8

I am trying to add access policies to a Keyvault using ARM deployment. Multiple access policies are being deployed at the same time (using copy Arm method and nested templates), and some of them (not always the same ones when I retrigger the deployment) are failing with the following error:

{
  "error": {
    "code": "ConflictError",
    "message": "A conflict occurred to prevent the operation from completing."
  }
}

The error message is not really descriptive, is there any way to have more information about what went wrong?

abatishchev
  • 98,240
  • 88
  • 296
  • 433
Lucas
  • 1,171
  • 9
  • 21
  • Have you found a solution to this yet? I am running in to the same problem. I tried the debug options below and also got nothing meaningful out of the error messages. – JTester Jun 08 '19 at 23:32

5 Answers5

4

You also get the error message (A conflict occurred to prevent the operation from completing) if you are trying to create a key, into a KeyVault that have a deleted key with the same name (KeyVault has soft-delete turned on).

Rolf
  • 1,219
  • 2
  • 13
  • 23
3

During deployment, you can request that additional information is logged during a deployment. In powershell, set the DeploymentDebugLogLevel parameter to All.

New-AzResourceGroupDeployment `
  -Name exampledeployment `
  -ResourceGroupName examplegroup `
  -TemplateFile c:\Azure\Templates\storage.json `
  -DeploymentDebugLogLevel All

Then you can examine the request content or the response content.

(Get-AzResourceGroupDeploymentOperation `
-DeploymentName exampledeployment `
-ResourceGroupName examplegroup).Properties.response `
| ConvertTo-Json

For more details regarding troubleshoot deployment errors, you can refer to https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-common-deployment-errors

Tony Ju
  • 14,891
  • 3
  • 17
  • 31
  • 1
    Sorry for the delay to answer, I tried what you said but like @user2770499, the logs didn't reveal anything useful... – Lucas Apr 29 '19 at 21:37
  • @LucasGolven Were you ever able to get this figured out? I'm having the same issue. – Austin_G Jul 25 '19 at 12:54
3

I had the same error, I guess that it is because you are trying to modify the same item "key vault" in parallel. This change fixed my problem:

"mode": "serial"

"copy": {
    "name": "<name-of-loop>",
    "count": <number-of-iterations>,
    "mode": "serial" <or> "parallel"
}
Tom
  • 46
  • 3
  • I took another approach to fix my issue by bulking all the permissions in one resource, but I am almost certain that this approach would work too. – Lucas May 14 '20 at 20:44
1

I met the same issue. I am not sure what the root cause for this problem and it cannot be reproduced stably. But I guess that it may be because I create multiple access policies at the same time and actually this is a concurrent problem. Maybe you can try to add the access policies sequentially.

donnyxia
  • 136
  • 5
  • 1
    I was also facing similar issue. Changed Copy Loop Mode from 'Parallel' (which is default) to 'Serial' to fix the issue. – callee.args Jul 21 '19 at 14:23
1

I also run into this error while trying to deploy multiple Key Vaults simultaneously with access policies. Switching to sequential deployment didn't help in my case. The access policies are deployed as separate objects in the ARM template. I finally figured that I had forgot the dependency on the parent resource from the access policy:

"dependsOn": [
            "[resourceId('Microsoft.KeyVault/vaults', parameters('My_Key_Vault_name'))]"
        ]

Ah, the joy of notorious Microsoft error messages...

Lazer
  • 501
  • 4
  • 14