"The key vault can exist in a different subscription than the resource group you are deploying to." may be incorrect. #7650
Comments
@tonybendis Thanks for bringing this to our attention. Your feedback has been shared with the content owner for further review.
@tonybendis - I was not able to duplicate this error. This article describes how to get a value from Key Vault and pass that value as a parameter to a template. When deploying the resource, the parameter value would only contain the secret without any indication of the subscription ID that it came from. Were you instead trying to set the certificate URL in the VM resource?
@tonybendis - if you are still having a problem with Key Vault and templates, feel free to reopen this issue. Otherwise, we'll close it. #please-close
#please-close
@tonybendis We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
Hi, I get the same error! ERROR The KeyVault 'enjnjnj-vn' does not exist in the Resource
I also get this error:
When I try to deploy a VMSS with an ARM template. I am trying to use the
#please-open
@canutza - this article describes the scenario of using a key vault secret in a parameter file. In that case, the key vault does not need to be in the same subscription. Your scenario involves directly referencing a key vault from a VM property. That scenario is described at Set up Key Vault for virtual machines in Azure Resource Manager.
For Secrets cross-subscription seems to work fine. For Certificates however it fails with: "The SubscriptionId:"subIdVm" of the request must match the SubscriptionId "subIdKv" contained Template: "osProfile": {
@JulianHayward I am also seeing this error when I try to use the secret identifier URL of the SSL cert in a different subscription and different resource group. I am able to use the same key vault to pass in secrets though.
Same issue here, we deploy a Vmss with certificate reference in the osprofile which points to a keyvault in another owned subscription.
I'm facing the same issue, we have a central keyvault in a central subscription that holds our certificate, but ARM deployment for a VMSS in a different subscription fails to get the certificate from that keyvault with the same error message. I've also tried adding the managed identity of the VMSS to the target keyvault but that yields the same issue.
#please-open for certificate reference in the osprofile which points to a keyvault in different subscription.
#please-open
The osprofile-based cert ref does not support KV auto-rotation today as far as I know?!?
It's not about auto rotation. You cannot reference certificates from akv in a different subscription (not vmss subscription) in os profile.
Just ran into this #please-open
#please-open
@wi5nia - does your issue involve directly referencing a key vault from a VM property?
We are deploying a Service Fabric cluster which uses of course VMSS and have an ARM template which references an Azure KeyVault in different subscription because we want to have one centrally managed by IT AKV which is integrated with DigiCert. This way we can centrally purchase certificates, distribute them and renew.
@wi5nia - the statement about the key vault existing in a different subscription applies to getting secrets in parameter file. It doesn't apply to referencing a certificate from a template. I have added a note that tries to clarify that difference. It should get published later today.
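A pre-deployment check for the case discussed in this thread, as an added example that is not part of the original thread or of Microsoft's tooling: it walks a template's VM and VMSS resources and flags any `osProfile.secrets[].sourceVault.id` whose subscription differs from the subscription being deployed to. The function name, the sample template, and the subscription IDs are constructed for illustration; vault IDs written as template expressions are reported as unresolved rather than guessed.

```python
import re

# Path from "properties" down to osProfile for the resource types that
# reference a vault directly through osProfile.secrets[].sourceVault.id.
OS_PROFILE_PATHS = {
    "microsoft.compute/virtualmachines": ("osProfile",),
    "microsoft.compute/virtualmachinescalesets": ("virtualMachineProfile", "osProfile"),
}
SUB_RE = re.compile(r"/subscriptions/([^/]+)/", re.IGNORECASE)


def check_source_vaults(template, deployment_subscription):
    """Return (resource name, vault id, verdict) for every osProfile secret."""
    findings = []
    for res in template.get("resources", []):
        path = OS_PROFILE_PATHS.get(res.get("type", "").lower())
        if path is None:
            continue
        node = res.get("properties", {})
        for key in path:
            node = node.get(key, {})
        for secret in node.get("secrets", []):
            vault_id = secret.get("sourceVault", {}).get("id", "")
            match = SUB_RE.search(vault_id)
            if vault_id.startswith("[") or match is None:
                verdict = "unresolved"  # template expression: check after evaluation
            elif match.group(1).lower() == deployment_subscription.lower():
                verdict = "ok"
            else:
                verdict = "cross-subscription"  # the case that fails in this thread
            findings.append((res.get("name"), vault_id, verdict))
    return findings


# Constructed sample: placeholder subscription IDs and names, not from the thread.
SUB_VM = "11111111-1111-1111-1111-111111111111"
SUB_KV = "22222222-2222-2222-2222-222222222222"
SAMPLE_TEMPLATE = {"resources": [{
    "type": "Microsoft.Compute/virtualMachineScaleSets",
    "name": "example-vmss",
    "properties": {"virtualMachineProfile": {"osProfile": {"secrets": [
        {"sourceVault": {"id": f"/subscriptions/{SUB_KV}/resourceGroups/example-rg"
                               "/providers/Microsoft.KeyVault/vaults/example-kv"},
         "vaultCertificates": [{"certificateUrl": "<certificate-secret-url>", "certificateStore": "My"}]},
    ]}}},
}]}

if __name__ == "__main__":
    for name, vault, verdict in check_source_vaults(SAMPLE_TEMPLATE, SUB_VM):
        print(f"{verdict:20} {name} -> {vault}")
```

Key vault references inside a parameter file are deliberately not inspected, since the thread states that those work across subscriptions.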
Is there an actual resolution to this?
results in:
Same problem, this needs a fix - please. Using With ApplicationCertificateId being defined as: Obviously, the template works fine when the KV and service being deployed are in the same subscription.
Facing the exact same issue. Below is my ARM which refers to vault in different subscription -
When the VM subscription is not the same as the Key Vault's subscription, we get error "The SubscriptionId: ... of the request must match the SubscriptionId ... contained in the Key Vault Id".