failed to get certificate URL, retry(0) issue with winrm #4201

Closed
avishnyakov opened this issue Nov 24, 2016 · 7 comments
avishnyakov commented Nov 24, 2016

While building azure rm images, the following issue arises:

..failed to get certificate URL, retry(0)

Full workflow goes as follows:

==> azure-arm: Running builder ...
    azure-arm: Creating Azure Resource Manager (ARM) client ...
==> azure-arm: Creating resource group ...
==> azure-arm:  -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20'
==> azure-arm:  -> Location          : 'West US'
==> azure-arm:  -> Tags              :
==> azure-arm: Validating deployment template ...
==> azure-arm:  -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20'
==> azure-arm:  -> DeploymentName    : 'pkrdp9c0p55hq20'
==> azure-arm: Deploying deployment template ...
==> azure-arm:  -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20'
==> azure-arm:  -> DeploymentName    : 'pkrdp9c0p55hq20'
==> azure-arm: Getting the certificate's URL ...
==> azure-arm:  -> Key Vault Name        : 'pkrkv9c0p55hq20'
==> azure-arm:  -> Key Vault Secret Name : 'packerKeyVaultSecret'
==> azure-arm:  ...failed to get certificate URL, retry(0)
....
  ...failed to get certificate URL, retry(4)
 Failed to fetch secret from pkrkv9c0p55hq20/packerKeyVaultSecret, HTTP status code=403 (Forbidden)

Let me know if more info is needed.

Collaborator

boumenot commented Nov 24, 2016

This is the real issue.

2016/11/24 14:26:21 packer.exe: 2016/11/24 14:26:21 Azure response status="403 Forbidden" method="GET"
request="https://pkrkvf60qlkygkl.vault.azure.net/secrets/packerKeyVaultSecret?api-version=2015-06-01"
x-ms-request-id="fe339437-9dce-4f1d-b91b-7b120bd4347a"
body="{"error":{"code":"Forbidden","message":"Access denied"}}"

The Azure builder did a poor job of making this clear. This is usually caused by setting the wrong ObjectID for your SPN.

azure ad sp show --spn <client_id>

Collaborator

rickard-von-essen commented Nov 24, 2016 via email

@avishnyakov
Author

Gosh, that might be the key. You are right. Saw that here and there in the posts/docs as well. Let me check.

azure ad sp show --spn <client_id>

@avishnyakov
Author

Yep, Object ID is the problem. Got the wrong one, wasn't sure which one to get. So the "Object ID" should be taken from the role assignment. Confirming that all works with packer 0.12.0.

As for the following, it does not seem to exist within azure cli on windows, which is a bit weird.

azure ad sp show --spn <client_id>

Looks really good now. VM is created, all seems to be fine.

Thanks for the help!

@dcallagh

In PowerShell, Get-AzureRmADServicePrincipal will show all SPNs; the name YOU THINK it is is actually the display name. Look for this in the list provided and the ObjectId will be in the same list. The SPN name is actually a URL without the display name in it.

@Tarvinders

Yes, the problem is with the wrong Object ID. You will find the right Object ID in the RoleAssignments page and not on the Azure AD page where the application is registered. To find the right one, use the command line, which is fairly straightforward.

  1. Login to your account

    Login-AzureRmAccount

  2. You have to set the subscription if the below command doesn't implicitly set your subscription. It took me very long to figure this out as this step was not required when I was using my free account:

    Set-AzureRmContext -SubscriptionId "---****-******"

  3. Get the role assignment and you will find the correct Object ID for this registered application.

    get-AzureRmRoleAssignment
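
The check this thread converges on, as an added example that is not from any participant or from the Packer project: given the client ID, it reports whether a configured Object ID is the service principal's (the one that appears in role assignments) or the application registration's. The function name `Test-PackerObjectId` and its parameters are hypothetical; it assumes the AzureRM module, an authenticated session, and that the returned objects expose `Id` (service principal) and `ObjectId` (application) as that module does.

```powershell
# Added example. Assumes: AzureRM module installed, Login-AzureRmAccount and
# (if needed) Set-AzureRmContext already run. Function name is hypothetical.
function Test-PackerObjectId {
    param(
        # Application (client) ID used by the build
        [Parameter(Mandatory)] [string] $ClientId,
        # Object ID currently configured for the build
        [Parameter(Mandatory)] [string] $ConfiguredObjectId
    )

    # The service principal is the identity that holds role assignments.
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ClientId
    if (-not $sp) {
        throw "No service principal found for client ID $ClientId"
    }

    # The application registration has its own, different object ID.
    # This is the value the thread says is picked up by mistake.
    $app = Get-AzureRmADApplication -ApplicationId $ClientId

    $verdict = if ($ConfiguredObjectId -eq "$($sp.Id)") {
        'OK: matches the service principal'
    } elseif ($app -and $ConfiguredObjectId -eq "$($app.ObjectId)") {
        'WRONG: this is the application registration object ID'
    } else {
        'WRONG: matches neither object for this client ID'
    }

    # Role assignments are listed against the service principal's object ID.
    $roles = Get-AzureRmRoleAssignment -ObjectId $sp.Id

    [pscustomobject]@{
        DisplayName        = $sp.DisplayName
        ServicePrincipalId = "$($sp.Id)"
        ApplicationObjId   = if ($app) { "$($app.ObjectId)" } else { $null }
        ConfiguredObjectId = $ConfiguredObjectId
        Verdict            = $verdict
        RoleAssignments    = @($roles | ForEach-Object {
            "$($_.RoleDefinitionName) on $($_.Scope)"
        })
    }
}

# Usage with placeholder values (substitute your own):
# Test-PackerObjectId -ClientId '<client_id>' -ConfiguredObjectId '<object_id>'
```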


ghost commented Apr 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@hashicorp hashicorp locked and limited conversation to collaborators Apr 2, 2020