
"The key vault can exist in a different subscription than the resource group you are deploying to." may be incorrect. #7650

Closed
tonybendis opened this issue Apr 24, 2018 — with docs.microsoft.com · 25 comments


When the VM subscription is not the same as the Key Vault's subscription, we get the error "The SubscriptionId: ... of the request must match the SubscriptionId ... contained in the Key Vault Id".



femsulu (Member) commented Apr 24, 2018

@tonybendis Thanks for bringing this to our attention. Your feedback has been shared with the content owner for further review.

tfitzmac (Contributor) commented:

@tonybendis - I was not able to duplicate this error. This article describes how to get a value from Key Vault and pass that value as a parameter to a template. When deploying the resource, the parameter value would only contain the secret without any indication of the subscription ID that it came from. Were you instead trying to set the certificate URL in the VM resource?

tfitzmac (Contributor) commented:

@tonybendis - if you are still having a problem with Key Vault and templates, feel free to reopen this issue. Otherwise, we'll close it.

#please-close

tfitzmac (Contributor) commented:

#please-close

TravisCragg-MSFT (Member) commented:

@tonybendis We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

nitinjain999 commented:

Hi,

I get the same error! ERROR The KeyVault 'enjnjnj-vn' does not exist in the Resource Group 'test_gos' for the Subscription

mihaiiorga commented Nov 2, 2018

I also get this error:

```
Resource Microsoft.Compute/virtualMachineScaleSets 'VMScaleSetWin' failed with message '{
  "error": {
    "code": "InvalidParameter",
    "message": "The SubscriptionId:\"00000000-0000-0000-000-000000000000\" of the request must match the SubscriptionId \"11111111-1111-1111-1111-111111111111\" contained in the Key Vault Id.",
    "target": "sourceVault.id"
  }
}'
```

When I try to deploy a VMSS with an ARM template. I am trying to use the osProfile.secrets.sourceVault.id from a different subscription.
Is there a permission issue maybe?

mihaiiorga commented:

#please-open

tfitzmac (Contributor) commented Nov 2, 2018

@canutza - this article describes the scenario of using a key vault secret in a parameter file. In that case, the key vault does not need to be in the same subscription. Your scenario involves directly referencing a key vault from a VM property. That scenario is described at Set up Key Vault for virtual machines in Azure Resource Manager.

JulianHayward (Contributor) commented May 24, 2019

For Secrets, cross-subscription seems to work fine. For Certificates, however, it fails with:

```
The SubscriptionId:"subIdVm" of the request must match the SubscriptionId "subIdKv" contained in the Key Vault Id.
```

Template:

```json
"osProfile": {
  "computerName": "[parameters('virtualMachineName')]",
  "adminUsername": "[parameters('adminUsername')]",
  "adminPassword": "[parameters('adminPassword')]",
  "secrets": [
    {
      "sourceVault": {
        "id": "[concat('/subscriptions/', 'subIdKv', '/resourceGroups/', 'rgkeyvault', '/providers/Microsoft.KeyVault/vaults/', 'testvaultxxx')]"
      },
      "vaultCertificates": [
        {
          "certificateUrl": "https://testvaultxxx.vault.azure.net:443/secrets/JHTESTCERT/6206a8d1438c4d378ca7aa69c31a7f2f",
          "certificateStore": "TESTCERTSTORE"
        }
      ]
    }
  ]
},
```

mwhisler commented:

@JulianHayward I am also seeing this error when I try to use the secret identifier URL of the SSL cert in a different subscription and different resource group. I am able to use the same key vault to pass in secrets though.

sebdau (Contributor) commented Nov 14, 2019

Same issue here: we deploy a VMSS with a certificate reference in the osProfile which points to a Key Vault in another owned subscription.
Can you please triage this and update the status?

Mortana89 commented:

I'm facing the same issue, we have a central keyvault in a central subscription that holds our certificate, but ARM deployment for a VMSS in a different subscription fails to get the certificate from that keyvault with the same error message. I've also tried adding the managed identity of the VMSS to the target keyvault but that yields the same issue.

jijohn14 (Contributor) commented:

#please-open for certificate reference in the osprofile which points to a keyvault in different subscription.

jijohn14 (Contributor) commented:

#please-open

sebdau (Contributor) commented Mar 19, 2020

The osprofile-based cert ref does not support KV auto-rotation today as far as I know?!?

jijohn14 (Contributor) commented:

It's not about auto rotation. You cannot reference certificates from akv in different subscription (not vmss subscription) in os profile.

