
I found this documentation https://devblogs.microsoft.com/aspnet/announcing-an-easier-way-to-use-latest-certificates-from-key-vault/ and some other ARM references to add a Key Vault extension to the VMSS in order to achieve certificate auto-rotation. But, when I try to do a deployment, the extension just times out without giving any useful error message. For this to work, are there any constraints, like, say, the Key Vault and the VMSS need to be in the same resource group? Does anyone know what might be wrong with my template?

Here's my extension:

```json
{
  "name": "KeyVaultForWindows",
  "location": "[variables('location')]",
  "properties": {
    "publisher": "Microsoft.Azure.KeyVault",
    "type": "KeyVaultForWindows",
    "typeHandlerVersion": "0.0",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "secretsManagementSettings": {
        "pollingIntervalInS": "60",
        "requireInitialSync": true,
        "certificateStoreName": "MY",
        "certificateStoreLocation": "LocalMachine",
        "observedCertificates": ["https:///secrets/"]
      }
    }
  }
}
```
  • Do you happen to be using this extension with Service Fabric? You can find extension logs under this directory: C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.KeyVault.Edp.KeyVaultForWindows\... – Rich Randall Mar 25 '19 at 23:06
  • Thanks for your response. It's not Service Fabric. I'm using aks-engine to create a Kubernetes cluster; this extension is for the VM instances of the VMSS. Will take a look at the logs in that location once. – sai guru datt manchikanti Mar 25 '19 at 23:52
  • Hi Rich, can we add an access policy to a Key Vault that's in a different resource group? – sai guru datt manchikanti Mar 26 '19 at 01:53
  • The VM Extension can access any vault, regardless of region, resource group..., as long as the access policy on that Vault grants permission to the MSI identity that the extension is using. – Rich Randall Mar 26 '19 at 20:03
  • I can see that it works when I add an access policy to a Key Vault in the same resource group; it works as expected. But when I try to do it for a Key Vault in a different resource group, it's not able to find the Key Vault, and when we explicitly give the Key Vault access policy resource id, it fails saying it expects the resource id with the current resource group name. – sai guru datt manchikanti Mar 27 '19 at 19:55
  • It worked with nested deployments! – sai guru datt manchikanti Mar 28 '19 at 17:56
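The thread ends with "nested deployments" and does not show what that looked like. The following is an added example (not from the question author or from Microsoft's documentation) of the usual shape of that fix: a `Microsoft.Resources/deployments` resource targeted at the Key Vault's resource group via its `resourceGroup` property, whose inner template adds an access policy for the VMSS's system-assigned identity. The parameter names `vmssName`, `keyVaultName` and `keyVaultResourceGroup` and the API versions are assumptions; the VMSS is assumed to be deployed in the same template with `"identity": { "type": "SystemAssigned" }`, which is what the extension authenticates with. Permissions are kept to `get` on secrets, which is what the extension needs to download the certificate; nothing else is granted.

```json
{
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2019-10-01",
  "name": "grantVmssAccessToKeyVault",
  "resourceGroup": "[parameters('keyVaultResourceGroup')]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]"
  ],
  "properties": {
    "mode": "Incremental",
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "type": "Microsoft.KeyVault/vaults/accessPolicies",
          "apiVersion": "2019-09-01",
          "name": "[concat(parameters('keyVaultName'), '/add')]",
          "properties": {
            "accessPolicies": [
              {
                "tenantId": "[subscription().tenantId]",
                "objectId": "[reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName')), '2019-07-01', 'Full').identity.principalId]",
                "permissions": {
                  "secrets": [ "get" ]
                }
              }
            ]
          }
        }
      ]
    }
  }
}
```

Because the inner template uses the default (outer) expression evaluation scope, `parameters(...)` and `reference(...)` here resolve against the parent deployment, so the VMSS in the deployment's own resource group is visible while the access policy itself is created in the vault's resource group. The `/add` child resource appends a policy instead of replacing the vault's existing ones, which is the behaviour you want when other principals already have access. If the extension still times out after the policy is in place, the `C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.KeyVault.Edp.KeyVaultForWindows\...` location from the comment above is where to check whether it is an authorization failure or something else.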

0 Answers