We have successfully installed ASDK 1.2008.0.59, and everything is working fine. Test-AzureStack is passing all Tests.
After a while I wanted to rotate the certs, and as stated in https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-rotate-secrets?view=azs-2008, I prepared everything and started Start-SecretRotation. All tests and checks were running successfully, but then the following error appeared:
System.InvalidOperationException: The specified ActionPlan 'ExternalCertRotation' does not exist.
The learn.microsoft.com page also specifically mentions the ASDK for secret rotation, so I assumed it should work fine.
Any idea what to do?
Here is the log from running Start-SecretRotation:
PS C:\Certificates> Invoke-Command -Session $PEPSession -ScriptBlock {
>> Start-SecretRotation -PfxFilesPath $using:CertSharePath -PathAccessCredential $using:CertShareCreds -CertificatePassword $using:CertPassword
>> }
VERBOSE: Invoke-ScriptBlockWithRetries: attempt #1 of 2, retry sleep time is 30 seconds.
VERBOSE: Create client to use for querying for status of actions
VERBOSE: Invoke-ScriptBlockWithRetries: attempt #1 of 2, retry sleep time is 30 seconds.
VERBOSE: Create client to use for querying for status of actions
PSComputerName : 192.168.200.224
RunspaceId : d572909e-b4e7-468e-a134-69334e4f4bee
LocalPath :
RemotePath : \\192.168.200.1\Certificates
RequireIntegrity : False
RequirePrivacy : False
Status : 0
UseWriteThrough : False
VERBOSE: Mapped network drive for source: \\192.168.200.1\Certificates
Testing: \ARM Public
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Testing: \ARM Admin
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Testing: \Public Portal
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Testing: \Admin Portal
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Testing: \KeyVault
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Testing: \KeyVaultInternal
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Testing: \ACSTable
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Testing: \ACSQueue
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Testing: \ACSBlob
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Testing: \Admin Extension Host
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Testing: \Public Extension Host
Thumbprint: E31681****************************5975A7
PFX Encryption: OK
Expiry Date: OK
Signature Algorithm: OK
DNS Names: OK
Key Usage: OK
Key Length: OK
Parse PFX: OK
Private Key: OK
Cert Chain: OK
Chain Order: OK
Other Certificates: OK
Path Test Result
---- ---- ------
\ARM Public PFX Encryption OK
\ARM Public Expiry Date OK
\ARM Public Signature Algorithm OK
\ARM Public DNS Names OK
\ARM Public Key Usage OK
\ARM Public Key Length OK
\ARM Public Parse PFX OK
\ARM Public Private Key OK
\ARM Public Cert Chain OK
\ARM Public Chain Order OK
\ARM Public Other Certificates OK
\ARM Admin PFX Encryption OK
\ARM Admin Expiry Date OK
\ARM Admin Signature Algorithm OK
\ARM Admin DNS Names OK
\ARM Admin Key Usage OK
\ARM Admin Key Length OK
\ARM Admin Parse PFX OK
\ARM Admin Private Key OK
\ARM Admin Cert Chain OK
\ARM Admin Chain Order OK
\ARM Admin Other Certificates OK
\Public Portal PFX Encryption OK
\Public Portal Expiry Date OK
\Public Portal Signature Algorithm OK
\Public Portal DNS Names OK
\Public Portal Key Usage OK
\Public Portal Key Length OK
\Public Portal Parse PFX OK
\Public Portal Private Key OK
\Public Portal Cert Chain OK
\Public Portal Chain Order OK
\Public Portal Other Certificates OK
\Admin Portal PFX Encryption OK
\Admin Portal Expiry Date OK
\Admin Portal Signature Algorithm OK
\Admin Portal DNS Names OK
\Admin Portal Key Usage OK
\Admin Portal Key Length OK
\Admin Portal Parse PFX OK
\Admin Portal Private Key OK
\Admin Portal Cert Chain OK
\Admin Portal Chain Order OK
\Admin Portal Other Certificates OK
\KeyVault PFX Encryption OK
\KeyVault Expiry Date OK
\KeyVault Signature Algorithm OK
\KeyVault DNS Names OK
\KeyVault Key Usage OK
\KeyVault Key Length OK
\KeyVault Parse PFX OK
\KeyVault Private Key OK
\KeyVault Cert Chain OK
\KeyVault Chain Order OK
\KeyVault Other Certificates OK
\KeyVaultInternal PFX Encryption OK
\KeyVaultInternal Expiry Date OK
\KeyVaultInternal Signature Algorithm OK
\KeyVaultInternal DNS Names OK
\KeyVaultInternal Key Usage OK
\KeyVaultInternal Key Length OK
\KeyVaultInternal Parse PFX OK
\KeyVaultInternal Private Key OK
\KeyVaultInternal Cert Chain OK
\KeyVaultInternal Chain Order OK
\KeyVaultInternal Other Certificates OK
\ACSTable PFX Encryption OK
\ACSTable Expiry Date OK
\ACSTable Signature Algorithm OK
\ACSTable DNS Names OK
\ACSTable Key Usage OK
\ACSTable Key Length OK
\ACSTable Parse PFX OK
\ACSTable Private Key OK
\ACSTable Cert Chain OK
\ACSTable Chain Order OK
\ACSTable Other Certificates OK
\ACSQueue PFX Encryption OK
\ACSQueue Expiry Date OK
\ACSQueue Signature Algorithm OK
\ACSQueue DNS Names OK
\ACSQueue Key Usage OK
\ACSQueue Key Length OK
\ACSQueue Parse PFX OK
\ACSQueue Private Key OK
\ACSQueue Cert Chain OK
\ACSQueue Chain Order OK
\ACSQueue Other Certificates OK
\ACSBlob PFX Encryption OK
\ACSBlob Expiry Date OK
\ACSBlob Signature Algorithm OK
\ACSBlob DNS Names OK
\ACSBlob Key Usage OK
\ACSBlob Key Length OK
\ACSBlob Parse PFX OK
\ACSBlob Private Key OK
\ACSBlob Cert Chain OK
\ACSBlob Chain Order OK
\ACSBlob Other Certificates OK
\Admin Extension Host PFX Encryption OK
\Admin Extension Host Expiry Date OK
\Admin Extension Host Signature Algorithm OK
\Admin Extension Host DNS Names OK
\Admin Extension Host Key Usage OK
\Admin Extension Host Key Length OK
\Admin Extension Host Parse PFX OK
\Admin Extension Host Private Key OK
\Admin Extension Host Cert Chain OK
\Admin Extension Host Chain Order OK
\Admin Extension Host Other Certificates OK
\Public Extension Host PFX Encryption OK
\Public Extension Host Expiry Date OK
\Public Extension Host Signature Algorithm OK
\Public Extension Host DNS Names OK
\Public Extension Host Key Usage OK
\Public Extension Host Key Length OK
\Public Extension Host Parse PFX OK
\Public Extension Host Private Key OK
\Public Extension Host Cert Chain OK
\Public Extension Host Chain Order OK
\Public Extension Host Other Certificates OK
VERBOSE: Certificate Validation finished successfully and found no failures.
VERBOSE: Invoke-ScriptBlockWithRetries: attempt #1 of 5, retry sleep time is 10 seconds.
VERBOSE: Retrieved AD Group: CN=Azs-SecretEncryptor,CN=Users,DC=azurestack,DC=local
VERBOSE: Invoke-ScriptBlockWithRetries: attempt #1 of 5, retry sleep time is 10 seconds.
VERBOSE: Retrieved AD Group: CN=Azs-SecretEncryptor,CN=Users,DC=azurestack,DC=local
VERBOSE: Starting health check for Secret Rotation
VERBOSE: Testing current certificate trust
03/10/2021 23:55:15 : Starting Test-AzureStack
VERBOSE: Invoke-ScriptBlockWithRetries: retry #0 of 3, retry sleep time is 30 seconds.
VERBOSE: Invoke-ScriptBlockWithRetries: retry #0 of 3, retry sleep time is 30 seconds.
03/10/2021 23:55:42 : Launching AzsExternalCertificates
VERBOSE: Invoke-ScriptBlockWithRetries: retry #0 of 3, retry sleep time is 30 seconds.
03/10/2021 23:55:47 : PASS : Azure Stack External Certificate Trust Validation
Azure Stack Validation Summary
------------------------------
PASS Azure Stack External Certificate Trust Validation
VERBOSE: Preparing SecretRotationReadiness Test-AzureStack
VERBOSE: Running regular SecretRotationReadiness Test-AzureStack
VERBOSE: Invoke-ScriptBlockWithRetries: attempt #1 of 3, retry sleep time is 10 seconds.
03/10/2021 23:55:48 : Starting Test-AzureStack
VERBOSE: Invoke-ScriptBlockWithRetries: retry #0 of 3, retry sleep time is 30 seconds.
VERBOSE: Invoke-ScriptBlockWithRetries: retry #0 of 3, retry sleep time is 30 seconds.
03/10/2021 23:56:14 : Launching AzsHostingInfraSummary
03/10/2021 23:56:14 : Launching AzsPortalAPISummary
03/10/2021 23:56:14 : Launching AzsInfraRoleSummary
03/10/2021 23:56:14 : Launching AzsStoreSummary
03/10/2021 23:56:14 : Launching AzsSFRoleSummary
03/10/2021 23:56:15 : Launching AzsInfraCapacity
03/10/2021 23:56:15 : Launching AzsAcsSummary
VERBOSE: Invoke-ScriptBlockWithRetries: retry #0 of 3, retry sleep time is 30 seconds.
03/10/2021 23:56:40 : PASS : Azure Stack Portal and API Summary
03/10/2021 23:56:40 : PASS : Azure Stack ARM Certificate Summary
03/10/2021 23:56:48 : PASS : Azure Stack ACS Blob Service Summary
03/10/2021 23:56:51 : PASS : Azure Stack Data Store Servers
03/10/2021 23:56:51 : PASS : Azure Stack Data Store Cluster
03/10/2021 23:57:09 : PASS : Azure Stack Cloud Hosting Infrastructure Summary
03/10/2021 23:57:10 : PASS : Azure Stack Privileged Endpoint Service Fabric Cluster
03/10/2021 23:57:10 : PASS : Azure Stack Privileged Endpoint Service Fabric Nodes
03/10/2021 23:57:10 : PASS : Azure Stack Privileged Endpoint Service Fabric Applications
03/10/2021 23:57:10 : PASS : Azure Stack Privileged Endpoint Service Fabric Services
03/10/2021 23:57:10 : PASS : Azure Stack Support Ring Services endpoint Service Fabric Cluster
03/10/2021 23:57:10 : PASS : Azure Stack Support Ring Services endpoint Service Fabric Nodes
03/10/2021 23:57:10 : PASS : Azure Stack Support Ring Services endpoint Service Fabric Applications
03/10/2021 23:57:10 : PASS : Azure Stack Support Ring Services endpoint Service Fabric Services
03/10/2021 23:57:10 : PASS : Azure Stack Storage Services Service Fabric Cluster
03/10/2021 23:57:10 : PASS : Azure Stack Storage Services Service Fabric Nodes
03/10/2021 23:57:10 : PASS : Azure Stack Storage Services Service Fabric Applications
03/10/2021 23:57:11 : PASS : Azure Stack Storage Services Service Fabric Services
03/10/2021 23:57:11 : PASS : Azure Stack Fabric Management Controller Service Fabric Cluster
03/10/2021 23:57:11 : PASS : Azure Stack Fabric Management Controller Service Fabric Nodes
03/10/2021 23:57:11 : PASS : Azure Stack Fabric Management Controller Service Fabric Applications
03/10/2021 23:57:11 : PASS : Azure Stack Fabric Management Controller Service Fabric Services
03/10/2021 23:57:11 : PASS : Azure Stack Network Controller Service Fabric Cluster
03/10/2021 23:57:11 : PASS : Azure Stack Network Controller Service Fabric Nodes
03/10/2021 23:57:11 : PASS : Azure Stack Network Controller Service Fabric Applications
03/10/2021 23:57:11 : PASS : Azure Stack Network Controller Service Fabric Services
03/10/2021 23:57:23 : PASS : Azure Stack Infrastructure Capacity
03/10/2021 23:57:23 : PASS : Azure Stack Shared Volume Capacity
03/11/2021 00:02:46 : PASS : Azure Stack Infrastructure Role Instance Summary
03/11/2021 00:02:47 : PASS : Azure Stack Service Resource Consumption Summary
03/11/2021 00:02:47 : PASS : Azure Stack Infrastructure Clocks
Azure Stack Validation Summary
------------------------------
PASS Azure Stack Cloud Hosting Infrastructure Summary
PASS Azure Stack Infrastructure Role Instance Summary
PASS Azure Stack Infrastructure Capacity
PASS Azure Stack Shared Volume Capacity
PASS Azure Stack Portal and API Summary
PASS Azure Stack ARM Certificate Summary
PASS Azure Stack Data Store Cluster
PASS Azure Stack Data Store Servers
PASS Azure Stack ACS Blob Service Summary
PASS Azure Stack Privileged Endpoint Service Fabric Cluster
PASS Azure Stack Privileged Endpoint Service Fabric Nodes
PASS Azure Stack Privileged Endpoint Service Fabric Applications
PASS Azure Stack Privileged Endpoint Service Fabric Services
PASS Azure Stack Support Ring Services endpoint Service Fabric Cluster
PASS Azure Stack Support Ring Services endpoint Service Fabric Nodes
PASS Azure Stack Support Ring Services endpoint Service Fabric Applications
PASS Azure Stack Support Ring Services endpoint Service Fabric Services
PASS Azure Stack Storage Services Service Fabric Cluster
PASS Azure Stack Storage Services Service Fabric Nodes
PASS Azure Stack Storage Services Service Fabric Applications
PASS Azure Stack Storage Services Service Fabric Services
PASS Azure Stack Fabric Management Controller Service Fabric Cluster
PASS Azure Stack Fabric Management Controller Service Fabric Nodes
PASS Azure Stack Fabric Management Controller Service Fabric Applications
PASS Azure Stack Fabric Management Controller Service Fabric Services
PASS Azure Stack Network Controller Service Fabric Cluster
PASS Azure Stack Network Controller Service Fabric Nodes
PASS Azure Stack Network Controller Service Fabric Applications
PASS Azure Stack Network Controller Service Fabric Services
PASS Azure Stack Infrastructure Clocks
PASS Azure Stack Service Resource Consumption Summary
VERBOSE: Processing results of Test-AzureStack run after 03/10/2021 23:55:47.
VERBOSE: Test-AzureStack report did not contain any error.
VERBOSE: Test-AzureStack completed with warnings.
VERBOSE: Found the following warnings:
Result Errors TestName
------ ------ --------
WARN {} Azure Stack Infrastructure Clocks
VERBOSE: The 'Cancel-ActionPlanInstance' command in the ECEClient' module was imported, but because its name does not
include an approved verb, it might be difficult to find. The suggested alternative verbs are "Stop".
VERBOSE: Importing function 'Cancel-ActionPlanInstance'.
VERBOSE: Importing function 'Convert-HashTableToDictionary'.
VERBOSE: The 'Create-ActionPlanDescriptionObject' command in the ECEClient' module was imported, but because its name
does not include an approved verb, it might be difficult to find. The suggested alternative verbs are "New".
VERBOSE: Importing function 'Create-ActionPlanDescriptionObject'.
VERBOSE: The 'Create-ActionPlanInstanceDescriptionObject' command in the ECEClient' module was imported, but because
its name does not include an approved verb, it might be difficult to find. The suggested alternative verbs are "New".
VERBOSE: Importing function 'Create-ActionPlanInstanceDescriptionObject'.
VERBOSE: The 'Create-CancelActionPlanInstanceDescription' command in the ECEClient' module was imported, but because
its name does not include an approved verb, it might be difficult to find. The suggested alternative verbs are "New".
VERBOSE: Importing function 'Create-CancelActionPlanInstanceDescription'.
VERBOSE: The 'Create-CloudDefinitionDescription' command in the ECEClient' module was imported, but because its name
does not include an approved verb, it might be difficult to find. The suggested alternative verbs are "New".
VERBOSE: Importing function 'Create-CloudDefinitionDescription'.
VERBOSE: The 'Create-ECEAgentClient' command in the ECEClient' module was imported, but because its name does not
include an approved verb, it might be difficult to find. The suggested alternative verbs are "New".
VERBOSE: Importing function 'Create-ECEAgentClient'.
VERBOSE: The 'Create-ECEClientWithApplicationGateway' command in the ECEClient' module was imported, but because its
name does not include an approved verb, it might be difficult to find. The suggested alternative verbs are "New".
VERBOSE: Importing function 'Create-ECEClientWithApplicationGateway'.
VERBOSE: The 'Create-ECEClientWithServiceResolver' command in the ECEClient' module was imported, but because its name
does not include an approved verb, it might be difficult to find. The suggested alternative verbs are "New".
VERBOSE: Importing function 'Create-ECEClientWithServiceResolver'.
VERBOSE: Importing function 'Get-ActionPlanInstance'.
VERBOSE: Importing function 'Get-CloudDefinition'.
VERBOSE: Importing function 'Get-ECEServiceEndpoint'.
VERBOSE: Importing function 'Get-StampInformation'.
VERBOSE: Importing function 'Invoke-ActionPlanInstance'.
VERBOSE: Importing function 'Invoke-WithRetries'.
VERBOSE: The 'Monitor-ActionPlanInstance' command in the ECEClient' module was imported, but because its name does not
include an approved verb, it might be difficult to find. For a list of approved verbs, type Get-Verb.
VERBOSE: Importing function 'Monitor-ActionPlanInstance'.
VERBOSE: Importing function 'Resume-ActionPlanInstance'.
VERBOSE: Importing function 'Update-Endpoint'.
VERBOSE: Importing function 'Wait-ForActionPlanInstanceToComplete'.
VERBOSE: Importing function 'Write-ActionPlanSummaryProgress'.
VERBOSE: Create Client for execution of action plan
VERBOSE: Start action plan
VERBOSE: Action plan instance ID specified: 061b697c-a7d3-47a4-ac82-01a59f21ea2f
VERBOSE: StartTime: 03/11/2021 00:02:54
VERBOSE: Timeout estimate: 03/11/2021 04:02:54 .
VERBOSE:
Overall action status: 'Pending'
VERBOSE:
VERBOSE:
VERBOSE:
Overall action status: 'Pending'
VERBOSE:
VERBOSE:
VERBOSE: ActionPlanInstanceID: '061b697c-a7d3-47a4-ac82-01a59f21ea2f' CurrentStatus: 'Failed'
VERBOSE: Action plan finished with status: 'Failed'
Guid PSComputerName
---- --------------
061b697c-a7d3-47a4-ac82-01a59f21ea2f 192.168.200.224
PSComputerName : 192.168.200.224
RunspaceId : d572909e-b4e7-468e-a134-69334e4f4bee
InstanceID : 061b697c-a7d3-47a4-ac82-01a59f21ea2f
ActionPlanName :
ActionTypeName : ExternalCertRotation
RolePath : Cloud
ProgressAsXml :
Status : Failed
StartDateTime : 3/11/2021 12:02:54 AM
EndDateTime : 3/11/2021 12:03:08 AM
LastModifiedDateTime : 3/11/2021 12:03:08 AM
StartIndex :
EndIndex :
Skip : {}
Retries : 2
ParentActionPlanInstanceID : 00000000-0000-0000-0000-000000000000
LockType : ExclusiveLock
RuntimeParameters : {CertificatePassword, PathAccessPassword, PathAccessUserName, PfxFilesPath}
RemediationInstance :
OnCompleteInstance :
InstanceType : None
AdditionalInformation : System.InvalidOperationException: The specified ActionPlan 'ExternalCertRotation' does
not exist. Please check if it is spelled and capitalized correctly.
at CloudEngine.Configurations.Role.Action(String actionType)
at Microsoft.AzureStack.Solution.Deploy.EnterpriseCloudEngine.ActionPlanExecutionEngine
.ActionPlanExecutionEngine.<GetActionPlanDefinitionXml>d__31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
task)
at Microsoft.AzureStack.Solution.Deploy.EnterpriseCloudEngine.ActionPlanExecutionEngine
.ActionPlanExecutionEngine.<CreateActionPlanObject>d__30.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
task)
at Microsoft.AzureStack.Solution.Deploy.EnterpriseCloudEngine.ActionPlanExecutionEngine
.ActionPlanExecutionEngine.<RunMainActionPlanInstance>d__25.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
task)
at Microsoft.AzureStack.Solution.Deploy.EnterpriseCloudEngine.ActionPlanExecutionEngine
.ActionPlanExecutionEngine.<InternalRunActionPlanInstanceInBackGround>d__23.MoveNext()
CorrelationRequestId : 8f2ee6e0-2458-4765-a0a7-979dd67fcfca
@Andreas Mertz My apologies for the delay on this one!
Secret rotation on the ASDK is not a supported scenario, and the failures you are getting are expected.
We will be updating the documentation as well to state this.
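An added example (not from the original thread or from Microsoft): a PowerShell function that reads a saved Start-SecretRotation transcript like the one in the question and reports whether the certificate pre-checks passed and why the action plan itself failed. The function name, the output property names, and the constructed sample excerpt with its placeholder IP addresses and GUID are assumptions made for illustration.

```powershell
# Added example, not Microsoft code: triage a saved Start-SecretRotation transcript.
function Get-RotationFailureSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)

    $records = [System.Collections.Generic.List[object]]::new()
    $rec = $null; $key = $null
    foreach ($l in $Line) {
        if ($l -match '^(?<k>[A-Za-z]+)\s+:\s*(?<v>.*)$') {
            # "Key : Value" line of a Format-List record; a repeated key starts a new record.
            if ($null -eq $rec -or $rec.Contains($Matches.k)) {
                $rec = [ordered]@{}; $records.Add($rec)
            }
            $key = $Matches.k
            $rec[$key] = $Matches.v.Trim()
        }
        elseif ($l -match '^\s*$' -or $l -match '^(VERBOSE|WARNING):') {
            $rec = $null; $key = $null          # a stream message or blank line ends the record
        }
        elseif ($key) {
            # Wrapped continuation of the previous value (the stack trace wraps like this).
            $rec[$key] = ($rec[$key] + ' ' + $l.Trim()).Trim()
        }
    }

    # The action plan instance is the record that carries ActionTypeName.
    $plan = $records | Where-Object { $_.Contains('ActionTypeName') } | Select-Object -Last 1
    if ($null -eq $plan) { return $null }

    # Split "Namespace.SomeException: message   at Frame(...)" into type and message.
    $ex = [regex]::Match([string]$plan['AdditionalInformation'],
        '^(?<type>[\w.]+Exception):\s+(?<msg>.*?)(?=\s+at\s+[\w.]+\(|$)')

    [pscustomobject]@{
        PreChecksPassed = @($Line -match 'Certificate Validation finished successfully').Count -gt 0
        ActionType      = $plan['ActionTypeName']
        Status          = $plan['Status']
        InstanceID      = $plan['InstanceID']
        ExceptionType   = $ex.Groups['type'].Value
        Message         = $ex.Groups['msg'].Value
        # True when the engine has no such plan at all, as opposed to a certificate problem.
        PlanNotDefined  = $ex.Groups['msg'].Value -match "ActionPlan '.+' does not exist"
    }
}

# Constructed excerpt modelled on the log in the question (placeholder IPs and GUID).
$sample = @'
VERBOSE: Certificate Validation finished successfully and found no failures.
PSComputerName   : 192.0.2.10
RemotePath       : \\192.0.2.1\Certificates
Status           : 0
VERBOSE: Action plan finished with status: 'Failed'
PSComputerName        : 192.0.2.10
InstanceID            : 11111111-2222-3333-4444-555555555555
ActionTypeName        : ExternalCertRotation
Status                : Failed
AdditionalInformation : System.InvalidOperationException: The specified ActionPlan 'ExternalCertRotation' does
                        not exist. Please check if it is spelled and capitalized correctly.
                           at CloudEngine.Configurations.Role.Action(String actionType)
CorrelationRequestId  : 11111111-2222-3333-4444-555555555555
'@ -split "`r?`n"

Get-RotationFailureSummary -Line $sample | Format-List
```

A result with `PreChecksPassed` true, `Status` Failed and `PlanNotDefined` true matches the case in this thread: the supplied certificates validated, and the rotation stopped because the engine has no 'ExternalCertRotation' action plan.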