Installing keyvault extension on Azure Linux - keyvault extension not respecting keyVaultId

Ranjith Chevanan 20 Reputation points
2025-01-31T18:32:15.1833333+00:00

Hello there,

I'm trying to set up a simple prototype where I can pull a certificate from AKV automatically to my Azure Linux VM. Please note that we have the VM and the Key Vault created in the same subscription but in different resource groups. Assume the name of the VM resource group is vmrg and the Key Vault resource group is kvrg. I tried the following steps:

  1. Enabled Managed Identity for the Azure VM and assigned all the necessary roles at the right level from the portal.
  2. Tried to install the keyvault extension from the portal. Below is the settings file we use.

Please note the usage of keyVaultId to make sure the VM accesses the Key Vault from the correct resource group and not the default of the VM's. Even after this setup, the deployment of the extension keeps failing with 'ParentResourceNotFound', and the message says

Failed to perform 'write' on resource(s) of type 'vaults/accessPolicies', because the parent resource '/subscriptions/<id>/resourceGroups/vmrg/providers/Microsoft.KeyVault/vaults/<kvname>' could not be found.

Note: I have tested from the VM that it has permissions to the keyvault to read secrets using Azure CLI.

Please help me here as I'm stuck with the next steps.

settings.json

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "KeyVaultExtension",
  "apiVersion": "2023-03-01",
  "location": "Central US",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', 'vmname')]"
  ],
  "properties": {
    "publisher": "Microsoft.Azure.KeyVault",
    "type": "KeyVaultForLinux",
    "typeHandlerVersion": "3.0",
    "autoUpgradeMinorVersion": true,
    "enableAutomaticUpgrade": false,
    "settings": {
      "keyVaultId": "/subscriptions/<id>/resourceGroups/kvrg/providers/Microsoft.KeyVault/vaults/<kvname>",
      "requireInitialSync": false,
      "secretsManagementSettings": {
        "pollingIntervalInS": "60",
        "linkOnRenewal": true,
        "observedCertificates": [
          {
            "url": "https://kvname.vault.azure.net/secrets/certname"
          }
        ]
      },
      "authenticationSettings": {
        "msiEndpoint": "http://169.254.169.254/metadata/identity/oauth2/token",
        "msiClientId": "<managedid>"
      }
    }
  }
}
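As an added pre-deployment check (not from the question, the answer, or the extension itself), a small Python validator for a KeyVaultForLinux settings object: it parses keyVaultId, confirms the vault sits in the intended resource group (the cross-resource-group case in the question), confirms each observed certificate URL points at that same vault, and, when loading from a file, rejects non-strict JSON such as comments or trailing commas. The vault name contoso-kv and the all-zero subscription id in the sample are placeholders I constructed.

```python
import json
import re
from urllib.parse import urlparse

# Key Vault ARM resource ID, the shape the extension's keyVaultId setting expects.
VAULT_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)$",
    re.IGNORECASE,
)

def parse_vault_id(vault_id):
    """Return (subscription, resourceGroup, vaultName) or None if malformed."""
    m = VAULT_ID_RE.match(vault_id or "")
    return (m.group("sub"), m.group("rg"), m.group("vault")) if m else None

def check_settings(doc, expected_rg=None):
    """Return findings; doc may be a bare settings object or an ARM resource wrapping it."""
    s = doc.get("properties", {}).get("settings", doc)
    findings = []
    parsed = parse_vault_id(s.get("keyVaultId"))
    if parsed is None:
        return ["keyVaultId is missing or not a Key Vault resource ID"]
    _, rg, vault = parsed
    if expected_rg and rg.lower() != expected_rg.lower():
        findings.append(f"keyVaultId is in resource group '{rg}', expected '{expected_rg}'")
    certs = s.get("secretsManagementSettings", {}).get("observedCertificates", [])
    for cert in certs:
        url = cert.get("url", "") if isinstance(cert, dict) else cert  # v3 uses {"url": ...}
        host = (urlparse(url).hostname or "").lower()
        if not host.endswith(".vault.azure.net"):
            findings.append(f"observed certificate '{url}' is not a vault.azure.net URL")
        elif host.split(".")[0] != vault.lower():
            findings.append(f"observed certificate host '{host}' does not match vault '{vault}'")
    return findings

def check_settings_file(path, expected_rg=None):
    """Strict JSON load: a '//' comment or trailing comma raises ValueError here, not at deploy time."""
    with open(path) as f:
        return check_settings(json.load(f), expected_rg)

# Constructed sample (placeholder subscription id and names), mirroring the question's layout.
SAMPLE = {
    "keyVaultId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                  "/resourceGroups/kvrg/providers/Microsoft.KeyVault/vaults/contoso-kv",
    "secretsManagementSettings": {
        "observedCertificates": [{"url": "https://contoso-kv.vault.azure.net/secrets/certname"}]
    },
}
```

Run `check_settings(SAMPLE, expected_rg="kvrg")` and expect an empty list; pass the VM's resource group instead and the mismatch is reported before anything is deployed.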

Accepted answer
  Mounika Reddy Anumandla 2,265 Reputation points Microsoft Vendor
    2025-02-03T05:21:00.26+00:00

    Hi Ranjith Chevanan,

    According to the documentation, this extension officially supports only Ubuntu 20.04, Ubuntu 22.04, and Azure Linux distributions. https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-linux?tabs=version3#azure-cli-deployment

    Operating system

    The Key Vault VM extension supports these Linux distributions:

    Let me know if you have any further queries!

    If the comment is helpful, please click "upvote" to let us know.

