Issue with KeyVault reference in ARM template - azure

I am trying to create a master key vault, which will contain all certificates to authenticate as a certain user.
I have 2 service principals => One for my app, One for deployment.
The idea is that the deploy service principal gets access to the Key Vault and adds the certificate located there to the Store of the web applications.
I have created the service principal and I have given it all permissions on the key vault. Also I have enabled access to secrets in ARM templates for that key vault.
Using PowerShell I am able to log in as the deploying SP and retrieve the secret (certificate).
However, this does not work when deploying the ARM template with a reference to the key vault. I get the following error:
New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{
"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
"Target": null,
"Details": [
{
"Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
},
My ARM template looks like this:
{
  "type":"Microsoft.Web/certificates",
  "name":"test-certificate",
  "apiVersion":"2016-03-01",
  "location":"[resourceGroup().location]",
  "properties":{
    "keyVaultId":"[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
    "keyVaultSecretName":"kv-certificate-test",
    "serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
  }
},
Is this a bug? Because I am able to retrieve the certificate using the Deploy SP with:
$key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"
This is my ARM template: (note, the Key vault lives in another resource group than the resources in the ARM template)
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
    {
      "type":"Microsoft.Web/certificates",
      "name":"test-certificate",
      "apiVersion":"2016-03-01",
      "location":"[resourceGroup().location]",
      "properties":{
        "keyVaultId":"/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
        "keyVaultSecretName":"testcert",
        "serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
      }
    },
    {
      "name": "wa-test1",
      "type": "Microsoft.Web/sites",
      "location": "[resourceGroup().location]",
      "apiVersion": "2016-08-01",
      "dependsOn": [
        "[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
      ],
      "tags": {
        "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
        "displayName": "wa-test1"
      },
      "properties": {
        "name": "wa-test1",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
      }
    },
    {
      "name": "asp-test",
      "type": "Microsoft.Web/serverfarms",
      "location": "[resourceGroup().location]",
      "apiVersion": "2014-06-01",
      "dependsOn": [],
      "tags": {
        "displayName": "appServicePlan"
      },
      "properties": {
        "name": "asp-test",
        "sku": "Free",
        "workerSize": "Small",
        "numberOfWorkers": 1
      }
    }
  ]
}

I believe you are missing a permission for a Resource Provider to access Key Vault. The Web App uses its own Resource Provider to do that, so you need to grant that RP access to the key vault:
Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
-ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd
Reference:
https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html

I tried all the answers but they didn't work. Here's what worked for me: setting the access permissions for the two service principals on the key vault.
Read more here:
https://devsdaily.com/key-vault-failed-to-sync-the-certificate-the-service-does-not-have-access-to-key-vault/

I was not able to add the policies through the Set-AzureRmKeyVaultAccessPolicy command due to an error in the console.
I was however able to resolve the issue through the Azure web interface by opening the Key Vault's Access Control (IAM) and adding the Key Vault Reader and Key Vault Secrets User roles to Microsoft.Azure.Websites.
I wrote the same answer here as well.

Related

Add keys to an existing keyvault in azure using ARM template

Please, I am getting the below error message upon sending the below ARM template to Azure. What I am trying to do is to add a key to an existing key vault on Azure (under my subscription). The namespace provisioning should be in charge of storing the key in the Key Vault.
Error:
05:12:00 "error": {
05:12:00 "message": "Encryption properties cannot be specified on creation of a namespace. They must be specified in a subsequent update. CorrelationId: dd69feae-5ba9-4c7e-9599-673493d31748",
05:12:00 "code": "BadRequest"
05:12:00 }
Request body:
"resources": [
  {
    "type": "Microsoft.EventHub/namespaces",
    "apiVersion": "2018-01-01-preview",
    "name": "[variables('eventHubNamespaceName')]",
    "location": "[parameters('location')]",
    "identity":{
      "type":"SystemAssigned"
    },
    "sku": {
      "name": "[parameters('eventHubSku')]",
      "tier": "[parameters('eventHubSku')]",
      "capacity": 1
    },
    "properties": {
      "isAutoInflateEnabled": false,
      "maximumThroughputUnits": 0,
      "clusterArmId":"[resourceId('Microsoft.EventHub/clusters', parameters('eventHubName'))]",
      "encryption":{
        "keySource":"Microsoft.KeyVault",
        "keyVaultProperties":[
          {
            "keyName":"[variables('eventHubNamespaceName')]",
            "keyVaultUri":"[parameters('keyVaultUri')]"
          }
        ]
      }
    }
  },
  {
    "type": "Microsoft.EventHub/namespaces/eventhubs",
    "apiVersion": "2017-04-01",
    "name": "[concat(variables('eventHubNamespaceName'), '/', variables('eventHubName'))]",
    "location": "[parameters('location')]",
    "dependsOn": [
      "[resourceId('Microsoft.EventHub/namespaces', variables('eventHubNamespaceName'))]"
    ],
    "properties": {
      "messageRetentionInDays": "[parameters('messageRetentionInDays')]",
      "partitionCount": "[parameters('partition_count')]"
    }
  }
]
It seems like you're trying to provision the Event Hub namespace and also set encryption properties in the same ARM template at the same time. Hence the error.
I would suggest performing these tasks in the following order:
First, create an Event Hubs namespace with a managed service identity.
Next, create a Key vault and grant the service identity access to the Key vault.
And then, update the Event Hubs namespace with the Key vault information (key/value).
A more detailed walkthrough is given in the Event Hubs documentation for the same.

Azure Pipeline Key vault issue while creating DevTest Labs VM

I want to create an Azure DevTest Labs VM via a pipeline process. However, when I start to deploy, it fails on the step "Create Azure DevTest Lab VM" and it seems to be caused by my key vault being missing. But after checking my key vault, my secret is stored in it and there should be no problem with the permission.
I am not sure what the message "A secret store was not set up for the user." means; does it mean that there's a problem with the association between my account and the key vault? How can I verify this? Thanks.
Agent job: Create DevTest Labs VM
Win7entx64.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "newVMName": {
      "defaultValue": "win7entx64",
      "type": "String"
    },
    "labName": {
      "defaultValue": "my_lab",
      "type": "String"
    },
    "size": {
      "defaultValue": "Standard_A3",
      "type": "String"
    },
    "userName": {
      "defaultValue": "trendkj",
      "type": "String"
    },
    "password": {
      "type": "securestring",
      "defaultValue": "[[[VmPassword]]"
    }
  },
  "variables": {
    "labSubnetName": "[concat(variables('labVirtualNetworkName'), 'Subnet')]",
    "labVirtualNetworkId": "[resourceId('Microsoft.DevTestLab/labs/virtualnetworks', parameters('labName'), variables('labVirtualNetworkName'))]",
    "labVirtualNetworkName": "[concat('Dtl', parameters('labName'))]",
    "vmId": "[resourceId ('Microsoft.DevTestLab/labs/virtualmachines', parameters('labName'), parameters('newVMName'))]",
    "vmName": "[concat(parameters('labName'), '/', parameters('newVMName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.DevTestLab/labs/virtualmachines",
      "apiVersion": "2018-10-15-preview",
      "name": "[variables('vmName')]",
      "location": "westus",
      "properties": {
        "labVirtualNetworkId": "[variables('labVirtualNetworkId')]",
        "notes": "Windows 7 Enterprise",
        "galleryImageReference": {
          "offer": "windows-7",
          "publisher": "microsoftwindowsdesktop",
          "sku": "win7-enterprise",
          "osType": "Windows",
          "version": "latest"
        },
        "size": "[parameters('size')]",
        "userName": "[parameters('userName')]",
        "password": "[parameters('password')]",
        "isAuthenticationWithSshKey": false,
        "labSubnetName": "[variables('labSubnetName')]",
        "disallowPublicIpAddress": true,
        "storageType": "Standard",
        "allowClaim": false
      }
    }
  ],
  "outputs": {
    "labVMId": {
      "type": "String",
      "value": "[variables('vmId')]"
    }
  }
}
My secret in the Key Vault:
My Access Policy in the Key Vault
According to your reference to the key vault in the ARM template, "defaultValue": "[[[VmPassword]]", you should use the secret saved in DevTest Lab. Page as shown below.
If you want to use the secret in the Key vault page as shown in the question, the reference in the arm template should be as follows:
"sqlAdministratorLoginPassword": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/25abd97b-44a3-4092-8337-xxxx/resourceGroups/mykeyvault/providers/Microsoft.KeyVault/vaults/cmkvtest"
    },
    "secretName": "sqlpassword"
  }
}
About this, please refer to "3.ADD KEY VAULT SECRETS TO YOU ARM TEMPLATES" part of this artifact.
It has been a while since this was posted.
I am facing the same issue. The secret that you are setting in the DevTest Lab is only visible to the user creating it.
The API gives more insight about the secret. Getting the secret is done with the following:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DevTestLab/labs/{labName}/users/{userName}/secrets/{name}?api-version=2018-09-15
As you see, there is also the username in the path.
So if you have UserA and UserB, and UserA sets a secret in the DTL lab, when UserB goes to My secrets he will not see the secret of UserA. He can even create a secret with the same name with a different value.
It is a shame that you cannot have common secrets for all the users in a DevTest Lab (maybe there is a way but I did not find it yet).
In other words, you need to log in to the DTL with the user defined in the Azure connection from Azure DevOps and create the secret manually. Or create it from the pipeline under his context.
Reference:
https://learn.microsoft.com/en-us/rest/api/dtl/secrets/get
https://learn.microsoft.com/en-us/rest/api/dtl/secrets/create-or-update
Are you missing a ']'?
[[[VmPassword]] --> [[[VmPassword]]]

Failed to edit Key Vault API connection

I am using Azure Key Vault connector in the logic apps and for deploying the logic apps using ARM templates.
In the ARM templates I have added the Microsoft.Web/connections resource to include Key Vault API connection.
The API Connection gets successfully deployed, but when I open it on the portal to Authorize it I get an error :- "Failed to edit Api connection "keyvault"".
The resource template of the key vault looks like below :-
{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[parameters('connections_keyvault_name')]",
  "location": "[parameters('location')]",
  "properties": {
    "api": {
      "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/', parameters('connections_keyvault_name'))]"
    },
    "displayName": "",
    "customParameterValues": {}
  }
}
The status of the API connection after deployment always shows "Error". However, I am using office365 API connection as well which works fine after deployment i.e. when I authorize it, it allows me to save it.
Can anyone please help me with this issue? This is blocking us from moving this logic app to production.
Thanks,
Archana Kolte
You have to add the key vault name to connect to by setting the vaultName property under properties.parameterValues.
Also, the end of the properties.api.id is the same for all Key Vault API Connections and should be /managedApis/keyvault.
Your ARM template would look something like this:
{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[parameters('connections_keyvault_name')]",
  "location": "[parameters('location')]",
  "properties": {
    "api": {
      "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/keyvault')]"
    },
    "displayName": "",
    "parameterValues": {
      "vaultName": "<name-of-your-key-vault>"
    }
  }
}

How to grant VM access to Key Vault in the same ARM template

I'm attempting to create an ARM-template capable of provisioning a VM AND a Key Vault. The VM identity is set to type "SystemAssigned". See code snippet below:
...
"name": "[variables('VM1')]",
"type": "Microsoft.Compute/virtualMachines",
"identity": {
"type": "SystemAssigned"
},
"apiVersion": "2019-07-01",
...
I want to be able to give the VM permissions to access the secrets in the Vault. For this I need to retrieve the tenantID and ObjectID for accessPolicies. For the tenantID I'm using:
"tenantId": "[subscription().tenantId]",
Is there a similar way to reference the ObjectID for a VM that is being created in the same template?
Thanks!
You need to use a reference to get to the Managed Service Identity's object id (Principal Id) of the VM to assign access to KeyVault. See the documentation here.
I see KeyVault wants the TenantID and the Object ID.
The tenant you should already have in the template
"tenantId": "[subscription().tenantId]"
and the ObjectID is the PrincipalId as shown in the docs linked and example below.
{
  "apiVersion": "2017-09-01",
  "type": "Microsoft.Authorization/roleAssignments",
  "name": "[parameters('rbacGuid')]",
  "properties": {
    "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
    "principalId": "[reference(variables('vmResourceId'), '2017-12-01', 'Full').identity.principalId]",
    "scope": "[resourceGroup().id]"
  },
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
  ]
}
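The same `reference(..., 'Full').identity.principalId` lookup applied to what the question actually asked for, the vault's own accessPolicies, as an added example that is not from the question or the answer. It assumes the VM variable `VM1` from the question, a `keyVaultName` parameter, and that Resource Manager accepts `//` comments in template JSON.

```json
{
  // Added example: the vault is created after the VM so the VM identity's ObjectID can be read.
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2019-09-01",
  "name": "[parameters('keyVaultName')]",
  "location": "[resourceGroup().location]",
  "dependsOn": [ "[resourceId('Microsoft.Compute/virtualMachines', variables('VM1'))]" ],
  "properties": {
    "tenantId": "[subscription().tenantId]",
    "sku": { "family": "A", "name": "standard" },
    "enableSoftDelete": true,
    "accessPolicies": [
      {
        "tenantId": "[subscription().tenantId]",
        // 'Full' exposes the identity block, which sits outside the VM's properties.
        "objectId": "[reference(resourceId('Microsoft.Compute/virtualMachines', variables('VM1')), '2019-07-01', 'Full').identity.principalId]",
        // Least privilege: the VM only needs to read secrets, not list or manage them.
        "permissions": { "secrets": [ "get" ] }
      }
    ]
  }
}
```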

Deploy azure key vault secret using arm template gives error

I want to create secret in my key vault using arm template. But I am getting the following error
Note: The key vault is already created, so it's not needed in the ARM template.
My resource to create this looks like below
"resources": [
  {
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "[concat(parameters('azure_keyvault_name'), '/', parameters('secrets_test_name'))]",
    "apiVersion": "2016-10-01",
    "location": "centralus",
    "scale": null,
    "properties": {
      "attributes": {
        "enabled": true
      }
    },
    "dependsOn": []
  }
]
I get error: "Can not perform requested operation on nested resource. Parent resource 'azure_keyvault_name' not found."
But I don't need the parent resource as it's already created.
What am I doing wrong?
Thanks
The problem was I was deploying the ARM template to a resource group which is different from the one which has the key vault.
