Sergey
Reputation: 391
"The resource identifier of the KeyVault parameter '' is invalid" error during ARM template deployment
I have a template (param+template file).
Param file has the following code:
"sqlServerAdminLoginPassword": {
"reference": {
"keyVault": {
"id": "[resourceId(subscription().subscriptionId, parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"
},
"secretName": "sqlAdminPassword"
}
During the deployment (from VS2017) the following error occurs:
00:17:22 -
00:17:22 - VERBOSE: Performing the operation "Creating Deployment" on target "XXXXXXXX".
00:17:23 - New-AzureRmResourceGroupDeployment : 12:17:23 AM - Error: Code=KeyVaultParameterReferenceInvalidResourceId;
00:17:23 - Message=The resource identifier of the KeyVault parameter 'sqlAdminPassword' is invalid. Please specify the value following
00:17:23 - 'subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}'
00:17:23 - format. See https://aka.ms/arm-keyvault for usage details.
00:17:23 - At ######################
00:17:23 - ###\Deploy-AzureResourceGroup.ps1:108 char:5
00:17:23 - + New-AzureRmResourceGroupDeployment -Name ((Get-ChildItem $Templat ...
00:17:23 - + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
00:17:23 - + CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
00:17:23 - + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep
00:17:23 - loymentCmdlet
00:17:23 -
00:17:23 - New-AzureRmResourceGroupDeployment : The deployment validation failed
00:17:23 - At ######################
00:17:23 - ###\Deploy-AzureResourceGroup.ps1:108 char:5
00:17:23 - + New-AzureRmResourceGroupDeployment -Name ((Get-ChildItem $Templat ...
00:17:23 - + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
00:17:23 - + CategoryInfo : CloseError: (:) [New-AzureRmResourceGroupDeployment], InvalidOperationException
00:17:23 - + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep
00:17:23 - loymentCmdlet
00:17:23 -
00:17:24 -
00:17:24 - Template deployment returned the following errors:
00:17:24 - 12:17:23 AM - Error: Code=KeyVaultParameterReferenceInvalidResourceId; Message=The resource identifier of the KeyVault parameter 'sqlAdminPassword' is invalid. Please specify the value following 'subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}' format. See https://aka.ms/arm-keyvault for usage details.
00:17:24 - The deployment validation failed
00:17:24 -
00:17:24 -
00:17:24 - Deploying template using PowerShell script failed.
00:17:24 - Tell us about your experience at https://go.microsoft.com/fwlink/?LinkId=691202
According to the following article and the following template file I should be able to use the same construction, however, it doesn't work.
What can be wrong here?
P.S. Indeed, the resources, and parameters (like keyvaultRG or KeyVaultName) are present (and exist).
P.P.S. The following and following issues exist on Github but still unasnwered\unassigned...
Upd:
Template
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"appServicePlanName": {
"type": "string"
},
"workerSize": {
"type": "string"
},
"sku": {
"type": "string"
},
"skuCode": {
"type": "string"
},
"SQLserverName": {
"type": "string"
},
"sqlServerAdminLogin": {
"type": "string"
},
"sqlServerAdminLoginPassword": {
"type": "securestring"
},
"sqlDatabaseName": {
"type": "string"
},
"edition": {
"type": "string"
},
"collation": {
"type": "string"
},
"maxSizeBytes": {
"type": "string"
},
"requestedServiceObjectiveName": {
"type": "string"
},
"sampleName": {
"type": "string"
},
"zoneRedundant": {
"type": "bool"
},
"siteName": {
"type": "string"
},
"appType": {
"type": "string"
},
"KeyVaultName": {
"type": "string"
},
"mailAccount": {
"type": "securestring"
},
"mailPassword": {
"type": "securestring"
},
"keyvaultRG": {
"type": "string"
}
},
"variables": {
},
"resources": [
{
"apiVersion": "2016-09-01",
"name": "[parameters('appServicePlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"properties": {
"name": "[parameters('appServicePlanName')]",
"workerSizeId": "[parameters('workerSize')]",
"numberOfWorkers": "[parameters('workerSize')]"
},
"sku": {
"Tier": "[parameters('sku')]",
"Name": "[parameters('skuCode')]"
}
},
{
"apiVersion": "2015-05-01-preview",
"location": "[resourceGroup().location]",
"type": "Microsoft.Sql/servers",
"name": "[parameters('SQLserverName')]",
"properties": {
"administratorLogin": "[parameters('sqlServerAdminLogin')]",
"administratorLoginPassword": "[parameters('sqlServerAdminLoginPassword')]",
"version": "12.0"
},
"resources": [
{
"apiVersion": "2014-04-01-preview",
"type": "firewallrules",
"location": "[resourceGroup().location]",
"name": "AllowAllWindowsAzureIps",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('SQLserverName'))]"
],
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
}
},
{
"name": "[concat(parameters('SQLserverName'),'/',parameters('sqlDatabaseName'))]",
"type": "Microsoft.Sql/servers/databases",
"location": "[resourceGroup().location]",
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('SQLserverName'))]"
],
"properties": {
