Reputation: 21
I am attempting to deploy the Key Vault extension to a VM using an Azure ARM template, based on this link: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows.
I get this error when attempting to provision the extension:
Template deployment returned the following errors:
08:57:27 - 8:57:26 AM - Resource Microsoft.Compute/virtualMachines/extensions 'dcsvm1/test' failed with message '{
08:57:27 -   "status": "Failed",
08:57:27 -   "error": {
08:57:27 -     "code": "ResourceDeploymentFailure",
08:57:27 -     "message": "The resource operation completed with terminal provisioning state 'Failed'.",
08:57:27 -     "details": [
08:57:27 -       {
08:57:27 -         "code": "VMExtensionProvisioningError",
08:57:27 -         "message": "VM has reported a failure when processing extension 'test'. Error message: "Failed to parse the configuration settings with: 'not an array'"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot "
08:57:27 -       }
08:57:27 -     ]
> Here is the ARM template JSON:
> {
>   "type": "Microsoft.Compute/virtualMachines/extensions",
>   "name": "dcsvm1/test",
>   "apiVersion": "2019-07-01",
>   "location": "[parameters('location')]",
>   "dependsOn": [
>     "[resourceId('Microsoft.Compute/VirtualMachines', parameters('virtualmachinename'))]"
>   ],
>   "properties": {
>     "publisher": "Microsoft.Azure.KeyVault",
>     "type": "KeyVaultForWindows",
>     "typeHandlerVersion": "1.0",
>     "settings": {
>       "secretsManagementSettings": {
>         "pollingIntervalIns": "3600",
>         "certificateStoreName": "MY",
>         "linkOnRenewal": "false",
>         "certificateStoreLocation": "LocalMachine",
>         //"requireInitialSync": "true",
>         //"observedCertificates": "https://testkvdsc.vault.azure.net:443/certificates/wildcard/9817edfba5124579b75649f51902ef99",
>         "observedCertificates": "https://testkvdsc.vault.azure.net:443/secrets/wildcard"
>       }
>     }
>   }
> },
I have been able to add the extension after the VM is created using PowerShell, but I would much rather have it installed via the ARM template.
Upvotes: 1
Views: 1641
Reputation: 23111
If you want to install the Azure Key Vault extension on an Azure VM via an ARM template, the template should be as below. Please update observedCertificates to an array and linkOnRenewal to a boolean.
"resources": [
  {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "name": "[concat(parameters('VMName'), '/KeyVaultForWindows')]",
    "apiVersion": "2019-07-01",
    "location": "[parameters('location')]",
    "properties": {
      "publisher": "Microsoft.Azure.KeyVault",
      "type": "KeyVaultForWindows",
      "typeHandlerVersion": "1.0",
      "autoUpgradeMinorVersion": true,
      "settings": {
        "secretsManagementSettings": {
          "pollingIntervalInS": "3600",
          "certificateStoreName": "MY",
          "linkOnRenewal": false,
          "certificateStoreLocation": "LocalMachine",
          "observedCertificates": ["", ""]
        }
      }
    }
  }
]
Regarding the details of how to install the extension, please refer to the following steps. Meanwhile, you can refer to the official document.
1. Enable MSI for the VM.
2. The Key Vault access policy must be set with secrets get and list permission for the VM/VMSS managed identity to retrieve the secret portion of the certificate.
3. Install the extension.
My template is as below:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": {
      "type": "string",
      "defaultValue": ""
    },
    "VMName": {
      "type": "string",
      "defaultValue": ""
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "[subscription().tenantId]"
    },
    "location": {
      "type": "string",
      "defaultValue": ""
    }
  },
  "resources": [
    {
      "name": "[parameters('VMName')]",
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2020-06-01",
      "location": "[parameters('location')]",
      "identity": {
        "type": "SystemAssigned"
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "nestedTemplate1",
      "resourceGroup": "<key vault resource group>",
      "dependsOn": [
        "[resourceId('Microsoft.Compute/virtualMachines/', parameters('VMName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults/accessPolicies",
              "name": "[concat(parameters('vaultName'), '/add')]",
              "apiVersion": "2019-09-01",
              "properties": {
                "accessPolicies": [
                  {
                    "tenantId": "[parameters('tenantId')]",
                    "objectId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', parameters('VMName')), '2020-06-01', 'full').identity.principalId]",
                    "permissions": {
                      "keys": ["all"],
                      "secrets": ["all"],
                      "certificates": ["all"],
                      "storage": ["all"]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "[concat(parameters('VMName'), '/KeyVaultForWindows')]",
      "apiVersion": "2019-07-01",
      "location": "[parameters('location')]",
      "dependsOn": [
        "nestedTemplate1"
      ],
      "properties": {
        "publisher": "Microsoft.Azure.KeyVault",
        "type": "KeyVaultForWindows",
        "typeHandlerVersion": "1.0",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "secretsManagementSettings": {
            "pollingIntervalInS": "3600",
            "certificateStoreName": "MY",
            "linkOnRenewal": false,
            "certificateStoreLocation": "LocalMachine",
            "observedCertificates": [""]
          }
        }
      }
    }
  ],
  "outputs": {}
}
Upvotes: 1
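The "not an array" failure in the question only surfaces once the extension handler runs on the VM, after the VM and the access policy have already been deployed. The following script is an added pre-deployment check, not part of the question or of either answer: it walks a template (recursing into nested deployments), verifies that every KeyVaultForWindows extension carries secretsManagementSettings with the JSON types the answer above describes (observedCertificates as an array of strings, linkOnRenewal as a boolean), flags mis-cased keys such as the question's pollingIntervalIns, and compares each Key Vault access policy against the answer's own statement that the extension's managed identity needs only secrets get and list. The expected-type table, the placeholder vault URL and the two sample resources are constructed for this example; the set of required permissions is taken from the answer, not from any Azure API.

```python
"""Pre-deployment lint for the KeyVaultForWindows extension block of an ARM
template and for the Key Vault access policy that goes with it.  Added example;
the sample resources below are constructed, not a real deployment."""
import json

# Expected JSON types inside settings.secretsManagementSettings (assumption based
# on the corrected template in the answer: array, boolean, strings).
EXPECTED_TYPES = {
    "observedCertificates": list,
    "linkOnRenewal": bool,
    "pollingIntervalInS": str,
    "certificateStoreName": str,
    "certificateStoreLocation": str,
}
# The answer states the extension's identity needs secrets get and list only.
REQUIRED_SECRET_PERMISSIONS = {"get", "list"}

EXTENSION_TYPE = "Microsoft.Compute/virtualMachines/extensions"
POLICY_TYPE = "Microsoft.KeyVault/vaults/accessPolicies"
DEPLOYMENT_TYPE = "Microsoft.Resources/deployments"


def check_extension_settings(resource):
    """Return the list of problems found in one extension resource ([] = OK)."""
    problems = []
    props = resource.get("properties", {})
    if props.get("publisher") != "Microsoft.Azure.KeyVault":
        problems.append("publisher must be Microsoft.Azure.KeyVault")
    sms = props.get("settings", {}).get("secretsManagementSettings")
    if not isinstance(sms, dict):
        return problems + ["settings.secretsManagementSettings is missing"]
    # Unknown keys are silently ignored by the handler; catch case slips here.
    by_lower = {k.lower(): k for k in EXPECTED_TYPES}
    for key in sms:
        if key not in EXPECTED_TYPES:
            hint = by_lower.get(key.lower())
            problems.append(f"unknown key '{key}'" + (f" (did you mean '{hint}'?)" if hint else ""))
    # Wrong JSON types are what produce "not an array" at provisioning time.
    for key, expected in EXPECTED_TYPES.items():
        if key not in sms:
            problems.append(f"'{key}' is missing")
        elif not isinstance(sms[key], expected):
            problems.append(f"'{key}' must be a JSON {expected.__name__}, got {type(sms[key]).__name__}")
    certs = sms.get("observedCertificates")
    if isinstance(certs, list):
        for i, url in enumerate(certs):
            if not isinstance(url, str) or not url.startswith("https://"):
                problems.append(f"observedCertificates[{i}] must be an https:// Key Vault secret URL")
    return problems


def check_access_policy(policy):
    """Return problems for one entry of an accessPolicies array: missing get/list
    on secrets, or anything wider than that (least privilege for the extension)."""
    problems = []
    perms = policy.get("permissions", {})
    secrets = {p.lower() for p in perms.get("secrets", [])}
    if "all" in secrets:
        problems.append("secrets: 'all' granted; the extension needs only get and list")
    else:
        missing = REQUIRED_SECRET_PERMISSIONS - secrets
        if missing:
            problems.append(f"secrets: missing {sorted(missing)}")
        extra = secrets - REQUIRED_SECRET_PERMISSIONS
        if extra:
            problems.append(f"secrets: {sorted(extra)} granted but not needed")
    for category in ("keys", "certificates", "storage"):
        if perms.get(category):
            problems.append(f"{category}: {perms[category]} granted but not needed by the extension")
    return problems


def check_template(template):
    """Map resource name -> problems for every extension / access-policy resource,
    descending into nested Microsoft.Resources/deployments templates."""
    report = {}
    for res in template.get("resources", []):
        rtype, name = res.get("type"), res.get("name", "?")
        if rtype == EXTENSION_TYPE and res.get("properties", {}).get("type") == "KeyVaultForWindows":
            report[name] = check_extension_settings(res)
        elif rtype == POLICY_TYPE:
            found = []
            for pol in res.get("properties", {}).get("accessPolicies", []):
                found += check_access_policy(pol)
            report[name] = found
        elif rtype == DEPLOYMENT_TYPE:
            report.update(check_template(res.get("properties", {}).get("template", {})))
    return report


# Constructed samples: the shape of the question's block (string instead of
# array, string "false", mis-cased key) and a corrected one with a placeholder URL.
BROKEN = json.loads("""{"type": "Microsoft.Compute/virtualMachines/extensions", "name": "dcsvm1/test",
 "properties": {"publisher": "Microsoft.Azure.KeyVault", "type": "KeyVaultForWindows",
  "settings": {"secretsManagementSettings": {"pollingIntervalIns": "3600", "certificateStoreName": "MY",
   "linkOnRenewal": "false", "certificateStoreLocation": "LocalMachine",
   "observedCertificates": "https://<vault-name>.vault.azure.net/secrets/<secret-name>"}}}}""")
FIXED = json.loads("""{"type": "Microsoft.Compute/virtualMachines/extensions", "name": "dcsvm1/fixed",
 "properties": {"publisher": "Microsoft.Azure.KeyVault", "type": "KeyVaultForWindows",
  "settings": {"secretsManagementSettings": {"pollingIntervalInS": "3600", "certificateStoreName": "MY",
   "linkOnRenewal": false, "certificateStoreLocation": "LocalMachine",
   "observedCertificates": ["https://<vault-name>.vault.azure.net/secrets/<secret-name>"]}}}}""")

if __name__ == "__main__":
    for name, problems in check_template({"resources": [BROKEN, FIXED]}).items():
        print(name, "->", problems or "OK")
```

Run it against a real template with `check_template(json.load(open("template.json")))` before deploying; a non-empty list for the extension resource is the same mistake Azure would report after the VM is up, and a non-empty list for the access policy is a grant wider than the answer says the extension needs.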
Reputation: 4438
I’d guess that your error is with observedCertificates which, according to this document, should be an array of strings rather than a single string. Try surrounding the string with square brackets.
Upvotes: 0