When the VM subscription is not the same as the Key Vault's subscription, we get the error "The SubscriptionId: ... of the request must match the SubscriptionId ... contained in the Key Vault Id".
@tonybendis Thanks for bringing this to our attention. Your feedback has been shared with the content owner for further review.
@tonybendis - I was not able to duplicate this error. This article describes how to get a value from Key Vault and pass that value as a parameter to a template. When deploying the resource, the parameter value would only contain the secret without any indication of the subscription ID that it came from. Were you instead trying to set the certificate URL in the VM resource?
@tonybendis - if you are still having a problem with Key Vault and templates, feel free to reopen this issue. Otherwise, we'll close it.
@tonybendis We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
Hi,
I get the same error! ERROR The KeyVault 'enjnjnj-vn' does not exist in the Resource Group 'test_gos' for the Subscription
I also get this error:
```
Resource Microsoft.Compute/virtualMachineScaleSets 'VMScaleSetWin' failed with message '{
  "error": {
    "code": "InvalidParameter",
    "message": "The SubscriptionId:\"00000000-0000-0000-000-000000000000\" of the request must match the SubscriptionId \"11111111-1111-1111-1111-111111111111\" contained in the Key Vault Id.",
    "target": "sourceVault.id"
  }
}'
```
When I try to deploy a VMSS with an ARM template. I am trying to use the osProfile.secrets.sourceVault.id from a different subscription.
Is there a permission issue maybe?
@Canutza - this article describes the scenario of using a key vault secret in a parameter file. In that case, the key vault does not need to be in the same subscription. Your scenario involves directly referencing a key vault from a VM property. That scenario is described at Set up Key Vault for virtual machines in Azure Resource Manager.
For Secrets cross-subscription seems to work fine. For Certificates however it fails with:
"The SubscriptionId:\"subIdVm\" of the request must match the SubscriptionId \"subIdKv\" contained in the Key Vault Id."
Template:
```json
"osProfile": {
  "computerName": "[parameters('virtualMachineName')]",
  "adminUsername": "[parameters('adminUsername')]",
  "adminPassword": "[parameters('adminPassword')]",
  "secrets": [
    {
      "sourceVault": {
        "id": "[concat('/subscriptions/', 'subIdKv', '/resourceGroups/', 'rgkeyvault', '/providers/Microsoft.KeyVault/vaults/', 'testvaultxxx')]"
      },
      "vaultCertificates": [
        {
          "certificateUrl": "https://testvaultxxx.vault.azure.net:443/secrets/JHTESTCERT/6206a8d1438c4d378ca7aa69c31a7f2f",
          "certificateStore": "TESTCERTSTORE"
        }
      ]
    }
  ]
},
```
@JulianHayward I am also seeing this error when I try to use the secret identifier URL of the SSL cert in a different subscription and different resource group. I am able to use the same key vault to pass in secrets though.
Same issue here, we deploy a VMSS with a certificate reference in the osProfile which points to a Key Vault in another owned subscription.
Can you please triage this and update the status?
I'm facing the same issue, we have a central keyvault in a central subscription that holds our certificate, but ARM deployment for a VMSS in a different subscription fails to get the certificate from that keyvault with the same error message. I've also tried adding the managed identity of the VMSS to the target keyvault but that yields the same issue.
The osprofile-based cert ref does not support KV auto-rotation today as far as I know?!?
It's not about auto rotation. You cannot reference certificates from AKV in a different subscription (not the VMSS subscription) in the OS profile.
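
A pre-deployment check for the failure discussed in this thread, as an added example that is not part of any comment above or of Microsoft's tooling: it walks an ARM template's VM and VMSS resources and compares the subscription in each `osProfile.secrets[].sourceVault.id` with the subscription being deployed to. The function names and verdict strings are assumptions, the sample template is constructed from the thread's placeholders, and only literal IDs and all-literal `concat()` expressions are resolved.

```python
import re

VM_TYPES = ("Microsoft.Compute/virtualMachines", "Microsoft.Compute/virtualMachineScaleSets")
# Literal vault resource ID (group 1 = subscription) and an all-literal concat() call.
VAULT_ID = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/[^/]+"
                      r"/providers/Microsoft\.KeyVault/vaults/[^/]+$", re.IGNORECASE)
CONCAT = re.compile(r"^\[concat\((\s*'[^']*'\s*(?:,\s*'[^']*'\s*)*)\)\]$")

# Constructed sample: VMSS fragment using the placeholder names from the thread.
SAMPLE = {"resources": [{
    "type": "Microsoft.Compute/virtualMachineScaleSets", "name": "VMScaleSetWin",
    "properties": {"virtualMachineProfile": {"osProfile": {"secrets": [{
        "sourceVault": {"id": "[concat('/subscriptions/', 'subIdKv', '/resourceGroups/', "
                              "'rgkeyvault', '/providers/Microsoft.KeyVault/vaults/', 'testvaultxxx')]"},
    }]}}},
}]}


def resolve(expr):
    """Return expr as a literal string, or None if it needs ARM evaluation."""
    if not expr.startswith("["):
        return expr
    m = CONCAT.match(expr)
    return "".join(re.findall(r"'([^']*)'", m.group(1))) if m else None


def check_source_vaults(template, deployment_subscription):
    """Return (resource name, verdict) for each osProfile.secrets entry."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") not in VM_TYPES:
            continue
        props = res.get("properties", {})
        # A scale set nests osProfile under virtualMachineProfile; a VM does not.
        os_profile = props.get("virtualMachineProfile", props).get("osProfile", {})
        for secret in os_profile.get("secrets", []):
            vault_id = resolve(secret.get("sourceVault", {}).get("id", ""))
            m = VAULT_ID.match(vault_id) if vault_id else None
            if m is None:
                verdict = "unresolved"  # parameters(), resourceId(), or not a vault ID
            elif m.group(1).lower() == deployment_subscription.lower():
                verdict = "ok"
            else:
                verdict = "subscription-mismatch"  # the InvalidParameter case
            findings.append((res.get("name"), verdict))
    return findings


if __name__ == "__main__":
    print(check_source_vaults(SAMPLE, "subIdVm"))
```

An "unresolved" verdict means the ID depends on parameters or template functions, so the comparison has to be repeated with the parameter values that will be used for the deployment.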