failed to get certificate URL, retry(0) issue with winrm #4201

Closed
avishnyakov opened this Issue Nov 24, 2016 · 6 comments

5 participants

avishnyakov commented Nov 24, 2016

While building azure rm images, the following issue arises:

..failed to get certificate URL, retry(0)

The full workflow goes as follows:

==> azure-arm: Running builder ...
    azure-arm: Creating Azure Resource Manager (ARM) client ...
==> azure-arm: Creating resource group ...
==> azure-arm:  -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20'
==> azure-arm:  -> Location          : 'West US'
==> azure-arm:  -> Tags              :
==> azure-arm: Validating deployment template ...
==> azure-arm:  -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20'
==> azure-arm:  -> DeploymentName    : 'pkrdp9c0p55hq20'
==> azure-arm: Deploying deployment template ...
==> azure-arm:  -> ResourceGroupName : 'packer-Resource-Group-9c0p55hq20'
==> azure-arm:  -> DeploymentName    : 'pkrdp9c0p55hq20'
==> azure-arm: Getting the certificate's URL ...
==> azure-arm:  -> Key Vault Name        : 'pkrkv9c0p55hq20'
==> azure-arm:  -> Key Vault Secret Name : 'packerKeyVaultSecret'
==> azure-arm:  ...failed to get certificate URL, retry(0)
....
  ...failed to get certificate URL, retry(4)
 Failed to fetch secret from pkrkv9c0p55hq20/packerKeyVaultSecret, HTTP status code=403 (Forbidden)

Let me know if more info is needed.

boumenot (Collaborator) commented Nov 24, 2016

This is the real issue.

2016/11/24 14:26:21 packer.exe: 2016/11/24 14:26:21 Azure response status="403 Forbidden" method="GET"
request="https://pkrkvf60qlkygkl.vault.azure.net/secrets/packerKeyVaultSecret?api-version=2015-06-01"
x-ms-request-id="fe339437-9dce-4f1d-b91b-7b120bd4347a"
body="{"error":{"code":"Forbidden","message":"Access denied"}}"

The Azure builder did a poor job of making this clear. This is usually caused by setting the wrong ObjectID for your SPN.

azure ad sp show --spn <client_id>
rickard-von-essen (Collaborator) commented Nov 24, 2016

avishnyakov commented Nov 24, 2016

Gosh, that might be the key. You are right. Saw that here and there in the posts/docs as well. Let me check.

azure ad sp show --spn <client_id>

avishnyakov commented Nov 24, 2016

Yep, the Object ID is the problem. Got the wrong one, wasn't sure which one to get. So the "Object ID" should be taken from the role assignment. Confirming that all works with packer 0.12.0.

As for the following, it does not seem to exist within the Azure CLI on Windows, which is a bit weird.

azure ad sp show --spn <client_id>

Looks really good now. VM is created, all seems to be fine.

Thanks for the help!

dcallagh commented Mar 31, 2017

In PowerShell, Get-AzureRmADServicePrincipal will show all SPNs; the name YOU THINK it is is actually the display name. Look for this in the list provided and the ObjectId will be in the same list. The SPN name is actually a URL without the display name in it.

Tarvinders commented Nov 30, 2017

Yes, the problem is with the wrong Object ID. You will find the right Object ID on the Role Assignments page and not on the Azure AD page where the application is registered. To find the right one, use the command line, which is fairly straightforward.

  1. Login to your account:

    Login-AzureRmAccount

  2. You have to set the subscription if the below command doesn't implicitly set your subscription. It took me very long to figure this out, as this step was not required when I was using my free account:

    Set-AzureRmContext -SubscriptionId "---****-******"

  3. Get the role assignment and you will find the correct Object ID for this registered application:

    Get-AzureRmRoleAssignment
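The lookup described in this thread, as an added example that is not part of the issue or of Packer itself: starting from the SPN's client id, resolve the service principal's own object id (the one the role assignment carries) and confirm that principal holds a role in the subscription. It assumes the AzureRM module is installed, Login-AzureRmAccount has been run, and a placeholder client id is supplied by the caller.

```powershell
# Added example (not from the issue or from Packer): resolve the object id that
# packer's azure-arm builder expects from the SPN's client id, and check that the
# principal actually has a role assignment. Assumes the AzureRM module is loaded
# and Login-AzureRmAccount has already been run.
param(
    [Parameter(Mandatory = $true)]
    [string]$ClientId,        # the SPN's application (client) id, e.g. from packer's client_id
    [string]$SubscriptionId   # optional: set when the default context is the wrong subscription
)

if ($SubscriptionId) {
    Set-AzureRmContext -SubscriptionId $SubscriptionId | Out-Null
}

# The SPN name of a registered application is its application id, not the
# display name shown in the portal (see dcallagh's comment above).
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ClientId
if (-not $sp) {
    throw "No service principal found for client id '$ClientId' in the current tenant"
}

# $sp.Id is the service principal's object id: the value the role assignment
# carries and the one this thread identifies as the correct packer object_id.
# The object id on the app registration page is a different object; using it
# produces the 403 Forbidden on the Key Vault secret seen in the log above.
$objectId = $sp.Id

# Without a role assignment the builder cannot deploy into the subscription at all.
$assignments = Get-AzureRmRoleAssignment -ObjectId $objectId
if (-not $assignments) {
    Write-Warning "Service principal '$($sp.DisplayName)' has no role assignment in this subscription"
}

# Emit one record the operator can paste into the packer template and review.
[pscustomobject]@{
    DisplayName = $sp.DisplayName
    ClientId    = $ClientId
    ObjectId    = $objectId
    Roles       = ($assignments | ForEach-Object { $_.RoleDefinitionName }) -join ', '
}
```

The ObjectId field of the output is what belongs in the builder's object_id setting; the Roles field should be non-empty, otherwise fix the role assignment before retrying the build.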
