter file meaning the key is never
hardcoded?
Actually this is the recommended way that you do not hardcode the storage account key in your template file. What you can do is fetch the key dynamically using listKeys template function. All you have to do is provide the complete resource id of your storage account and API version.
You would probably use something like:
"storageAccountKey": "[listKeys(resourceid(resourceGroup().name, 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]"
and ARM template processor will automatically fetch the account key for your storage account.
Please i am getting the below error message upon sending the below ARM template to azure. what i am trying to do is to add key to an existing key vault on azure (under by subscription). The namespace provisioning should be in charge of storing the key in the Key Vault
Error:
05:12:00 "error": {
05:12:00 "message": "Encryption properties cannot be specified on creation of a namespace. They must be specified in a subsequent update. CorrelationId: dd69feae-5ba9-4c7e-9599-673493d31748",
05:12:00 "code": "BadRequest"
05:12:00 }
Request body:
"resources": [
{
"type": "Microsoft.EventHub/namespaces",
"apiVersion": "2018-01-01-preview",
"name": "[variables('eventHubNamespaceName')]",
"location": "[parameters('location')]",
"identity":{
"type":"SystemAssigned"
},
"sku": {
"name": "[parameters('eventHubSku')]",
"tier": "[parameters('eventHubSku')]",
"capacity": 1
},
"properties": {
"isAutoInflateEnabled": false,
"maximumThroughputUnits": 0,
"clusterArmId":"[resourceId('Microsoft.EventHub/clusters', parameters('eventHubName'))]",
"encryption":{
"keySource":"Microsoft.KeyVault",
"keyVaultProperties":[
{
"keyName":"[variables('eventHubNamespaceName')]",
"keyVaultUri":"[parameters('keyVaultUri')]"
}
]
}
}
},
{
"type": "Microsoft.EventHub/namespaces/eventhubs",
"apiVersion": "2017-04-01",
"name": "[concat(variables('eventHubNamespaceName'), '/', variables('eventHubName'))]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.EventHub/namespaces', variables('eventHubNamespaceName'))]"
],
"properties": {
"messageRetentionInDays": "[parameters('messageRetentionInDays')]",
"partitionCount": "[parameters('partition_count')]"
}
}
]
It seems like you're trying to provision the Event Hub namespace and also set encryption properties in the same ARM template at the same time. Hence the error.
I would suggest performing these tasks in the following order:
First, create an Event Hubs namespace with a managed service identity.
Next, create a Key vault and grant the service identity access to the Key vault.
And then, update the Event Hubs namespace with the Key vault information (key/value).
A more detailed walkthrough is given in the Event Hubs documentation for the same.
I have two premium Service bus instances deployed manually through the azure portal. They don't have geo-recovery alias configured and the service bus instances have been operational for about a year.
Now, I'm trying automate the deployment process of these service bus instances and also add a georecovery alias resource to it as follows:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serviceBusNamespaceName": {
"type": "string",
"metadata": {
"description": "Name of the Service Bus namespace"
}
},
"serviceBusQueueName": {
"type": "string",
"metadata": {
"description": "Name of the Queue"
}
},
"serviceBusLocation": {
"type": "string"
},
"sku": {
"type": "object",
"defaultValue": "Standard"
},
"serviceBusTopicName": {
"type": "string"
},
"serviceBusSubscriptionName": {
"type": "string"
},
"isAliasEnabled": {
"type": "bool"
},
"isQueueCreationEnabled": {
"type": "bool"
},
"aliasName": {
"type": "string"
},
"partnerNamespace": {
"type": "string"
}
},
"variables": {
"defaultSASKeyName": "RootManageSharedAccessKey",
"authRuleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('serviceBusNamespaceName'), variables('defaultSASKeyName'))]",
"sbVersion": "2017-04-01"
},
"resources": [
{
"apiVersion": "2018-01-01-preview",
"name": "[parameters('serviceBusNamespaceName')]",
"type": "Microsoft.ServiceBus/Namespaces",
"location": "[parameters('serviceBusLocation')]",
"sku": {
"name": "[parameters('sku').name]",
"tier": "[parameters('sku').tier]",
"capacity": "[parameters('sku').capacity]"
},
"properties": {
"zoneRedundant": false
},
"resources": [
{
"apiVersion": "2017-04-01",
"name": "[parameters('aliasName')]",
"type": "disasterRecoveryConfigs",
"condition": "[parameters('isAliasEnabled')]",
"dependsOn": [
"[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]"
],
"properties": {
"partnerNamespace": "[parameters('partnerNamespace')]"
}
}
]
}
]
}
I'm using the same template to deploy the primary and secondary instances separately. Note that the disasterRecoveryConfigs resource will only be deployed when it's the primary instance.
This template successfully deploys the secondary namespace, but the primary namespace deployment fails with the following error:
Unable to freeze secondary namespace before creating pairing, this is
probably because secondary namespace is not empty.
