1
votes

I am trying to install certificate from a KeyVault under a different subscription.

Currently my VMSS and KeyVault are under same subscription. I want to add one more certificate from a KeyVault which is located in a different subscription.

Below is the part of the VMSS resource template where I am trying to add the certificate secret URL.

"secrets": [
  {
    "sourceVault": {
      "id": "/subscriptions/xxxx/resourceGroups/resgroupname/providers/Microsoft.KeyVault/vaults/KV1"
    },
    "vaultCertificates": [
      {
        "certificateUrl": "certificate1 secret URL",
        "certificateStore": "My"
      }
    ]
  },
  {
    "sourceVault": {
      "id": "/subscriptions/yyyy/resourceGroups/resgroupname/providers/Microsoft.KeyVault/vaults/KV2"
    },
    "vaultCertificates": [
      {
        "certificateUrl": "certificate2 secret URL",
        "certificateStore": "My"
      }
    ]
  }
]

While updating I am getting the below error.

{
  "error": {
    "code": "InvalidParameter",
    "message": "The SubscriptionId:\"xxxx\" of the request must match the SubscriptionId \"yyyy\" contained in the Key Vault Id.",
    "target": "sourceVault.id"
  }
}

My VMSS is under subscription xxxx and Managed Identity is enabled and the resource ID is added in the access policy of the Key Vault which is in different subscription. Is it possible to achieve this? Please let me know if I can add more details.

1
I have encountered the same problem in the past. The documentation indicates it is possible to reference a Key Vault in a different subscription, but it wouldn't work for me. Others have reported the same: github.com/MicrosoftDocs/azure-docs/issues/7650 - Stringfellow
Does this answer your question? Scale set using keyvault in another region - Stringfellow

1 Answer

0
votes

No, not according to another question and answer I found. https://stackoverflow.com/a/39778536/2778027

The response appears to be from someone at Microsoft Azure.
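The error above is a hard Resource Manager validation: the subscription in each `sourceVault.id` must be the subscription the scale set is deployed into, regardless of what access policies or managed identities have been granted on the vault. A cheap way to avoid discovering this at deployment time is a pre-flight lint over the template. The script below is an added example written for this page, not code from the question, the answer, or any Azure tooling. It assumes the standard ARM resource ID shape for a Key Vault (`/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>`), the VMSS property path `properties.virtualMachineProfile.osProfile.secrets`, and that a `certificateUrl` is an HTTPS Key Vault secret URL whose first host label is the vault name; the sample template, subscription IDs `xxxx`/`yyyy` and secret URLs are constructed to mirror the question.

```python
import re
from urllib.parse import urlparse

# ARM resource ID of a Key Vault. Subscription IDs are compared case-insensitively
# because Azure treats GUIDs that way.
VAULT_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)$",
    re.IGNORECASE,
)


def parse_vault_id(resource_id):
    """Split a Key Vault resource ID into (subscription, resourceGroup, vaultName)."""
    m = VAULT_ID_RE.match(resource_id or "")
    if not m:
        raise ValueError(f"not a Key Vault resource id: {resource_id!r}")
    return m.group("sub"), m.group("rg"), m.group("vault")


def check_secrets(vmss_subscription, secrets):
    """Return a list of problems for one osProfile.secrets array (empty list = clean)."""
    problems = []
    for i, entry in enumerate(secrets):
        try:
            sub, _rg, vault = parse_vault_id(entry.get("sourceVault", {}).get("id"))
        except ValueError as exc:
            problems.append(f"secrets[{i}]: {exc}")
            continue
        # The check the question's deployment failed on: vault and VMSS must share a subscription.
        if sub.lower() != vmss_subscription.lower():
            problems.append(
                f"secrets[{i}]: sourceVault {vault} is in subscription {sub} but the scale "
                f"set is deployed into {vmss_subscription}; ARM rejects this with InvalidParameter"
            )
        for j, cert in enumerate(entry.get("vaultCertificates", [])):
            url = cert.get("certificateUrl", "")
            u = urlparse(url)
            host_label = u.netloc.split(".")[0].lower()
            # Assumption: a certificate is referenced by its *secret* URL in the same vault,
            # e.g. https://<vault>.vault.azure.net/secrets/<name>/<version>.
            if u.scheme != "https" or host_label != vault.lower() or not u.path.startswith("/secrets/"):
                problems.append(
                    f"secrets[{i}].vaultCertificates[{j}]: {url!r} is not an https secret "
                    f"URL in vault {vault}"
                )
    return problems


def check_template(template, deployment_subscription):
    """Walk every VMSS resource in an ARM template and lint its osProfile.secrets."""
    problems = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.compute/virtualmachinescalesets":
            continue
        secrets = (res.get("properties", {}).get("virtualMachineProfile", {})
                   .get("osProfile", {}).get("secrets", []))
        problems.extend(f"{res.get('name')}: {p}"
                        for p in check_secrets(deployment_subscription, secrets))
    return problems


# Constructed sample mirroring the question: KV1 lives in xxxx, KV2 in yyyy, and the
# scale set is deployed into xxxx. Secret URLs and versions are made-up placeholders.
SAMPLE_TEMPLATE = {
    "resources": [{
        "type": "Microsoft.Compute/virtualMachineScaleSets",
        "name": "vmss1",
        "properties": {"virtualMachineProfile": {"osProfile": {"secrets": [
            {"sourceVault": {"id": "/subscriptions/xxxx/resourceGroups/resgroupname"
                                   "/providers/Microsoft.KeyVault/vaults/KV1"},
             "vaultCertificates": [{"certificateUrl": "https://kv1.vault.azure.net/secrets/certificate1/0123456789abcdef",
                                    "certificateStore": "My"}]},
            {"sourceVault": {"id": "/subscriptions/yyyy/resourceGroups/resgroupname"
                                   "/providers/Microsoft.KeyVault/vaults/KV2"},
             "vaultCertificates": [{"certificateUrl": "https://kv2.vault.azure.net/secrets/certificate2/0123456789abcdef",
                                    "certificateStore": "My"}]},
        ]}}},
    }]
}

if __name__ == "__main__":
    for problem in check_template(SAMPLE_TEMPLATE, "xxxx"):
        print("FAIL:", problem)
```

Run against the sample it reports exactly the second secret (KV2 in `yyyy`), which is the entry the real deployment choked on. Because the subscription comparison is done on the resource ID string alone, the check needs no Azure credentials and can sit in CI before `az deployment group create`; it does not prove the certificate exists or that the VMSS identity can read it, only that the reference is one Resource Manager will accept.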