I am trying to create an Azure Service Fabric cluster using the PowerShell script described here: https://docs.microsoft.com/en-us/azure/service-fabric/scripts/service-fabric-powershell-create-secure-cluster-cert
The script creates everything (including the Key Vault) in one step by calling the New-AzureRmServiceFabricCluster command.
After setting the variables and running the script in PowerShell, I am getting this warning and then this exception:
WARNING: Access policy is not set. No user or application have access permission to use this vault. Please use Set-AzureRmKeyVaultAccessPolicy to set access policies.
New-AzureRmServiceFabricCluster : 10:00:24 AM - System.AggregateException: One or more errors occurred. --->
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.Azure.Commands.ServiceFabric.Commands.ServiceFabricClusterCertificateCmdlet.CreateSelfSignedCertificate(String subjectName, String
keyVaultUrl, String& thumbprint, CertificateBundle& certificateBundle, String& outputFilePath)
---> (Inner Exception #0) Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()<---
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmServiceFabricCluster], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster
New-AzureRmServiceFabricCluster : One or more errors occurred.
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmServiceFabricCluster], AggregateException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster
In the portal, when browsing the resource group, I can see that the Key Vault was actually created, but nothing else.
This is really strange, because I don't have a chance to set up the access policy before the Key Vault is created.
I tried creating the access policy on the created Key Vault and ran the script again, with the same error.
I am sure that I am the owner of the subscription and have all admin rights. Does anybody know what's going on here?
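The trace above fails inside KeyVaultClient.CreateCertificateWithHttpMessagesAsync, i.e. on the Key Vault data-plane call that creates the cluster certificate, and data-plane calls on an access-policy vault are authorized by the vault's access policy for the caller's object id and tenant, not by the subscription Owner RBAC role. The following PowerShell is an added diagnostic that is not part of the original post or of the Microsoft script: it shows what the created vault actually grants, grants the signed-in user the certificate permissions plus the deployment flag, and then performs a stand-alone certificate create so the Forbidden can be reproduced or ruled out without re-running New-AzureRmServiceFabricCluster. The resource group and vault names, and the 'accesscheck' certificate name, are placeholders (assumptions); substitute the values from your own script.

```powershell
# Added diagnostic (not from the original post). Placeholder values below are
# assumptions: replace them with the $resourceGroupName / $keyVaultName your script uses.
$resourceGroupName = 'sf-rg'          # assumption
$keyVaultName      = 'sf-keyvault'    # assumption: the vault the script created

# 1. Identity the cmdlets are actually running as. Key Vault access policies are
#    keyed on object id + tenant id, so a guest account or a context pointing at a
#    different tenant than the vault also yields 'Forbidden'.
$ctx = Get-AzureRmContext
"Signed in as $($ctx.Account.Id) in tenant $($ctx.Tenant.Id)"

# 2. What the vault grants today. An empty list matches the
#    'Access policy is not set' warning and explains the 403 on CreateCertificate.
$vault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
"Vault tenant: $($vault.TenantId)  EnabledForDeployment: $($vault.EnabledForDeployment)"
$vault.AccessPolicies |
    Select-Object DisplayName, ObjectId, TenantId, PermissionsToCertificates, PermissionsToSecrets |
    Format-Table -AutoSize

# 3. Grant the signed-in user the certificate permissions a self-signed cluster
#    certificate creation needs (create/get at minimum; list/import for later
#    inspection and for supplying an existing cert), and secret get/list/set so the
#    PFX can be read back. -EnabledForDeployment lets the Compute resource provider
#    pull the certificate onto the scale-set VMs; it is a separate parameter set,
#    hence the second call.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName `
    -UserPrincipalName $ctx.Account.Id `
    -PermissionsToCertificates get,list,create,import `
    -PermissionsToSecrets get,list,set
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName `
    -EnabledForDeployment

# 4. Reproduce the failing data-plane operation on its own. A 403 here means the
#    policy entry (object id or tenant) is still wrong; success means the vault is
#    no longer the cause and the problem lies elsewhere in the cluster creation.
$policy = New-AzureKeyVaultCertificatePolicy -SubjectName 'CN=accesscheck.example' `
    -IssuerName Self -ValidityInMonths 1
Add-AzureKeyVaultCertificate -VaultName $keyVaultName -Name 'accesscheck' -CertificatePolicy $policy

# Clean up the probe certificate so it does not linger in the vault.
Remove-AzureKeyVaultCertificate -VaultName $keyVaultName -Name 'accesscheck' -Force
```

Compare the TenantId of the access policy entry printed in step 2 with the tenant from Get-AzureRmContext; if they differ, the policy was set for a principal the current session does not represent, which also produces 'Forbidden' even though the Owner role is present on the subscription.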