![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 10%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
Azure SQL Database
An Azure relational database service.
Hi ,
Thanks for reaching out to Microsoft Q&A.
The error you’re encountering (SQL71621: Azure Key Vault URI '$(CMK1_KeyPath)' must be a well-formed, absolute URL) usually occurs when the Azure SQL DacpacTask or SqlPackage.exe isn’t able to interpret the CMK1_KeyPath variable properly in your production deployment.
Here are a few steps to resolve this issue:
- Verify the SQLCMD Variable Substitution in DevOps Pipeline: Ensure that the
CMK1_KeyPathSQLCMD variable is set correctly within the DevOps pipeline, particularly for the production environment. Sometimes, variable scopes or names in the pipeline setup might differ between environments, so double-check the DevOps pipeline variable section. - Set the Variable in the Pipeline Task: Explicitly set the
CMK1_KeyPathvariable in the DacpacTask definition. You can pass theCMK1_KeyPathdirectly in the pipeline’sAzure SQL DacpacTaskconfiguration:
3. Check the Variable Syntax: Sometimes,- task: SqlAzureDacpacDeployment@1 inputs: azureSubscription: 'Your-Azure-Service-Connection' serverName: 'your-server.database.windows.net' databaseName: 'your-database' sqlUsername: '$(sqlUsername)' sqlPassword: '$(sqlPassword)' deployType: 'DacpacTask' deploymentAction: 'Publish' sqlFile: '$(System.DefaultWorkingDirectory)/your-path/your-file.dacpac' additionalArguments: '/v:CMK1_KeyPath="https://my-kv.vault.azure.net/keys/Always-Encrypted-Auto1/97a8c01ab2fc43e0bd3ef2be69a64309"'
$()syntax is missed when passing variables between different tools or configurations. Ensure$(CMK1_KeyPath)resolves correctly. You can add a debugging task in your pipeline to log the resolvedCMK1_KeyPathvalue to verify it’s correct. Local Agent Variable Substitution: If you’re deploying through a self-hosted agent, check that the agent’s environment has permissions to read Azure Key Vault URIs if the variable is accessed through a secured mechanism or credential store. Hardcode for Testing: As a temporary troubleshooting step, try hardcoding theCMK1_KeyPathURI in the SQL project and see if the error persists during the production deployment. If this resolves the error, the issue is likely within the variable resolution process in the DevOps pipeline. Use/p:Instead of/v:: For some versions ofSqlPackage.exe, the/p:ColumnMasterKeySettingsargument is necessary for specifying Azure Key Vault URIs directly. IfSqlPackage.exesupports it, try:/p:ColumnMasterKeySettings="CMK1_KeyPath=https://my-kv.vault.azure.net/keys/Always-Encrypted-Auto1/97a8c01ab2fc43e0bd3ef2be69a64309"
Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 69%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)