I am attempting to deploy an ARM template from Release Management that includes a 'Microsoft.Web/certificates' resource which references a certificate stored in a key vault. This works fine when the key vault exists in the same subscription as the resource group I am deploying to. When the key vault exists in a different subscription however, I receive the below error.
```
Resource Microsoft.Web/certificates 'cert name' failed with message '{
  "Code": "BadRequest",
  "Message": "The parameter Properties.KeyVaultId has an invalid value.",
  "Target": null,
  "Details": [
    {
      "Message": "The parameter Properties.KeyVaultId has an invalid value."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "Code": "BadRequest",
        "Message": "The parameter Properties.KeyVaultId has an invalid value.",
        "ExtendedCode": "51008",
        "MessageTemplate": "The parameter {0} has an invalid value.",
        "Parameters": [
          "Properties.KeyVaultId"
        ],
        "InnerErrors": null
      }
    }
  ],
  "Innererror": null
}'
```
The certificate resource is defined as below in my template.

```json
{
  "type": "Microsoft.Web/certificates",
  "name": "SomeName",
  "location": "East US 2",
  "apiVersion": "2016-03-01",
  "properties": {
    "keyVaultId": "/subscriptions/<subscriptionId>/resourceGroups/<vault resource group>/providers/Microsoft.KeyVault/vaults/<vault name>",
    "keyVaultSecretName": "SecretName"
  }
}
```
I am using the Azure Resource Group Deployment Task in VSTS to deploy the resource group. The task is configured to use an endpoint with a service principal that has the below permissions set in Azure:
- Key Vault Contributor role on the resource group containing the key vault.
- Get secret permissions on the key vault.
The Microsoft.Azure.WebSites principal was granted Get permissions on the key vault secrets.
The key vault also has the 'Enable access to Azure Resource Manager for template deployment' option enabled. The certificate was uploaded to the key vault using PowerShell, not via the portal.
Am I missing something here?
Thanks
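For comparison, here is an added example (not the poster's template, and not code from Microsoft) of the same `Microsoft.Web/certificates` resource with the vault reference built by the `resourceId()` template function instead of a hand-typed path. The four-argument form of `resourceId()` takes the subscription id and resource group of the vault, so the function emits the cross-subscription path in the exact shape Resource Manager expects and catches a typo in the segment names at template-validation time rather than at resource creation. The parameter names (`vaultSubscriptionId`, `vaultResourceGroup`, `vaultName`, `certificateSecretName`) are assumptions chosen for this illustration.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultSubscriptionId": {
      "type": "string",
      "metadata": { "description": "Subscription that contains the key vault (assumed parameter name)" }
    },
    "vaultResourceGroup": {
      "type": "string",
      "metadata": { "description": "Resource group that contains the key vault (assumed parameter name)" }
    },
    "vaultName": {
      "type": "string",
      "metadata": { "description": "Name of the key vault (assumed parameter name)" }
    },
    "certificateSecretName": {
      "type": "string",
      "metadata": { "description": "Name of the secret holding the certificate (assumed parameter name)" }
    }
  },
  "variables": {
    "keyVaultId": "[resourceId(parameters('vaultSubscriptionId'), parameters('vaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/certificates",
      "name": "SomeName",
      "location": "East US 2",
      "apiVersion": "2016-03-01",
      "properties": {
        "keyVaultId": "[variables('keyVaultId')]",
        "keyVaultSecretName": "[parameters('certificateSecretName')]"
      }
    }
  ],
  "outputs": {
    "resolvedKeyVaultId": {
      "type": "string",
      "value": "[variables('keyVaultId')]"
    }
  }
}
```

The `resolvedKeyVaultId` output echoes the path the deployment actually sent, which makes it easy to compare against the vault's real resource id in the other subscription when the `Properties.KeyVaultId` error comes back. Note that this only removes path-construction mistakes as a cause; the identity running the deployment and the App Service resource provider still need their own access to the vault, as the post describes.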