LukeDearden commented:

Just ran into this.

#please-open

wi5nia (Contributor) commented Jun 17, 2021

#please-open
We are having the same issue

PRMerger18 reopened this Jun 17, 2021
tfitzmac (Contributor) commented:

@wi5nia - does your issue involve directly referencing a key vault from a VM property?

wi5nia (Contributor) commented Jun 17, 2021

We are deploying a Service Fabric cluster, which of course uses VMSS, and we have an ARM template which references an Azure Key Vault in a different subscription, because we want to have one AKV centrally managed by IT which is integrated with DigiCert. This way we can centrally purchase certificates, distribute them and renew them.

tfitzmac (Contributor) commented:

@wi5nia - the statement about the key vault existing in a different subscription applies to getting secrets in parameter file. It doesn't apply to referencing a certificate from a template. I have added a note that tries to clarify that difference. It should get published later today.
#please-close

fuocor commented Jul 6, 2021

Is there an actual resolution to this?
I have the following, where the first vault is in a different subscription.

```json
"osProfile": {
  "adminPassword": "[parameters('adminPassword')]",
  "adminUsername": "[parameters('adminUsername')]",
  "computernamePrefix": "[variables('vmNodeType0Name')]",
  "secrets": [
    {
      "sourceVault": {
        "id": "[parameters('sharedVaultResourceId')]"
      },
      "vaultCertificates": [
        {
          "certificateStore": "[parameters('certificateStoreValue')]",
          "certificateUrl": "[parameters('wildCardCertificateUrl')]"
        }
      ]
    },
    {
      "sourceVault": {
        "id": "[parameters('clusterVaultResourceId')]"
      },
      "vaultCertificates": [
        {
          "certificateStore": "[parameters('certificateStoreValue')]",
          "certificateUrl": "[parameters('chorusCertificateUrl')]"
        },
        {
          "certificateStore": "[parameters('certificateStoreValue')]",
          "certificateUrl": "[parameters('rootCACertificateUrl')]"
        }
      ]
    }
  ]
},
```

results in:

```json
{
    "status": "Failed",
    "error": {
        "code": "InvalidParameter",
        "target": "sourceVault.id",
        "message": "The SubscriptionId:\"<id>\" of the request must match the SubscriptionId \"<sharedId>\" contained in the Key Vault Id."
    }
}
```

LeKaido commented Sep 21, 2021

Same problem, this needs a fix - please.
Trying to deploy a Cloud Service ES to one subscription while pulling the cert from another subscription. And it's not working.

```
The cloud service SubscriptionId 'xxxxx' must match the key vault SubscriptionId 'yyyyy'
```

Using

```json
"osProfile": {
  "secrets": [
    {
      "sourceVault": {
        "id": "[resourceId(parameters('KeyVaultSubscr'), parameters('KeyVaultResGrp'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultCrts'))]"
      },
      "vaultCertificates": [
        {
          "certificateUrl": "[reference(variables('ApplicationCertificateSecretId'), '2018-02-14').secretUriWithVersion]"
        }
      ]
    }
  ]
}
```

With ApplicationCertificateSecretId being defined as:

```json
"ApplicationCertificateSecretId": "[ResourceId(parameters('KeyVaultSubscr'), parameters('KeyVaultResGrp'), 'Microsoft.KeyVault/vaults/secrets', parameters('KeyVaultCrts'), parameters('ApplicationCertificateSecret'))]"
```

Obviously, the template works fine when the KV and service being deployed are in the same subscription.

kathuriamadhur commented Oct 21, 2021

Facing the exact same issue. Below is my ARM template, which refers to a vault in a different subscription:

```json
"osProfile": {
  "adminPassword": "[parameters('adminPassword')]",
  "adminUsername": "[parameters('adminUsername')]",
  "computernamePrefix": "[parameters('vmNodeType0Name')]",
  "secrets": [
    {
      "sourceVault": {
        "id": "[parameters('sourceVaultValue')]"
      },
      "vaultCertificates": [
        {
          "certificateStore": "[parameters('certificateStoreValue')]",
          "certificateUrl": "[parameters('certificateUrlValue')]"
        }
      ]
    }
  ]
}
```

When I deploy my Service Fabric cluster I get the below error:

![image](https://user-images.githubusercontent.com/71304310/138214498-4738dc1b-2189-48ac-b57d-e7a93f5a6976.png)
