Cloud Service and Keyvault are in different subscriptions

ForamMehta-9031 0 Reputation points
2024-10-07T17:45:33.0166667+00:00

I am using KeyVaultExtension with CSES in my deployment ARM template to download and install the certificate automatically, following the doc "Apply the Key Vault VM extension in Azure Cloud Services (extended support)" (Microsoft Learn).

This is where the template and parameter files are: ppe - Repos (azure.com)

When I run ev2 deployment, I get the below error.
The cloud service Subscription Id '60230f4e-bc3b-4c6d-a3a9-f2fe52d8b830' and the key vault subscription Id '8b0d367d-adfe-488c-b055-7a551a55f7de' are different. Please create both resources in the same subscription or use the KV extension to have the CSES and key vault in different subscriptions. Please refer to https://aka.ms/cses-kv-extension for details on KV extension.

Target: sourceVault.id Correlation Id: a03d01ec-0983-478c-acc3-74f68ec67341
Ev2 Portal - Dashboard (azure.net)

This is the RBAC on my KV: LogsToMetrics-PPE-KV - Microsoft Azure
Currently, the KV cert is in a different subscription than the CSES.

As per the error message, it looks like we can work with CSES and KV in different subscriptions, but I am not able to deploy the template.


1 answer

  1. Navya 20,490 Reputation points Microsoft External Staff Moderator
    2024-10-14T07:18:22.29+00:00

    Hi @ForamMehta-9031

    Thank you for posting this in Microsoft Q&A.

    The error message indicates that the subscription ID of the cloud service (60230f4e-bc3b-4c6d-a3a9-f2fe52d8b830) and the subscription ID of the key vault (8b0d367d-adfe-488c-b055-7a551a55f7de) are different. This is causing the deployment to fail.

    There are two possible solutions to fix this error.

    1. Create both resources in the same subscription

    2. Use the KV extension to have the CSES and key vault in different subscriptions

    It seems you are using the KV extension to have the CSES and key vault in different subscriptions. Can you please cross-check the steps you have followed against this document: https://learn.microsoft.com/en-us/azure/cloud-services-extended-support/enable-key-vault-virtual-machine

    Have you created an application in the Microsoft Entra admin center/Azure Portal and granted the Microsoft Entra app secret permissions in Key Vault?

    Thanks,

    Navya.
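A pre-deployment check for the condition reported in the error above (`Target: sourceVault.id`), added here as an example that is not part of the original thread or of Microsoft's tooling. It assumes the cloud service resource carries its vault references under `properties.osProfile.secrets[].sourceVault.id`; the function name, template fragment, subscription IDs, resource group and vault names are all constructed.

```python
import re

# Subscription segment of an Azure resource ID (IDs compare case-insensitively).
_SUB_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})/", re.IGNORECASE)

def find_cross_subscription_vaults(template, deployment_subscription_id):
    """Return (resource name, sourceVault.id, reason) for every secret group
    whose vault is not provably in the deployment subscription."""
    findings = []
    target = deployment_subscription_id.lower()
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.compute/cloudservices":
            continue
        os_profile = res.get("properties", {}).get("osProfile", {})
        for group in os_profile.get("secrets", []):
            vault_id = group.get("sourceVault", {}).get("id", "")
            match = _SUB_RE.match(vault_id)
            if match is None:
                # e.g. "[parameters('vaultId')]": only known at deploy time
                findings.append((res.get("name"), vault_id, "unresolved"))
            elif match.group(1).lower() != target:
                findings.append((res.get("name"), vault_id, "different-subscription"))
    return findings

# Constructed sample: placeholder subscription IDs, resource group and vault names.
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"

def _vault(sub, name):
    return {"id": f"/subscriptions/{sub}/resourceGroups/rg-example"
                  f"/providers/Microsoft.KeyVault/vaults/{name}"}

SAMPLE_TEMPLATE = {"resources": [{
    "type": "Microsoft.Compute/cloudServices",
    "name": "example-cses",
    "properties": {"osProfile": {"secrets": [
        {"sourceVault": _vault(SUB_A.upper(), "kv-same")},   # same sub, other case
        {"sourceVault": _vault(SUB_B, "kv-other")},          # triggers the error
        {"sourceVault": {"id": "[parameters('vaultId')]"}},  # check parameter file
    ]}},
}]}

if __name__ == "__main__":
    for name, vault_id, reason in find_cross_subscription_vaults(SAMPLE_TEMPLATE, SUB_A):
        print(f"{name}: {reason}: {vault_id}")
```

Entries reported as `unresolved` come from template expressions, so the same comparison has to be made against the value supplied in the parameter file.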
