failed to get certificate URL, retry(0) issue with winrm

[avishnyakov]

While building azure rm images, the following issue arises:

..failed to get certificate URL, retry(0)

Full workflow goes as following:

==> azure-arm: Running builder ...
    azure-arm: Creating Azure Resource Manager (ARM) client ...
==> azure-arm: Creating resource group ...
==> azure-arm:  -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20'
==> azure-arm:  -> Location          : 'West US'
==> azure-arm:  -> Tags              :
==> azure-arm: Validating deployment template ...
==> azure-arm:  -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20'
==> azure-arm:  -> DeploymentName    : 'pkrdp9c0p55hq20'
==> azure-arm: Deploying deployment template ...
==> azure-arm:  -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20'
==> azure-arm:  -> DeploymentName    : 'pkrdp9c0p55hq20'
==> azure-arm: Getting the certificate's URL ...
==> azure-arm:  -> Key Vault Name        : 'pkrkv9c0p55hq20'
==> azure-arm:  -> Key Vault Secret Name : 'packerKeyVaultSecret'
==> azure-arm:  ...failed to get certificate URL, retry(0)
....
  ...failed to get certificate URL, retry(4)
 Failed to fetch secret from pkrkv9c0p55hq20/packerKeyVaultSecret, HTTP status code=403 (Forbidden)

• packer --version 0.12.0
• win10 + azure rm
• packer log - https://gist.github.com/avishnyakov/06443e90b71730ddac977bb5d3d17cb6
• packer tamples - https://gist.github.com/avishnyakov/c58061e52ee9015eacc4284b85f27f8c

Let me know if more info is needed.

[boumenot]

This is the real issue.

2016/11/24 14:26:21 packer.exe: 2016/11/24 14:26:21 Azure response status="403 Forbidden" method="GET"
request="https://pkrkvf60qlkygkl.vault.azure.net/secrets/packerKeyVaultSecret?api-version=2015-06-01"
x-ms-request-id="fe339437-9dce-4f1d-b91b-7b120bd4347a"
body="{"error":{"code":"Forbidden","message":"Access denied"}}"

The Azure builder did a poor job of making this clear. This is usually caused by setting the wrong ObjectID for your SPN.

azure ad sp show --spn <client_id>

[rickard-von-essen]

From the logs it looks like you are using 0.11.0.

…

On Nov 24, 2016 6:45 AM, "Anton VIshnyakov" ***@***.***> wrote: While building azure rm images, the following issue arises: ..failed to get certificate URL, retry(0) Full workflow goes as following: ==> azure-arm: Running builder ... azure-arm: Creating Azure Resource Manager (ARM) client ... ==> azure-arm: Creating resource group ... ==> azure-arm: -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20' ==> azure-arm: -> Location : 'West US' ==> azure-arm: -> Tags : ==> azure-arm: Validating deployment template ... ==> azure-arm: -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20' ==> azure-arm: -> DeploymentName : 'pkrdp9c0p55hq20' ==> azure-arm: Deploying deployment template ... ==> azure-arm: -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20' ==> azure-arm: -> DeploymentName : 'pkrdp9c0p55hq20' ==> azure-arm: Getting the certificate's URL ... ==> azure-arm: -> Key Vault Name : 'pkrkv9c0p55hq20' ==> azure-arm: -> Key Vault Secret Name : 'packerKeyVaultSecret' ==> azure-arm: ...failed to get certificate URL, retry(0) - packer --version 0.12.0 - win10 + azure rm - packer log - https://gist.github.com/avishnyakov/ 06443e90b71730ddac977bb5d3d17cb6 <https://gist.github.com/avishnyakov/06443e90b71730ddac977bb5d3d17cb6> - packer tamples - https://gist.github.com/avishnyakov/ c58061e52ee9015eacc4284b85f27f8c <https://gist.github.com/avishnyakov/c58061e52ee9015eacc4284b85f27f8c> Let me know if more info is needed. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#4201>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAiCg8tzL88c03YJiB4AF9g0CPQxooGaks5rBSSEgaJpZM4K7TF0> .

[avishnyakov]

Gosh, that might be the key. You are right. Saw that here and there in the posts/docs as well. Let me check.

azure ad sp show --spn <client_id>

[avishnyakov]

Yep, Object ID is the problem. Got the wrong one, wasn't sure which one to get. So the "Object ID" should be taken from the role assignment. Confirming that all works with packer 0.12.0

As for the following, it does not seem to exist within azure cli on windows, which is a bit weird.

azure ad sp show --spn <client_id>

Looks really good now. VM is created, all seems to be fine.

Thanks for the help!

[dcallagh]

In Powershell Get-AzureRmADServicePrincipal will show all SPN, the name YOU THINK it is is actually the display name. Look for this in the list provided and the objectid will be in the same list. the SPN name is actually a url without the display name in it

[Tarvinders]

Yes the problem is with wrong Object ID. You will find the right Object ID in RoleAssignments page and not on the Azure AD page where the application is registered. To find the right one, use command line which is fairly straightforward.

1. Login to your account
   Login-AzureRmAccount

2. You have to set teh subsciption if the below command doesnt implicity set your subscription. It took me very long to figure this out as this step was not required when I was using my free account:

Set-AzureRmContext -SubscriptionId "---****-******"

3. Get the role assignment and you will find the correct Object ID for this registered application.

get-AzureRmRoleAssignment

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.