
“The resource identifier of the KeyVault parameter '' is invalid” error during ARM template deployment

I have a template (param+template file).
Param file has the following code:

  "sqlServerAdminLoginPassword": {
    "reference": {
      "keyVault": {
        "id": "[resourceId(subscription().subscriptionId, parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"
      },
      "secretName": "sqlAdminPassword"
    }
  }

During the deployment (from VS2017) the following error occurs:

00:17:22 - 
00:17:22 - VERBOSE: Performing the operation "Creating Deployment" on target "XXXXXXXX".
00:17:23 - New-AzureRmResourceGroupDeployment : 12:17:23 AM - Error: Code=KeyVaultParameterReferenceInvalidResourceId; 
00:17:23 - Message=The resource identifier of the KeyVault parameter 'sqlAdminPassword' is invalid. Please specify the value following 
00:17:23 - 'subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}' 
00:17:23 - format. See https://aka.ms/arm-keyvault for usage details.
00:17:23 - At ######################
00:17:23 - ###\Deploy-AzureResourceGroup.ps1:108 char:5
00:17:23 - +     New-AzureRmResourceGroupDeployment -Name ((Get-ChildItem $Templat ...
00:17:23 - +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
00:17:23 -     + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
00:17:23 -     + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep 
00:17:23 -    loymentCmdlet
00:17:23 -  
00:17:23 - New-AzureRmResourceGroupDeployment : The deployment validation failed
00:17:23 - At ######################
00:17:23 - ###\Deploy-AzureResourceGroup.ps1:108 char:5
00:17:23 - +     New-AzureRmResourceGroupDeployment -Name ((Get-ChildItem $Templat ...
00:17:23 - +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
00:17:23 -     + CategoryInfo          : CloseError: (:) [New-AzureRmResourceGroupDeployment], InvalidOperationException
00:17:23 -     + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep 
00:17:23 -    loymentCmdlet
00:17:23 -  
00:17:24 - 
00:17:24 - Template deployment returned the following errors:
00:17:24 - 12:17:23 AM - Error: Code=KeyVaultParameterReferenceInvalidResourceId; Message=The resource identifier of the KeyVault parameter 'sqlAdminPassword' is invalid. Please specify the value following 'subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}' format. See https://aka.ms/arm-keyvault for usage details.
00:17:24 - The deployment validation failed
00:17:24 - 
00:17:24 - 
00:17:24 - Deploying template using PowerShell script failed.
00:17:24 - Tell us about your experience at https://go.microsoft.com/fwlink/?LinkId=691202

According to the following article and the following template file I should be able to use the same construction, however, it doesn't work.

What can be wrong here?

PS Indeed, the resources, and parameters (like keyvaultRG or KeyVaultName) are present (and exist).

PPS The following and following issues exist on GitHub but are still unanswered\unassigned...

Upd:

Template

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appServicePlanName": {
      "type": "string"
    },
    "workerSize": {
      "type": "string"
    },
    "sku": {
      "type": "string"
    },
    "skuCode": {
      "type": "string"
    },
    "SQLserverName": {
      "type": "string"
    },
    "sqlServerAdminLogin": {
      "type": "string"
    },
    "sqlServerAdminLoginPassword": {
      "type": "securestring"
    },
    "sqlDatabaseName": {
      "type": "string"
    },
    "edition": {
      "type": "string"
    },
    "collation": {
      "type": "string"
    },
    "maxSizeBytes": {
      "type": "string"
    },
    "requestedServiceObjectiveName": {
      "type": "string"
    },
    "sampleName": {
      "type": "string"
    },
    "zoneRedundant": {
      "type": "bool"
    },
    "siteName": {
      "type": "string"
    },
    "appType": {
      "type": "string"
    },
    "KeyVaultName": {
      "type": "string"
    },    
    "mailAccount": {
      "type": "securestring"
    },
    "mailPassword": {
      "type": "securestring"
    },
    "keyvaultRG": {
      "type": "string"
    }
  },
  "variables": {
  },
  "resources": [
    {
      "apiVersion": "2016-09-01",
      "name": "[parameters('appServicePlanName')]",
      "type": "Microsoft.Web/serverfarms",
      "location": "[resourceGroup().location]",
      "properties": {
        "name": "[parameters('appServicePlanName')]",
        "workerSizeId": "[parameters('workerSize')]",
        "numberOfWorkers": "[parameters('workerSize')]"
      },
      "sku": {
        "Tier": "[parameters('sku')]",
        "Name": "[parameters('skuCode')]"
      }
    },
    {
      "apiVersion": "2015-05-01-preview",
      "location": "[resourceGroup().location]",
      "type": "Microsoft.Sql/servers",
      "name": "[parameters('SQLserverName')]",
      "properties": {
        "administratorLogin": "[parameters('sqlServerAdminLogin')]",
        "administratorLoginPassword": "[parameters('sqlServerAdminLoginPassword')]",
        "version": "12.0"
      },
      "resources": [
        {
          "apiVersion": "2014-04-01-preview",
          "type": "firewallrules",
          "location": "[resourceGroup().location]",
          "name": "AllowAllWindowsAzureIps",
          "dependsOn": [
            "[concat('Microsoft.Sql/servers/', parameters('SQLserverName'))]"
          ],
          "properties": {
            "endIpAddress": "0.0.0.0",
            "startIpAddress": "0.0.0.0"
          }
        },
        {
          "name": "[concat(parameters('SQLserverName'),'/',parameters('sqlDatabaseName'))]",
          "type": "Microsoft.Sql/servers/databases",
          "location": "[resourceGroup().location]",
          "apiVersion": "2014-04-01-preview",
          "dependsOn": [
            "[concat('Microsoft.Sql/servers/', parameters('SQLserverName'))]"
          ],
          "properties": {
            "edition": "[parameters('edition')]",
            "collation": "[parameters('collation')]",
            "maxSizeBytes": "[parameters('maxSizeBytes')]",
            "requestedServiceObjectiveName": "[parameters('requestedServiceObjectiveName')]",
            "sampleName": "[parameters('sampleName')]",
            "zoneRedundant": "[parameters('zoneRedundant')]"
          }
        }
      ]
    },
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-03-01",
      "name": "[parameters('siteName')]",
      "location": "[resourceGroup().location]",
      "tags": {
        "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]": "empty"
      },
      "dependsOn": [
        "[concat('Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]",
        "[resourceId('microsoft.insights/components/', parameters('siteName'))]"
      ],
      "properties": {
        "siteConfig": {
          "alwaysOn": true,
          "use32BitWorkerProcess": false,
          "httpsOnly": true,
          "connectionStrings": [
            {
              "name": "defaultConnection",
              "ConnectionString": "[concat(concat('Data Source=tcp:' ,reference(concat(parameters('SQLserverName')),'2015-05-01-preview').fullyQualifiedDomainName ,',1433;'),concat('Initial Catalog=',parameters('sqlDatabaseName'),';'),concat('User Id=',concat(parameters('sqlServerAdminLogin')),'@',reference(concat(parameters('sqlServerName')), '2015-05-01-preview').fullyQualifiedDomainName,';'),concat('Password=',parameters('sqlServerAdminLoginPassword'),';'))]",
              "type": "SQLAzure"
            }
          ],
          "appSettings": []
        },
        "name": "[parameters('siteName')]",
        "serverFarmId": "[concat(resourceGroup().id,'/providers/Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]"
      },
      "resources": [
        {
          "apiVersion": "2015-08-01",
          "name": "logs",
          "type": "config",
          "dependsOn": [
            "[resourceId('Microsoft.Web/Sites', parameters('siteName'))]"
          ],
          "properties": {
            "applicationLogs": {
              "fileSystem": {
                "level": "Verbose"
              }
            },
            "httpLogs": {
              "fileSystem": {
                "retentionInMb": 100,
                "retentionInDays": 90,
                "enabled": true
              }
            },
            "failedRequestsTracing": {
              "enabled": true
            },
            "detailedErrorMessages": {
              "enabled": true
            }
          }
        }
      ]
    }
  ],
  "outputs": {
  }
}

Param

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appServicePlanName": {
      "type": "string",
      "value": "AppSvcPlan"
    },
    "workerSize": {
      "type": "string",
      "value": "0"
    },
    "sku": {
      "type": "string",
      "value": "Standard"
    },
    "skuCode": {
      "type": "string",
      "value": "S1"
    },
    "SQLserverName": {
      "type": "string",
      "value": "SQLSrv"
    },
    "sqlServerAdminLogin": {
      "type": "string",
      "value": "dbuser"
    },
    "sqlServerAdminLoginPassword": {
      "reference": {
        "keyVault": {
          "id": "[resourceId(parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"
        },
        "secretName": "sqlAdminPassword"
      }
    },
    "sqlDatabaseName": {
      "type": "string",
      "value": "SQLDB"
    },
    "edition": {
      "type": "string",
      "value": "Standard"
    },
    "collation": {
      "type": "string",
      "value": "SQL_Latin1_General_CP1_CI_AS"
    },
    "maxSizeBytes": {
      "type": "string",
      "value": "268435456000"
    },
    "requestedServiceObjectiveName": {
      "type": "string",
      "value": "S3"
    },
    "sampleName": {
      "type": "string",
      "value": ""
    },
    "zoneRedundant": {
      "type": "bool",
      "value": false
    },
    "siteName": {
      "type": "string",
      "value": "AppName"
    },
    "appType": {
      "type": "string",
      "value": "web"
    },
    "KeyVaultName": {
      "type": "string",
      "value": "keyvault"
    },
    "mailAccount": {
      "reference": {
        "keyVault": {
          "id": "[resourceId(parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"
        },
        "secretName": "mailAccount"
      }
    },
    "mailPassword": {
      "reference": {
        "keyVault": {
          "id": "[resourceId(parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"
        },
        "secretName": "mailPassword"
      }
    },
    "keyvaultRG": {
      "type": "string",
      "value": "KeyVaultRG"
    }
  }
}

The error clearly says: KeyVaultParameterReferenceInvalidResourceId

First of all, I'd shorten the reference:

"[resourceId(parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"

No point in specifying the subscription if it's the same. And my second point would be to ask you to provide the template you are using and the parameters file, because the articles you reference are using a nested template to achieve that, not a parameters file. Also you should check your Azure PowerShell version and update it.

Probably not use VS2017 to deploy it as well.
Another thing that can mess this up - KV permissions (this doesn't look like your case, but...) you need to enable KV for template deployments.

OK, it appears you cannot use expressions in the KV id when it's in the parameters file. 2 workarounds:

  1. use PowerShell to construct the resourceId and put it in the parameters file
  2. use nested deployments, you can use resourceId there.
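
The first workaround, as an added example that is not part of the original answer: a PowerShell function that replaces every Key Vault `id` written as a template expression with the literal resource id, so the parameter file can be passed to the deployment cmdlet unchanged otherwise. The function name `Resolve-KeyVaultReferenceId`, the sample JSON and the all-zero subscription GUID are constructed for illustration.

```powershell
# Added example (hypothetical helper, not from the original post).
function Resolve-KeyVaultReferenceId {
    param(
        [Parameter(Mandatory)] [string] $ParameterJson,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VaultName
    )

    # Literal id in the format the error message asks for.
    $vaultId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
               "/providers/Microsoft.KeyVault/vaults/$VaultName"

    $doc = $ParameterJson | ConvertFrom-Json
    foreach ($p in $doc.parameters.PSObject.Properties) {
        $kv = $p.Value.reference.keyVault
        # Expressions ("[...]") are not evaluated inside a parameter file,
        # so any id that starts with '[' is replaced by the literal id.
        if ($kv -and ([string]$kv.id).StartsWith('[')) {
            $kv.id = $vaultId
        }
    }
    $doc | ConvertTo-Json -Depth 10
}

# Constructed sample input, trimmed from the parameter file in the question.
$sample = @'
{
  "parameters": {
    "sqlServerAdminLogin": { "value": "dbuser" },
    "sqlServerAdminLoginPassword": {
      "reference": {
        "keyVault": { "id": "[resourceId(parameters('keyvaultRG'), 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]" },
        "secretName": "sqlAdminPassword"
      }
    }
  }
}
'@

# Placeholder subscription id; with a signed-in session the literal id can be
# read from the ResourceId property of the object Get-AzureRmKeyVault returns.
Resolve-KeyVaultReferenceId -ParameterJson $sample `
    -SubscriptionId '00000000-0000-0000-0000-000000000000' `
    -ResourceGroupName 'KeyVaultRG' -VaultName 'keyvault'
```

Write the returned JSON to a generated parameter file and deploy with that file. Only a vault id is stored there, so no secret value ever lands in source control.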
