Deploy azure key vault secret using arm template gives error - azure

I want to create a secret in my key vault using an ARM template, but I am getting the following error.
Note: The key vault is already created, so it's not needed in the ARM template.
My resource to create this looks like below:
"resources": [
  {
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "[concat(parameters('azure_keyvault_name'), '/', parameters('secrets_test_name'))]",
    "apiVersion": "2016-10-01",
    "location": "centralus",
    "scale": null,
    "properties": {
      "attributes": {
        "enabled": true
      }
    },
    "dependsOn": []
  }
]
I get error: "Can not perform requested operation on nested resource. Parent resource 'azure_keyvault_name' not found."
But I don't need the parent resource as it's already created.
What am I doing wrong?
Thanks

The problem was I was deploying the ARM template to a resource group which is different from the one which has the key vault.

Related

Add keys to an existing keyvault in azure using ARM template

Please, I am getting the below error message upon sending the below ARM template to Azure. What I am trying to do is to add a key to an existing key vault on Azure (under my subscription). The namespace provisioning should be in charge of storing the key in the Key Vault.
Error:
05:12:00 "error": {
05:12:00 "message": "Encryption properties cannot be specified on creation of a namespace. They must be specified in a subsequent update. CorrelationId: dd69feae-5ba9-4c7e-9599-673493d31748",
05:12:00 "code": "BadRequest"
05:12:00 }
Request body:
"resources": [
  {
    "type": "Microsoft.EventHub/namespaces",
    "apiVersion": "2018-01-01-preview",
    "name": "[variables('eventHubNamespaceName')]",
    "location": "[parameters('location')]",
    "identity": {
      "type": "SystemAssigned"
    },
    "sku": {
      "name": "[parameters('eventHubSku')]",
      "tier": "[parameters('eventHubSku')]",
      "capacity": 1
    },
    "properties": {
      "isAutoInflateEnabled": false,
      "maximumThroughputUnits": 0,
      "clusterArmId": "[resourceId('Microsoft.EventHub/clusters', parameters('eventHubName'))]",
      "encryption": {
        "keySource": "Microsoft.KeyVault",
        "keyVaultProperties": [
          {
            "keyName": "[variables('eventHubNamespaceName')]",
            "keyVaultUri": "[parameters('keyVaultUri')]"
          }
        ]
      }
    }
  },
  {
    "type": "Microsoft.EventHub/namespaces/eventhubs",
    "apiVersion": "2017-04-01",
    "name": "[concat(variables('eventHubNamespaceName'), '/', variables('eventHubName'))]",
    "location": "[parameters('location')]",
    "dependsOn": [
      "[resourceId('Microsoft.EventHub/namespaces', variables('eventHubNamespaceName'))]"
    ],
    "properties": {
      "messageRetentionInDays": "[parameters('messageRetentionInDays')]",
      "partitionCount": "[parameters('partition_count')]"
    }
  }
]
It seems like you're trying to provision the Event Hub namespace and also set encryption properties in the same ARM template at the same time. Hence the error.
I would suggest performing these tasks in the following order:
First, create an Event Hubs namespace with a managed service identity.
Next, create a Key vault and grant the service identity access to the Key vault.
And then, update the Event Hubs namespace with the Key vault information (key/value).
A more detailed walkthrough is given in the Event Hubs documentation for the same.

Deploying Azure ResourceGroup by template returns "not found"

I have an Azure template and am attempting to deploy two extra resource groups.
{
  "type": "Microsoft.Resources/resourceGroups",
  "apiVersion": "2019-08-01",
  "location": "eastus",
  "name": "[variables('galleryResourceGroupName')]",
  "properties": {}
},
{
  "type": "Microsoft.Resources/resourceGroups",
  "apiVersion": "2019-08-01",
  "location": "[resourceGroup().location]",
  "name": "[variables('tempResourceGroupName')]",
  "properties": {}
},
When I run this template, the result for these two resources is:
{
  "message": "No HTTP resource was found that matches the request URI 'https://management.azure.com/subscriptions/59b4b...9074/resourcegroups/rgMain/providers/Microsoft.Resources/resourceGroups/rgTemp?api-version=2019-08-01'."
}
NotFound
The docs say you can deploy a resourceGroup:
https://learn.microsoft.com/en-us/azure/templates/microsoft.resources/2019-08-01/resourcegroups
But it is not working...
Any ideas why?
This template is a subscription level template that creates a resource group. In this documentation you can find the ways to deploy this template.
From the URI you seem to be targeting another resource group. You can't create a resource group within another resource group. You need to target the subscription instead!
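A subscription-scoped version of the two resources, as an added example (not from the question or the answer): it uses the subscriptionDeploymentTemplate schema, so there is no resourceGroup() context to take a location from and the locations are supplied explicitly. The variable names are the question's; the group name rgGallery is a constructed value.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "eastus" }
  },
  "variables": {
    "galleryResourceGroupName": "rgGallery",
    "tempResourceGroupName": "rgTemp"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2019-08-01",
      "name": "[variables('galleryResourceGroupName')]",
      "location": "eastus",
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2019-08-01",
      "name": "[variables('tempResourceGroupName')]",
      "location": "[parameters('location')]",
      "properties": {}
    }
  ]
}
```

Deploy it at subscription scope, for example with az deployment sub create --location eastus --template-file resourcegroups.json; a deployment targeted at a resource group has no valid URI for this resource type, which is exactly the NotFound the question shows.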

Failed to edit Key Vault API connection

I am using Azure Key Vault connector in the logic apps and for deploying the logic apps using ARM templates.
In the ARM templates I have added the Microsoft.Web/connections resource to include Key Vault API connection.
The API Connection gets successfully deployed, but when I open it on the portal to authorize it I get an error: "Failed to edit Api connection "keyvault"".
The resource template of the key vault looks like below:
{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[parameters('connections_keyvault_name')]",
  "location": "[parameters('location')]",
  "properties": {
    "api": {
      "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/', parameters('connections_keyvault_name'))]"
    },
    "displayName": "",
    "customParameterValues": {}
  }
}
The status of the API connection after deployment always shows "Error". However, I am using office365 API connection as well which works fine after deployment i.e. when I authorize it, it allows me to save it.
Can anyone please help me with this issue? This is blocking us to move this logic app to production.
Thanks,
Archana Kolte
You have to add the key vault name to connect to by setting the vaultName property under properties.parameterValues.
Also, the end of the properties.api.id is the same for all Key Vault API Connections and should be /managedApis/keyvault.
Your ARM template would look something like this:
{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[parameters('connections_keyvault_name')]",
  "location": "[parameters('location')]",
  "properties": {
    "api": {
      "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/keyvault')]"
    },
    "displayName": "",
    "parameterValues": {
      "vaultName": "<name-of-your-key-vault>"
    }
  }
}

referencing a KeyVault secret in an ARM template fails with 'The resource is not defined in the template'

I am trying to create a KeyVault reference in the AppConfig section of an Azure web app.
The KeyVault reference references a secret which exists in a KeyVault which is part of a different resourcegroup and thus does not exist in the template.
According to the documentation of the reference() template function you should be able to reference a resource which is not part of the template as long as you provide the complete resourceId and the apiVersion.
But when I use that to reference the secret I keep getting a validation error which says:
Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'The resource 'Microsoft.KeyVault/vaults//secrets/' is not defined in the template.
I followed this guide for how to use KeyVault references in ARM templates.
The code below is a sample of a situation which does not work:
{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2016-08-01",
  "name": "[variables('webAppName')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]",
    "siteConfig": {
      "alwaysOn": true,
      "appSettings": [
        {
          "name": "<secretName>",
          "value": "[concat('#Microsoft.KeyVault(SecretUri=', reference(variables('secretResourceId')).secretUriWithVersion, ')')]"
        }
      ]
    }
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]"
  ]
}
The variable is defined like this:
"variables": {
  "secretResourceId": "[resourceId(subscription().subscriptionId, parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), 'secretName')]"
},
Is this something specific to references to KeyVault secrets?
As soon as I try the same but with a keyvault and secret inside the template it works perfectly fine.
The documentation for the reference function mentions that the second parameter to the function, apiVersion is required when the referring resource isn't provisioned within the same template.
So, instead of
reference(variables('secretResourceId')).secretUriWithVersion
something like this should work
reference(variables('secretResourceId'), '2018-02-14').secretUriWithVersion

Issue with KeyVault reference in ARM template

I am trying to create a master key vault, which will contain all certificates to authenticate as a certain user.
I have 2 service principals => One for my app, One for deployment.
The idea is that the deploy service principal gets access to the Key Vault and adds the certificate located there to the Store of the web applications.
I have created the service principal and I have given him all permissions on the key vault. Also I have enabled access secrets in ARM templates for that key vault.
Using PowerShell I am able to log in as the deploying SP and retrieve the secret (certificate).
However this does not work when deploying the ARM template with a reference to the key vault. I got the following error:
New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{
"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
"Target": null,
"Details": [
{
"Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
},
My ARM template looks like this:
{
  "type": "Microsoft.Web/certificates",
  "name": "test-certificate",
  "apiVersion": "2016-03-01",
  "location": "[resourceGroup().location]",
  "properties": {
    "keyVaultId": "[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
    "keyVaultSecretName": "kv-certificate-test",
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
  }
},
Is this a bug? Because I am able to retrieve the certificate using the Deploy SP with:
$key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"
This is my ARM template: (note, the Key vault lives in another resource group than the resources in the ARM template)
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Web/certificates",
      "name": "test-certificate",
      "apiVersion": "2016-03-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "keyVaultId": "/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
        "keyVaultSecretName": "testcert",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
      }
    },
    {
      "name": "wa-test1",
      "type": "Microsoft.Web/sites",
      "location": "[resourceGroup().location]",
      "apiVersion": "2016-08-01",
      "dependsOn": [
        "[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
      ],
      "tags": {
        "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
        "displayName": "wa-test1"
      },
      "properties": {
        "name": "wa-test1",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
      }
    },
    {
      "name": "asp-test",
      "type": "Microsoft.Web/serverfarms",
      "location": "[resourceGroup().location]",
      "apiVersion": "2014-06-01",
      "dependsOn": [],
      "tags": {
        "displayName": "appServicePlan"
      },
      "properties": {
        "name": "asp-test",
        "sku": "Free",
        "workerSize": "Small",
        "numberOfWorkers": 1
      }
    }
  ]
}
I believe you are missing a permission for a Resource Provider to access Key Vault. The WebApp is using its own Resource Provider to do that, so you need to grant that RP access to the key vault:
Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
-ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd
Reference:
https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html
I tried all the answers but they didn't work. Here's what worked for me:
Setting the access permissions for the two service principals on the key vault:
Read more here:
https://devsdaily.com/key-vault-failed-to-sync-the-certificate-the-service-does-not-have-access-to-key-vault/
I was not able to add the policies through the Set-AzureRmKeyVaultAccessPolicy command due to an error in the console.
I was however able to resolve the issue through the Azure Web Interface by opening the KeyVault Access Control (IAM) and adding the Key Vault Reader and Key Vault Secrets User roles to Microsoft.Azure.Websites.
I wrote the same answer here as well.