search

Azure / bicep-types-az

Bicep type definitions for ARM resources
MIT License
84 stars 27 forks source link

AzureKeyVault Secret deployment error message is empty #2011

Open jpalvarezl opened 9 months ago

jpalvarezl commented 9 months ago

Bicep version Bicep CLI version 0.24.24 (5646341b0c)

Describe the bug

I am new to bicep templates and I while looking at the documentation I wanted to find the best safe way to store my deployment secrets. In doing so, I found documentation pointing me towards using KeyVault and secrets. I created my keyvault manually (in the portal) paying special attention to assigning roles correctly to both myself and my service principal.

Despite this I was met with a BadRequest message for each of the deployment of my secrets.

To Reproduce Here is my bicep module to handle secrets:

@secure()
@description('Value of the secret to be stored')
param value string

@secure()
@description('Name of the key for the secret to be stored')
param name string

resource aoaiKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: 'aoai-tests-keyvault'
}

resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: aoaiKeyVault
  name: name
  properties: {
    value: value
  }
}

Then I would use this module like so:


module cognitiveSearchEndpointSecret 'key_vault_store.bicep' = {
  name: 'cog-search-endpoint'
  params: {
    name: 'COGNITIVE_SEARCH_ENDPOINT'
    value: 'https://${cognitiveSearch.name}.search.windows.net'
  }
}

This resulted in the follow error message for the secret deployment

{
  "code": "DeploymentFailed",
  "target": "/subscriptions/e72e5254-f265-4e95-9bd2-9ee8e7329051/resourceGroups/josealvar-azd-tests-dev/providers/Microsoft.Resources/deployments/gpt-35-turbo-1106-openai-key",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
  "details": [
    {
      "code": "BadRequest",
      "message": ""
    }
  ]
}

Additional context After too many hours searching, I decided to try adding the secret manually, just to discard that it was an access policy issue. It turns out that the portal provides a very helpful hint for secret names:

image

I realize that this is a backend issue and not necessarily bicep. I am more than happy to relay this issue to a more appropriate audience if necessary.

stephaniezyen commented 9 months ago

Unfortunately this is a Microsoft.Keyvault RP issue. I can route it to that team, but if you would like to streamline the effort, please open a support ticket with the Keyvault RP team.

microsoft-github-policy-service[bot] commented 7 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa. Please see https://aka.ms/biceptypesinfo for troubleshooting help.