
I'm building a set of scripts and templates to create a Service Fabric cluster in Azure. I've got a script that creates a key vault and a self-signed certificate and successfully uploads it to the vault. Another script creates the cluster, but it's hitting an error at the point that the certs are linked to the VMs. The error from the New-AzureRmResourceGroupDeployment command is:

{
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "KeyVaultAccessForbidden",
        "message": "Key Vault https://VAULT-NAME.vault.azure.net/secrets/clusterCert/SECRET-ID either has not been enabled for deployment or the vault id provided, /subscriptions/SUBSCRIPTION-ID/resourceGroups/jg-sf/providers/Microsoft.KeyVault/vaults/VAULTNAME, does not match the Key Vault's true resource id."
      }
    ]
  }
}

VAULT-NAME, SUBSCRIPTION-ID and SECRET-ID are all correct. The key vault has been created with the parameter "enabledForTemplateDeployment": true, as evidenced in the following screenshot.

Key vault config screenshot

My scripts and templates can be seen in GitHub - https://github.com/goochjs/azure-testbed.

How do I diagnose the issue?

Thanks,

Jeremy.

Jeremy Gooch
  • I suspect it might have to do with the second part of that message - can you share the template? SF clusters are a little odd in that they ask for a resourceId and a uri and they have to match precisely. – bmoore-msft Dec 14 '17 at 03:49
  • Thanks for the reply. I've added a link to source code above (and here -> https://github.com/goochjs/azure-testbed) – Jeremy Gooch Dec 14 '17 at 11:13
  • See if you can deploy this template with your keyvault... that should tell you at least which is the source of the problem: https://github.com/Azure/azure-quickstart-templates/tree/master/service-fabric-cluster-ubuntu-5-node-1-nodetype – bmoore-msft Dec 15 '17 at 23:45
  • In my case I was missing those flags that the OP has provided in the screenshot – alamoot Mar 23 '22 at 18:05


How do you create the key vault? I use the following script to create the key vault and get the CertificateURL.

# Placeholder values (not part of the original answer); set these for your environment
$KeyVaultName       = "<vault-name>"
$ResourceGroup      = "<resource-group>"
$Location           = "westus"
$CertDNSName        = "<cluster-dns-name>"
$CertFileFullPath   = "C:\certs\clusterCert.pfx"
$Password           = "<pfx-password>"
$SecurePassword     = ConvertTo-SecureString -String $Password -AsPlainText -Force
$KeyVaultSecretName = "clusterCert"

#Creates the key vault; -EnabledForDeployment lets the cluster VMs retrieve the certificate from it
New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup -Location $Location -Sku standard -EnabledForDeployment

#Creates a new self-signed cert and exports a pfx cert to a directory on disk
$NewCert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName $CertDNSName
Export-PfxCertificate -FilePath $CertFileFullPath -Password $SecurePassword -Cert $NewCert
Import-PfxCertificate -FilePath $CertFileFullPath -Password $SecurePassword -CertStoreLocation Cert:\LocalMachine\My

#Reads the content of the certificate and converts it into the JSON format Key Vault expects for a pfx secret
$Bytes = [System.IO.File]::ReadAllBytes($CertFileFullPath)
$Base64 = [System.Convert]::ToBase64String($Bytes)

$JSONBlob = @{
    data = $Base64
    dataType = 'pfx'
    password = $Password
} | ConvertTo-Json

$ContentBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONBlob)
$Content = [System.Convert]::ToBase64String($ContentBytes)

#Converts the JSON content to a secure string
$SecretValue = ConvertTo-SecureString -String $Content -AsPlainText -Force

#Creates a new secret in Azure Key Vault
$NewSecret = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName -SecretValue $SecretValue -Verbose

#Writes out the information you need for creating a secure cluster
Write-Host
Write-Host "Resource Id: "$(Get-AzureRmKeyVault -VaultName $KeyVaultName).ResourceId
Write-Host "Secret URL : "$NewSecret.Id
Write-Host "Thumbprint : "$NewCert.Thumbprint

For more information about this, please refer to this blog.

I suggest you check your Resource Id format. The correct format is like /subscriptions/***************/resourceGroups/westus-mykeyvault/providers/Microsoft.KeyVault/vaults/shuisfsvault. You could create the SF cluster on the Azure Portal first.

If it still does not work, I suggest you check your key vault: have you given it enough permissions?

Key vault permissions screenshot

Note: For testing, you could give all permissions to the user.

Shui shengbao
  • Thanks for the reply. I've got a slightly different but comparable script for certificate and key vault creation, partly driven by being on Windows 7 so not all the cert creation goodies of Windows 10 are available. I've put the scripts and templates into GitHub -> https://github.com/goochjs/azure-testbed – Jeremy Gooch Dec 14 '17 at 11:15
  • You got it - it was the wrong format of the key vault's Resource Id. I was building it in code and it was referencing the wrong resource group within the path. Unfortunately, I'm now getting a different error (!) but this issue is resolved. – Jeremy Gooch Dec 14 '17 at 13:35
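As an added example (not code from the question, the answer or the linked repository), an offline check for the two causes named in the KeyVaultAccessForbidden message: it compares the sourceVault id and certificateUrl a template would submit against the vault's real ResourceId (the value the answer's script prints from Get-AzureRmKeyVault) and the vault's enabledForDeployment flag, reporting which id segment disagrees. The subscription, resource group, vault name and secret URL used below are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Shape of an ARM Key Vault resource id (the "correct format" from the answer).
VAULT_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)/resourceGroups/(?P<resourceGroup>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)$", re.IGNORECASE)
SECRET_HOST_SUFFIX = ".vault.azure.net"

def parse_vault_id(resource_id):
    """Split a Key Vault resource id into lower-cased segments; None if malformed."""
    m = VAULT_ID_RE.match(resource_id.rstrip("/"))
    return {k: v.lower() for k, v in m.groupdict().items()} if m else None

def vault_from_secret_url(url):
    """Vault name from https://{vault}.vault.azure.net/secrets/{name}/{version}; None if not one."""
    p = urlparse(url)
    host = p.netloc.lower()
    path = [s for s in p.path.split("/") if s]
    if p.scheme != "https" or not host.endswith(SECRET_HOST_SUFFIX) or len(path) < 2 or path[0] != "secrets":
        return None
    return host[: -len(SECRET_HOST_SUFFIX)]

def diagnose(template_vault_id, template_cert_url, true_vault_id, vault_properties):
    """List why a Service Fabric template's certificate reference would be rejected ([] = consistent).
    true_vault_id is the ResourceId reported for the vault; vault_properties is its 'properties' dict."""
    tpl, actual = parse_vault_id(template_vault_id), parse_vault_id(true_vault_id)
    if tpl is None:
        return ["sourceVault id is not a well-formed Key Vault resource id"]
    problems = []
    for seg in ("subscription", "resourceGroup", "vault"):
        if actual and tpl[seg] != actual[seg]:
            problems.append(f"{seg} in template ({tpl[seg]}) != actual vault ({actual[seg]})")
    url_vault = vault_from_secret_url(template_cert_url)
    if url_vault is None:
        problems.append("certificateUrl is not a Key Vault secret URL")
    elif url_vault != tpl["vault"]:
        problems.append(f"certificateUrl vault ({url_vault}) != sourceVault vault ({tpl['vault']})")
    # The VMSS installs the cert from the vault, which needs enabledForDeployment;
    # enabledForTemplateDeployment alone only covers reference() lookups inside templates.
    if not vault_properties.get("enabledForDeployment", False):
        problems.append("vault is not enabledForDeployment")
    return problems

if __name__ == "__main__":
    # Constructed ids mimicking the question: the template was built with the wrong resource group.
    true_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/jg-sf-kv/providers/Microsoft.KeyVault/vaults/jgvault"
    url = "https://jgvault.vault.azure.net/secrets/clusterCert/0123456789abcdef"
    print(diagnose(true_id.replace("jg-sf-kv", "jg-sf"), url, true_id, {"enabledForDeployment": True}))
```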