"edition": "[parameters('edition')]",
"collation": "[parameters('collation')]",
"maxSizeBytes": "[parameters('maxSizeBytes')]",
"requestedServiceObjectiveName": "[parameters('requestedServiceObjectiveName')]",
"sampleName": "[parameters('sampleName')]",
"zoneRedundant": "[parameters('zoneRedundant')]"
}
}
]
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2016-03-01",
"name": "[parameters('siteName')]",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]": "empty"
},
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]",
"[resourceId('microsoft.insights/components/', parameters('siteName'))]"
],
"properties": {
"siteConfig": {
"alwaysOn": true,
"use32BitWorkerProcess": false,
"httpsOnly": true,
"connectionStrings": [
{
"name": "defaultConnection",
"ConnectionString": "[concat(concat('Data Source=tcp:' ,reference(concat(parameters('SQLserverName')),'2015-05-01-preview').fullyQualifiedDomainName ,',1433;'),concat('Initial Catalog=',parameters('sqlDatabaseName'),';'),concat('User Id=',concat(parameters('sqlServerAdminLogin')),'@',reference(concat(parameters('sqlServerName')), '2015-05-01-preview').fullyQualifiedDomainName,';'),concat('Password=',parameters('sqlServerAdminLoginPassword'),';'))]",
"type": "SQLAzure"
}
],
"appSettings": []
},
"name": "[parameters('siteName')]",
"serverFarmId": "[concat(resourceGroup().id,'/providers/Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]"
},
"resources": [
{
"apiVersion": "2015-08-01",
"name": "logs",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', parameters('siteName'))]"
],
"properties": {
"applicationLogs": {
"fileSystem": {
"level": "Verbose"
}
},
"httpLogs": {
"fileSystem": {
"retentionInMb": 100,
"retentionInDays": 90,
"enabled": true
}
},
"failedRequestsTracing": {
"enabled": true
},
"detailedErrorMessages": {
"enabled": true
}
}
}
]
},
],
"outputs": {
}
}
Param
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"appServicePlanName": {
"type": "string",
"value": "AppSvcPlan"
},
"workerSize": {
"type": "string",
"value": "0"
},
"sku": {
"type": "string",
"value": "Standard"
},
"skuCode": {
"type": "string",
"value": "S1"
},
"SQLserverName": {
"type": "string",
"value": "SQLSrv"
},
"sqlServerAdminLogin": {
"type": "string",
"value": "dbuser"
},
"sqlServerAdminLoginPassword": {
"reference": {
"keyVault": {
"id": "[resourceId(parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"
},
"secretName": "sqlAdminPassword"
}
},
"sqlDatabaseName": {
"type": "string",
"value": "SQLDB"
},
"edition": {
"type": "string",
"value": "Standard"
},
"collation": {
"type": "string",
"value": "SQL_Latin1_General_CP1_CI_AS"
},
"maxSizeBytes": {
"type": "string",
"value": "268435456000"
},
"requestedServiceObjectiveName": {
"type": "string",
"value": "S3"
},
"sampleName": {
"type": "string",
"value": ""
},
"zoneRedundant": {
"type": "bool",
"value": false
},
"siteName": {
"type": "string",
"value": "AppName"
},
"appType": {
"type": "string",
"value": "web"
},
"KeyVaultName": {
"type": "string",
"value": "keyvault"
},
"mailAccount": {
"reference": {
"keyVault": {
"id": "[resourceId(parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"
},
"secretName": "mailAccount"
}
},
"mailPassword": {
"reference": {
"keyVault": {
"id": "[resourceId(parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"
},
"secretName": "mailPassword"
}
},
"keyvaultRG": {
"type": "string",
"value": "KeyVaultRG"
}
}
}
Upvotes: 1
Views: 4715
Answers (1)
4c74356b41
Reputation: 72151
The error clearly says: KeyVaultParameterReferenceInvalidResourceId
First of all, i'd shorten the reference:
"[resourceId(parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"
No point in specifying subscription if its the same. And my second point would be to ask you to provide the template you are using and parameters file, because the articles you reference are using nested template to achieve that, not parameters file. Also you should check your Azure Powershell version and update it.
Probably not use VS2017 to deploy it as well.
Another thing that can mess this up - kv permissions (this doesnt look like your case, but...) you need to enable KV for template deployments.
ok. it appears you cannot use expressions in KV id when its in parameters file. 2 workarounds:
- use powershell to construct resourceId and put it in parameters file
- use nested deployments, you can use resourceId there.
Upvotes: 3
Related Questions
- Issue with KeyVault reference in ARM template
- ARM template dependsOn on a keyvault access policy
- azure arm template deploying azure key vault extension to a VM
- Error when deploying ARM template that includes certificate stored in key vault
- referencing a KeyVault secret in an ARM template fails with 'The resource is not defined in the template'
- Why is it not possible to create an Azure Key vault key with ARM templates?
- Deploy azure key vault secret using arm template gives error
- ARM Template with Key Vault certificate
- Linked ARM templates result in Invalid Template
- The KeyVault API rest call failed as part of ARM deployment