Azure Local single-node deployment fails with SecretNotFoundException

Maksim Karpenko 25 Reputation points
2025-11-30T16:30:21.0866667+00:00

Hello,


I am trying to deploy an Azure Local (Azure Stack HCI) instance on a single node.

Azure Stack HCI OS v.2511

The deployment consistently fails during Environment Checker with:

Exception
Type 'InvokeEnvironmentChecker' of Role 'DeploymentService' raised an exception: 
Exception calling "GetCredential" with "1" argument(s): "Exception of type 
'CloudEngine.Configurations.SecretNotFoundException' was thrown." at 
InvokeEnvironmentChecker, 
C:\NugetStore\Microsoft.AzureStack.Role.Deployment.Service.10.2510.0.1134\content\Classes\DeploymentService\Helpers\InvokerHelpers.psm1: line 64 at 
InvokeEnvironmentChecker, 
C:\NugetStore\Microsoft.AzureStack.Role.Deployment.Service.10.2510.0.1134\content\Classes\DeploymentService\DeploymentService.psm1: line 63 at <ScriptBlock>, 
C:\NugetStore\Microsoft.AzureStack.Solution.LCMControllerWinService.10.2510.0.1126\content\LCMControllerWinService\InvokeInterfaceInternal.psm1: line 165 at Invoke-
EceInterfaceInternal, 
C:\NugetStore\Microsoft.AzureStack.Solution.LCMControllerWinService.10.2510.0.1126\content\LCMControllerWinService\InvokeInterfaceInternal.psm1: line 160 at 
<ScriptBlock>, <No file>: line 50

Has anyone else experienced this?

Thank you in advance!

Azure Local

Answer accepted by question author
  1. Jilakara Hemalatha 5,970 Reputation points Microsoft External Staff Moderator
    2025-12-01T03:47:25.2366667+00:00

    Hi Maksim Karpenko

    Thank you for reaching out regarding the deployment failure on your Azure Local (Azure Stack HCI) single-node environment.

    Based on the error you provided:

    Exception calling "GetCredential" with "1" argument(s):

    'Exception of type 'CloudEngine.Configurations.SecretNotFoundException' was thrown.'

    This indicates that the deployment is unable to locate the required Service Principal (SPN) credentials. These credentials are necessary for the Environment Checker and deployment engine to validate and configure your Azure Local environment.

    Could you please follow the steps below:

    1. Create a Service Principal (SPN)

    • Sign in to the Azure Portal.
    • Navigate to Azure Active Directory → App registrations → New registration.
    • Provide the required details and click Register to create the SPN.

    2. Create a Client Secret

    • Go to the newly created SPN and navigate to Certificates & Secrets → New client secret.
    • Enter a description and set an expiry period (e.g., 1–2 years).
    • Copy the generated Value immediately; this will be used in later steps.

    3. Assign a Role to the SPN

    • Navigate to your Subscription → Access Control (IAM) → Add role assignment.
    • Select the Role: Azure Resource Bridge Deployment Role.
    • Assign the SPN as a Member and save the changes.

    4. Configure the SPN:

    Note: These commands should be executed on the seed node running the deployment. The seed node is identified by the presence of the C:\ECEStore folder, usually the first host in the ARM template or portal node list.

    Import-Module C:\CloudDeployment\ECEngine\EnterpriseCloudEngine.psd1
    Import-Module ECEClient
    
    #Set the SPN credentials in variables:
    
    $appId = "<application (client) Id>"  
    $secret = "<hci secret value (not secret Id)>"
    $password = ConvertTo-SecureString  $secret -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($appId, $password)
    
    #Configure the credentials in ECEStore:
    Set-ECESecret -ContainerName "DefaultARBApplication" -Credential $cred | Out-Null
    Set-ECEServiceSecret -ContainerName "DefaultARBApplication" -Credential $cred | Out-Null
    

    This completes the setup of the SPN for deployment. The SPN now has the necessary permissions, and the deployment will succeed.

    Hope this helps! Please let me know if you have any queries.

    1 person found this answer helpful.
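
The credential step from the accepted answer, as an added example (not part of the original answer and not Microsoft's own script): it reads the client secret at a prompt instead of assigning it to a variable as a plaintext literal, so the value does not land in script files or command history. The module paths, cmdlets and container name are the ones quoted in the answer; the seed-node check, the GUID checks and the variable handling are assumptions added here.

```powershell
# Added example: run on the seed node, in the session used for the deployment.
$ErrorActionPreference = 'Stop'

# The answer identifies the seed node by the presence of C:\ECEStore.
if (-not (Test-Path -Path 'C:\ECEStore')) {
    throw 'C:\ECEStore not found: this does not look like the seed node.'
}

Import-Module C:\CloudDeployment\ECEngine\EnterpriseCloudEngine.psd1
Import-Module ECEClient

# The application (client) ID is not secret, but it must be a GUID.
$appId  = (Read-Host -Prompt 'Application (client) ID').Trim()
$parsed = [guid]::Empty
if (-not [guid]::TryParse($appId, [ref]$parsed)) {
    throw "'$appId' is not a GUID; expected the application (client) ID."
}

# Read the client secret without echoing it or storing it as a literal.
$password = Read-Host -Prompt 'Client secret value' -AsSecureString
if ($password.Length -eq 0) {
    throw 'Empty client secret.'
}
$cred = New-Object System.Management.Automation.PSCredential($appId, $password)

# Assumption: the portal's "Secret ID" is GUID-formatted and the secret "Value"
# is not, so a GUID here means the wrong column was copied.
if ([guid]::TryParse($cred.GetNetworkCredential().Password, [ref]$parsed)) {
    throw 'The secret looks like a Secret ID (GUID); paste the secret Value instead.'
}

try {
    # Same two calls and container name as in the answer.
    Set-ECESecret        -ContainerName 'DefaultARBApplication' -Credential $cred | Out-Null
    Set-ECEServiceSecret -ContainerName 'DefaultARBApplication' -Credential $cred | Out-Null
    Write-Host "SPN credential stored for application $appId."
}
finally {
    # Drop the in-session references once the store has the credential.
    $password.Dispose()
    Remove-Variable -Name cred, password -ErrorAction SilentlyContinue
}
```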