Which is correct i.e. the secondary namespace has a couple of topics/subscriptions and queues already created. I don't want to delete them and just want to pair the primary and secondary namespaces.
How can this be done?
I had a similar issue with the Service Bus Geo-Recovery ARM Template. I read the exception closely; its state that the secondary namespace is not empty means we have to delete the topic and queue from the secondary namespace, then run the template again. It will work and create the topic and queue again based on the primary namespace.
But if you run the template a second time, you will get a different exception, which is that the secondary namespace cannot be updated (since it’s in geo-pairing). It’s strange, but by design, you cannot update the secondary namespace while it’s in Geo Pairing, and even if you remove Geo Pairing, your secondary namespace should be empty without any instances such as Topic, Queue, etc.
How to overcome this?
Lets consider, now I wanted to add the Topic or Queue in existing deployment by using the ARM template then, you will ran into the issue when your template is in the pipeline or anywhere and needs to run multiple times and update the existing primary namespace.
1. Quick Fix (one time only second time manually again you have to do the following steps)
Login to the Azure Portal
Go to the your primary Service bus Namespace
Click on the Geo-Recovery option under setting section
At the right hand side at the top find the option break pairing and
click on it.
It will break the pairing & if you not follow this step you will get the exception, Secondary Namespaces can not be updated
Next, delete the secondary Namespace instance or Namespace and run
the pipeline. it will work.
If you not follow above step then you will get error unable to freeze secondary Namespace.
The above is the one time fix, if you run template again you have to repeat above process manually again.
2. Automation using CI-CD DevOps Pipeline or CLI or PowerShell
The most of the time ARM templates runs in the pipeline and there is option to break the pairing using the Azure CLI or PowerShell. You should consider the adding two task in the YAML file
First Task, to break the Pairing
Azure CLI
az servicebus georecovery-alias break-pair --resource-group myresourcegroup --namespace-name primarynamespace --alias myaliasname
PowerShell
Set-AzureRmServiceBusGeoDRConfigurationBreakPair -ResourceGroupName $resourcegroup -Name $aliasname -Namespace $primarynamespace
Second Task, to delete the secondary namespace instances (topic,
Queue) or delete entire Namespace.
PowerShell
Remove-AzServiceBusNamespace -ResourceGroup Default-ServiceBus-WestUS -NamespaceName SB-Example1
To remove Topic or Queue instead of Namespace, refer the following documentation.
Azure Service Bus Management Common PowerShell commands
Also if you are running template locally, you can add small script or CLI command prior to run your template.
Does it affect on ConnectionString or Data after deleting Secondary Namespace or instances?
Its valid question, what will happens to the connection string or data since some clients are already using it, The answer is connection string wont be change if we delete the secondary namespace because in Geo recovery scenario we are supposed to be use alias connection string so there is no impact on existing customers.
Regarding the second question about the data, the answer is secondary namespace wont store any data it has only the meta data, meaning in the case of failover secondary namespace start working.
So during the deployment deleting secondary namespace instances or namespace wont impact on anything.
Is there any better option?
Might be you are thinking, why should I follow such a long process but the above problem because of the Geo Recovery design (service bus, event hub, event grid etc.) and there is no other option.
I hope Microsoft will come up with some better approach in the future.
If you try to create a pairing between a primary namespace with a private endpoint and a secondary namespace without a private endpoint, the pairing will fail.
You could refer to this template allows you to configure Service Bus Geo-disaster recovery alias.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serviceBusNamespaceNamePrimary": {
"type": "string",
"metadata": {
"description": "Name of Service Bus namespace"
}
},
"serviceBusNamespaceNameSecondary": {
"type": "string",
"metadata": {
"description": "Name of Service Bus namespace"
}
},
"aliasName": {
"type": "string",
"metadata": {
"description": "Name of Geo-Recovery Configuration Alias "
}
},
"locationSecondaryNamepsace": {
"type": "string",
"defaultValue": "South Central US",
"metadata": {
"description": "Location of Secondary namespace"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location of Primary namespace"
}
}
},
"variables": {
"defaultSASKeyName": "RootManageSharedAccessKey",
"defaultAuthRuleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('serviceBusNamespaceNamePrimary'), variables('defaultSASKeyName'))]"
},
"resources": [
{
"apiVersion": "2017-04-01",
"name": "[parameters('serviceBusNamespaceNameSecondary')]",
"type": "Microsoft.ServiceBus/Namespaces",
"location": "[parameters('locationSecondaryNamepsace')]",
"sku": {
"name": "Premium",
"tier": "Premium",
"capacity": 4
},
"tags": {
"tag1": "value1",
"tag2": "value2"
}
},
{
"apiVersion": "2017-04-01",
"type": "Microsoft.ServiceBus/Namespaces",
"dependsOn": [ "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceNameSecondary'))]" ],
"name": "[parameters('serviceBusNamespaceNamePrimary')]",
"location": "[parameters('location')]",
"sku": {
"name": "Premium",
"tier": "Premium",
"capacity": 4
},
"tags": {
"tag1": "value1",
"tag2": "value2"
},
