Poul K. Sørensen

Reputation: 17530

The KeyVault API rest call failed as part of ARM deployment

An ARM deployment is throwing the following exception:

The secret of KeyVault parameter 'dbAdministratorLogin' cannot be retrieved. Http status code: '<null>'. Error message: 'The KeyVault API rest call failed. HttpStatusCode: 'Unknown', Exception: 'Newtonsoft.Json.JsonSerializationException: Required property 'detail' not found in JSON. Path '', line 1, position 75.
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.EndObject(Object newObject, JsonReader reader, JsonObjectContract contract, Int32 initialDepth, Dictionary`2 propertiesPresence)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject(Object newObject, JsonReader reader, JsonObjectContract contract, JsonProperty member, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
   at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
   at Newtonsoft.Json.JsonConvert.DeserializeObject[T](String value, JsonSerializerSettings settings)
   at Microsoft.WindowsAzure.ResourceStack.Frontdoor.Data.DataProviders.KeyVaultDataProvider.<GetSecret>d__13.MoveNext() in x:\bt\662571\repo\src\frontdoor\Roles\Frontdoor.Data\DataProviders\KeyVaultDataProvider.cs:line 269
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.WindowsAzure.ResourceStack.Common.Algorithms.AsyncRetry.<Retry>d__6`1.MoveNext() in x:\bt\662571\repo\src\common\core\algorithms\AsyncRetry.cs:line 79
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.WindowsAzure.ResourceStack.Frontdoor.Data.DataProviders.KeyVaultDataProvider.<GetSecret>d__8.MoveNext() in x:\bt\662571\repo\src\frontdoor\Roles\Frontdoor.Data\DataProviders\KeyVaultDataProvider.cs:line 197'.'.

where the parameter is defined as a reference to a secret in a keyvault:

"dbAdministratorLogin": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/{maskedguid}/resourceGroups/ascend-ammo-infrastructure-test/providers/Microsoft.KeyVault/vaults/ascend-ammo-kv-test"
    },
    "secretName": "ascend-ammo-weu-dbAdministratorLogin"
  }
},

Can anyone from the Azure KeyVault Team give some insight into potential issues that could cause this? No idea if it's permission errors, template errors or something else.

Here are my test files:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "myAdminUsername": {
      "value": "MyAdministrator"
    },
    "myAdminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/{subid}/resourceGroups/ascend-ammo-infrastructure/providers/Microsoft.KeyVault/vaults/{existingkvname}"
        },
        "secretName": "ascend-ammo-weu-dbAdministratorLoginPassword"
      }
    }
  }
}

and

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "myAdminUsername": {
      "type": "string",
      "minLength": 4
    },
    "myAdminPassword": {
      "type": "securestring"
    }
  },
  "resources": [
  ],
  "outputs": {
    "password": {
      "type": "securestring",
      "value": "[parameters('myAdminPassword')]"
    }
  }
}

Upvotes: 1

Views: 1535

Answers (1)

Poul K. Sørensen

Reputation: 17530

When the keyvault is created, it needs a parameter to enable it for ARM deployments:

"enabledForTemplateDeployment": {
  "type": "bool",
  "defaultValue": false,
  "allowedValues": [
    true,
    false
  ],
  "metadata": {
    "description": "Specifies if the vault is enabled for ARM template deployment"
  }
},

and

{
  "type": "Microsoft.KeyVault/vaults",
  "name": "[variables('keyVaultName')]",
  "apiVersion": "2015-06-01",
  "location": "[parameters('keyVaultLocation')]",
  "properties": {
    "enabledForDeployment": "[parameters('enableVaultForDeployment')]",
    "enabledForDiskEncryption": "[parameters('enableVaultForDiskEncryption')]",
    "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
    "tenantId": "[parameters('tenantId')]",
    "accessPolicies": [
      {
        "tenantId": "[parameters('tenantId')]",
        "objectId": "[parameters('objectId')]",
        "permissions": {
          "keys": [ "all" ],
          "secrets": [ "all" ]
        }
      }
    ],
    "sku": {
      "name": "[parameters('keyVaultSku')]",
      "family": "A"
    }
  }
}

Upvotes: 3
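As an added example (not code from the question or the answer), a preflight script that walks a parameters file of the shape shown in the question, extracts each KeyVault reference and checks it against the vault's enabledForTemplateDeployment flag before the deployment is submitted. The vault data is a constructed stand-in for what `az keyvault show` and a secret listing would return; the subscription id, resource group and vault name are placeholders.

```python
import json
import re

# Constructed sample parameters file, same shape as the one in the question
# (subscription id and names are placeholders).
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "example-rg/providers/Microsoft.KeyVault/vaults/example-kv")
PARAMETERS_JSON = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "myAdminUsername": {"value": "MyAdministrator"},
        "myAdminPassword": {"reference": {
            "keyVault": {"id": VAULT_ID},
            "secretName": "dbAdministratorLoginPassword"}},
    },
})

# Constructed stand-in for what `az keyvault show` and a secret listing would return;
# a real preflight would query the API and needs only read access to vault metadata.
VAULTS = {VAULT_ID.lower(): {"enabledForTemplateDeployment": False,
                             "secrets": ["dbAdministratorLoginPassword"]}}

VAULT_ID_RE = re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+"
                         r"/providers/Microsoft\.KeyVault/vaults/[^/]+$", re.IGNORECASE)


def key_vault_references(parameters_text):
    # Yield (parameter name, vault id, secret name) for every KeyVault reference.
    doc = json.loads(parameters_text)
    for name, param in doc.get("parameters", {}).items():
        ref = param.get("reference") or {}
        if "keyVault" in ref:
            yield name, ref["keyVault"].get("id", ""), ref.get("secretName", "")


def preflight(parameters_text, vaults=VAULTS):
    # Return the problems that would make ARM fail to resolve a reference.
    problems = []
    for name, vault_id, secret in key_vault_references(parameters_text):
        if not VAULT_ID_RE.match(vault_id):
            problems.append(f"{name}: malformed vault id {vault_id!r}")
            continue
        vault = vaults.get(vault_id.lower())  # ARM resource ids compare case-insensitively
        if vault is None:
            problems.append(f"{name}: vault not found (check id, subscription and permissions)")
        elif not vault["enabledForTemplateDeployment"]:
            problems.append(f"{name}: vault is not enabledForTemplateDeployment")
        elif secret not in vault["secrets"]:
            problems.append(f"{name}: secret {secret!r} not in vault")
    return problems
```

Running `preflight(PARAMETERS_JSON)` against the constructed vault reports the same root cause the answer names, before ARM produces the opaque deserialization error.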
