Azure Pipeline Key vault issue while creating DevTest Labs VM


I want to create an Azure DevTest Labs VM via a pipeline process. However, when I start to deploy, it fails on the step "Create Azure DevTest Lab VM" and it seems to be caused by my key vault being missing. But after checking my key vault, my secret is stored in it and there should be no problem with the permissions.

I'm not sure what the message "A secret store was not set up for the user." means; does it mean that there's a problem with the association between my account and the key vault? How can I verify this? Thanks.

Run Pipeline Result (screenshot): Agent job: Create DevTest Labs VM

Win7entx64.json

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "newVMName": {
            "defaultValue": "win7entx64",
            "type": "String"
        },
        "labName": {
            "defaultValue": "my_lab",
            "type": "String"
        },
        "size": {
            "defaultValue": "Standard_A3",
            "type": "String"
        },
        "userName": {
            "defaultValue": "trendkj",
            "type": "String"
        },
        "password": {
            "type": "securestring",
            "defaultValue": "[[[VmPassword]]"
        }
    },
    "variables": {
        "labSubnetName": "[concat(variables('labVirtualNetworkName'), 'Subnet')]",
        "labVirtualNetworkId": "[resourceId('Microsoft.DevTestLab/labs/virtualnetworks', parameters('labName'), variables('labVirtualNetworkName'))]",
        "labVirtualNetworkName": "[concat('Dtl', parameters('labName'))]",
        "vmId": "[resourceId ('Microsoft.DevTestLab/labs/virtualmachines', parameters('labName'), parameters('newVMName'))]",
        "vmName": "[concat(parameters('labName'), '/', parameters('newVMName'))]"
    },
    "resources": [
        {
            "type": "Microsoft.DevTestLab/labs/virtualmachines",
            "apiVersion": "2018-10-15-preview",
            "name": "[variables('vmName')]",
            "location": "westus",
            "properties": {
                "labVirtualNetworkId": "[variables('labVirtualNetworkId')]",
                "notes": "Windows 7 Enterprise",
                "galleryImageReference": {
                    "offer": "windows-7",
                    "publisher": "microsoftwindowsdesktop",
                    "sku": "win7-enterprise",
                    "osType": "Windows",
                    "version": "latest"
                },
                "size": "[parameters('size')]",
                "userName": "[parameters('userName')]",
                "password": "[parameters('password')]",
                "isAuthenticationWithSshKey": false,
                "labSubnetName": "[variables('labSubnetName')]",
                "disallowPublicIpAddress": true,
                "storageType": "Standard",
                "allowClaim": false
            }
        }
    ],
    "outputs": {
        "labVMId": {
            "type": "String",
            "value": "[variables('vmId')]"
        }
    }
}

My secret in the Key Vault (screenshot)

My Access Policy in the Key Vault (screenshot)


There are 3 answers

Hugh Lin

According to your reference to the key vault in the ARM template, "defaultValue": "[[[VmPassword]]", you should use the secret saved in DevTest Labs. Page as shown below.

(screenshot)

If you want to use the secret in the Key Vault page as shown in the question, the reference in the ARM template should be as follows:

"sqlAdministratorLoginPassword": {
    "reference": {
        "keyVault": {
            "id": "/subscriptions/25abd97b-44a3-4092-8337-xxxx/resourceGroups/mykeyvault/providers/Microsoft.KeyVault/vaults/cmkvtest"
        },
        "secretName": "sqlpassword"
    }
}

About this, please refer to the "3.ADD KEY VAULT SECRETS TO YOU ARM TEMPLATES" part of this artifact.

Kenny Saelen

Are you missing a ']'?

[[[VmPassword]] --> [[[VmPassword]]]

Octavian C

It has been a while since this was posted. I am facing the same issue. The secret that you are setting in the DevTest Lab is only visible to the user creating it.

The API gives more insight about the secret. The call for getting the secret is the following: GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DevTestLab/labs/{labName}/users/{userName}/secrets/{name}?api-version=2018-09-15 As you see, there is also the username in the path.

So if you have UserA and UserB, and UserA sets a secret in the DTL lab, when UserB goes into My secrets he will not see the secret of UserA. He can even create a secret with the same name with a different value.

It is a shame that you cannot have common secrets for all the users in a DevTest Lab (maybe there is a way, but I did not find it yet).

In other words, you need to log in to the DTL with the user defined in the Azure connection from Azure DevOps and create the secret manually. Or create it from the pipeline under his context.

Reference:

https://learn.microsoft.com/en-us/rest/api/dtl/secrets/get

https://learn.microsoft.com/en-us/rest/api/dtl/secrets/create-or-update
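The three answers each point at a different failure point: the bracket count in the lab-secret placeholder (Kenny Saelen), the shape of a Key Vault reference (Hugh Lin), and the fact that lab secrets are scoped to the user who created them (Octavian C). The following Python script is an added example, not code from the question or from any of the answers, that checks all three before the "Create Azure DevTest Lab VM" step runs. It assumes the [[[secretName]]] placeholder syntax for lab secrets, the parameters-file shape of a Key Vault reference, and a caller-supplied set of secret names per user. That per-user set is constructed here; in a real pipeline it would come from the secrets GET endpoint Octavian links, queried as the identity the service connection uses. The subscription, resource group and vault names in the sample parameters file are placeholders.

```python
"""Pre-deployment checks for the DevTest Labs / Key Vault secret references in this thread.

Added example, not code from the question or any answer. Assumptions:
  * a lab-secret placeholder in a parameter defaultValue is [[[secretName]]];
  * a Key Vault reference in an ARM parameters file is
    {"reference": {"keyVault": {"id": "..."}, "secretName": "..."}};
  * the caller supplies the secret names visible to each user (constructed below).
"""
import json
import re

# Well-formed lab-secret placeholder: exactly three brackets on each side.
LAB_SECRET_RE = re.compile(r"^\[\[\[(?P<name>[^\[\]]+)\]\]\]$")
# Something that was meant to be a placeholder but has the wrong bracket count.
LAB_SECRET_LOOSE_RE = re.compile(r"^\[{2,4}(?P<name>[^\[\]]+)\]{2,4}$")
# Shape of a Key Vault resource id as used in a parameters-file reference.
VAULT_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$"
)


def check_lab_secret_placeholders(template: dict) -> list:
    """One finding per parameter whose defaultValue references a lab secret."""
    findings = []
    for param, spec in template.get("parameters", {}).items():
        value = spec.get("defaultValue")
        if not isinstance(value, str):
            continue
        m = LAB_SECRET_RE.match(value)
        if m:
            findings.append({"parameter": param, "secret": m.group("name"), "ok": True, "problem": None})
            continue
        m = LAB_SECRET_LOOSE_RE.match(value)
        if m:
            name = m.group("name")
            findings.append({"parameter": param, "secret": name, "ok": False,
                             "problem": f"malformed placeholder {value!r}, expected '[[[{name}]]]'"})
    return findings


def check_keyvault_references(parameters_file: dict) -> list:
    """Validate Key Vault references in a parameters file (the form in Hugh Lin's answer)."""
    findings = []
    for param, spec in parameters_file.get("parameters", {}).items():
        ref = spec.get("reference")
        if not isinstance(ref, dict):
            continue
        vault_id = ref.get("keyVault", {}).get("id", "")
        secret = ref.get("secretName", "")
        problems = []
        if not VAULT_ID_RE.match(vault_id):
            problems.append("keyVault.id is not a Key Vault resource id")
        if not secret:
            problems.append("secretName is missing")
        findings.append({"parameter": param, "secret": secret, "ok": not problems,
                         "problem": "; ".join(problems) or None})
    return findings


def missing_for_user(findings: list, user_secret_names) -> list:
    """Lab secrets the template needs that the given user cannot see (Octavian C's point)."""
    visible = set(user_secret_names)
    return sorted({f["secret"] for f in findings if f["ok"] and f["secret"] not in visible})


# Constructed: the relevant part of the question's parameters, as posted (two
# closing brackets) and with Kenny Saelen's fix applied (three).
QUESTION_TEMPLATE = json.loads("""{
  "parameters": {
    "userName": {"type": "String", "defaultValue": "trendkj"},
    "password": {"type": "securestring", "defaultValue": "[[[VmPassword]]"}
  }
}""")
FIXED_TEMPLATE = json.loads("""{
  "parameters": {
    "userName": {"type": "String", "defaultValue": "trendkj"},
    "password": {"type": "securestring", "defaultValue": "[[[VmPassword]]]"}
  }
}""")

# Constructed parameters file with a Key Vault reference; all ids are placeholders.
PARAMETERS_FILE = json.loads("""{
  "parameters": {
    "password": {
      "reference": {
        "keyVault": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-placeholder/providers/Microsoft.KeyVault/vaults/kv-placeholder"},
        "secretName": "VmPassword"
      }
    }
  }
}""")

# Constructed per-user listings: the secret exists for the interactive user
# but not for the identity the pipeline's service connection runs as.
USER_SECRETS = {"user-a": {"VmPassword"}, "pipeline-identity": set()}

if __name__ == "__main__":
    for label, tpl in (("as posted", QUESTION_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        for finding in check_lab_secret_placeholders(tpl):
            print(label, finding)
    for user, names in USER_SECRETS.items():
        print(user, "missing:", missing_for_user(check_lab_secret_placeholders(FIXED_TEMPLATE), names))
    print(check_keyvault_references(PARAMETERS_FILE))
```

Run it against the template and parameters file the pipeline is about to deploy; a malformed placeholder or a secret that the deploying identity cannot see is reported before Azure Resource Manager ever sees the request. Two things the script cannot verify for you: a Key Vault reference of the form Hugh Lin shows is only honoured in a parameters file (or a nested deployment's parameters), not in a template's defaultValue, and the vault must have enabledForTemplateDeployment set and grant the deploying principal Microsoft.KeyVault/vaults/deploy/action, otherwise the same step fails for a different reason.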