"resources": [
{
"apiVersion": "2017-04-01",
"name": "[parameters('aliasName')]",
"type": "disasterRecoveryConfigs",
"dependsOn": [ "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceNamePrimary'))]" ],
"properties": {
"partnerNamespace": "[resourceId('Microsoft.ServiceBus/Namespaces', parameters('serviceBusNamespaceNameSecondary'))]"
}
}
]
}
],
"outputs": {
"NamespaceDefaultConnectionString": {
"type": "string",
"value": "[listkeys(variables('defaultAuthRuleResourceId'), '2017-04-01').primaryConnectionString]"
},
"DefaultSharedAccessPolicyPrimaryKey": {
"type": "string",
"value": "[listkeys(variables('defaultAuthRuleResourceId'), '2017-04-01').primaryKey]"
}
}
}
I am going to configure created azure VM (for example, install role, initialize new hdd disk etc). I see that there is a new feature Microsoft.Resources/deploymentScripts in azure ARM. As per documantation I created Managed Identity in my subscription, give Contributor permissions to newly created Managed Identity, on Subscription level. then I developed below ARM template using Microsoft.Resources/deploymentScripts feature. code pasted below. I want to paste this code into my ARM template for VM deployment.Question is if I will be able to use this approach to perform scripts like: installing role on the OS level, like IIS or WSUS, configure HDD etc...
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string",
"defaultValue": "'John Dole'"
},
"utcValue": {
"type": "string",
"defaultValue": "[utcNow()]"
}
},
"resources": [
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2019-10-01-preview",
"name": "runPowerShellInlineWithOutput",
"location": "westeurope",
"kind": "AzurePowerShell",
"identity": {
"type": "userAssigned",
"userAssignedIdentities": {
"/subscriptions/SubID/resourceGroups/RGname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MI-ARMdeployment": {}
}
},
"properties": {
"forceUpdateTag": "[parameters('utcValue')]",
"azPowerShellVersion": "3.0",
"scriptContent": "
$output = 'hello'
Write-Output $output",
"arguments": "",
"timeout": "PT1H",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
}
]
}
Well, yes (with some hacks), but its not meant for that. Its meant for provisioning\configuring Azure level resources, not things inside of the VM.
You have DSC extension and script extension for that (available for both windows\linux).
I am trying to create a master key vault, which will contain all certificates to authenticate as a certain user.
I have 2 service principals => One for my app, One for deployment.
The idea is that the deploy service principal gets access to the Key Vault and adds the certificate located there to the Store of the web applications.
I have created the service principal and I have given him all permissions on the key vault. Also I have enabled access secrets in ARM templates for that key vault.
Using powershell I am able to login as the Deploying SP and retrieving the secret (certificate).
However this does not work when deploying the ARM template with a reference to the key vault. I got the following error:
New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{
"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
"Target": null,
"Details": [
{
"Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
},
My ARM template looks like this:
{
"type":"Microsoft.Web/certificates",
"name":"test-certificate",
"apiVersion":"2016-03-01",
"location":"[resourceGroup().location]",
"properties":{
"keyVaultId":"[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
"keyVaultSecretName":"kv-certificate-test",
"serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
Is this a bug? Because I am able to retrieve the certificate using the Deploy SP with:
$key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"
This is my ARM template: (note, the Key vault lives in another resource group than the resources in the ARM template)
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type":"Microsoft.Web/certificates",
"name":"test-certificate",
"apiVersion":"2016-03-01",
"location":"[resourceGroup().location]",
"properties":{
"keyVaultId":"/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
"keyVaultSecretName":"testcert",
"serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
{
"name": "wa-test1",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
],
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
"displayName": "wa-test1"
},
"properties": {
"name": "wa-test1",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
{
"name": "asp-test",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"apiVersion": "2014-06-01",
"dependsOn": [],
"tags": {
"displayName": "appServicePlan"
},
"properties": {
"name": "asp-test",
"sku": "Free",
"workerSize": "Small",
"numberOfWorkers": 1
}
}
]
}
I believe you are missing a permission for a Resource Provider to access Key Vault, so the WebApp is using its own Resource Provider to do that, you need to grant that RP access to key vault:
Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
-ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd
Reference:
https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html
I tried all the answers but they didn't work. Here's what worked for me:
setting the access permissions for the two service principals on the key vault:
Read more here:
https://devsdaily.com/key-vault-failed-to-sync-the-certificate-the-service-does-not-have-access-to-key-vault/
I was not able to add the policies through the Set-AzureRmKeyVaultAccessPolicy command due to an error in the console.
I was however able to resolve the issue through the Azure Web Interface by opening the KeyVault Access Control(IAM) and adding Key Vault Reader and Key Vault Secrets User roles to Microsoft.Azure.Websites
I wrote the same answer here as well.