Aleksey

Reputation: 320

Azure KeyVault Access Policy exception when creating service fabric cluster with PowerShell using New-AzureRmServiceFabricCluster

I am trying to create an Azure Service Fabric cluster using PowerShell script described here: https://learn.microsoft.com/en-us/azure/service-fabric/scripts/service-fabric-powershell-create-secure-cluster-cert

The script creates everything (including Key Vault) in one step by calling New-AzureRmServiceFabricCluster command.

After setting the variables and running the script in PowerShell I am getting this warning and then exception:

WARNING: Access policy is not set. No user or application have access permission to use this vault. Please use Set-AzureRmKeyVaultAccessPolicy to set access policies.
New-AzureRmServiceFabricCluster : 10:00:24 AM - System.AggregateException: One or more errors occurred. ---> 
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
   at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Microsoft.Azure.Commands.ServiceFabric.Commands.ServiceFabricClusterCertificateCmdlet.CreateSelfSignedCertificate(String subjectName, String 
keyVaultUrl, String& thumbprint, CertificateBundle& certificateBundle, String& outputFilePath)
---> (Inner Exception #0) Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
   at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()<---
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmServiceFabricCluster], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster

New-AzureRmServiceFabricCluster : One or more errors occurred.
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzureRmServiceFabricCluster], AggregateException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster

In the portal when browsing the resource group I can see the KeyVault actually created, though nothing else.

This is really strange because I don't have a chance to set up an access policy before the Key Vault is created.

I tried creating the access policy on the created Key Vault and ran the script again: the same error.

I am sure that I am the owner of the subscription and have all admin rights. Does anybody know what's going on here?

Upvotes: 0

Views: 461

Answers (1)

Aleksey

Reputation: 320

I have finally figured this out.

This happened because I have two Azure subscriptions under different user accounts, and I have previously run Azure PowerShell scripts for both of them. PowerShell remembered my sessions and, while creating the cluster, somehow mixed them up, applying the wrong credentials.

The fix for that is to clean up the PowerShell sessions:

Clear-AzureRmContext -Scope CurrentUser

This fixed it for me.

Upvotes: 1
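An added example, not code from the question or the answer above, of how I would wrap the fix so it cannot silently recur: list the cached AzureRM contexts, clear them, sign in once, pin the subscription, and abort before any resource is created if the active account or subscription is not the one the script was written for. It also inspects the access policies of a vault left behind by an earlier failed run and grants the signed-in user certificate rights before retrying. The $expected* values, the resource group, the vault name and the script path are placeholders for your own environment; the cmdlets are standard AzureRM ones (Connect-AzureRmAccount is named Login-AzureRmAccount on AzureRM versions before 5.0).

```powershell
# Added example (not from the original post): make sure the AzureRM session that
# creates the cluster belongs to the account you expect before
# New-AzureRmServiceFabricCluster touches Key Vault.

$expectedAccount      = 'admin@contoso.onmicrosoft.com'             # assumption: your sign-in UPN
$expectedSubscription = '00000000-0000-0000-0000-000000000000'      # assumption: target subscription id
$resourceGroup        = 'sf-rg'                                     # assumption: resource group of the cluster
$keyVaultName         = 'sf-kv-contoso'                             # assumption: vault name used by the script

# 1. Show what is cached right now; stale contexts from other accounts show up here.
Get-AzureRmContext -ListAvailable | Format-Table Name, Account, Tenant, Subscription -AutoSize

# 2. Drop every cached context for this user, then sign in once, interactively.
Clear-AzureRmContext -Scope CurrentUser -Force
Connect-AzureRmAccount | Out-Null

# 3. Pin the subscription explicitly instead of relying on whichever one is "default".
Set-AzureRmContext -SubscriptionId $expectedSubscription | Out-Null

# 4. Fail closed if the active identity is not the one the script was written for.
$ctx = Get-AzureRmContext
if ($ctx.Account.Id -ne $expectedAccount -or $ctx.Subscription.Id -ne $expectedSubscription) {
    throw "Unexpected context: account '$($ctx.Account.Id)' in subscription '$($ctx.Subscription.Id)'. Aborting before any resources are created."
}
Write-Host "Running as $($ctx.Account.Id) (tenant $($ctx.Tenant.Id), subscription $($ctx.Subscription.Id))"

# 5. If a vault survived an earlier failed run, show who has access to it and grant the
#    signed-in user the certificate permissions the cmdlet needs before retrying.
#    If no vault exists, New-AzureRmServiceFabricCluster creates a fresh one itself.
$kv = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroup -ErrorAction SilentlyContinue
if ($kv) {
    $kv.AccessPolicies | Format-Table DisplayName, ObjectId, PermissionsToCertificates -AutoSize
    Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName `
        -UserPrincipalName $ctx.Account.Id `
        -PermissionsToCertificates get,list,create,import `
        -PermissionsToSecrets get,list,set
}

# 6. Only now run the cluster creation script (path is a placeholder).
& 'C:\path\to\Create_SF_Secure_Cluster.ps1'
```

The throw in step 4 is the part worth keeping even after the immediate problem is gone: a provisioning script that creates a vault and issues a cluster certificate should refuse to run under any identity other than the one it was reviewed for, rather than discovering the mismatch through a 'Forbidden' from Key Vault after some resources already exist.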
