Using certificate/secret from multiple KeyVault under different subscriptions in VMSS


I am trying to install a certificate from a KeyVault under a different subscription.

Currently my VMSS and KeyVault are under the same subscription. I want to add one more certificate from a KeyVault which is located in a different subscription.

Below is the part of the VMSS resource template where I am trying to add the certificate secret URL.

"secrets": [
  {
    "sourceVault": {
      "id": "/subscriptions/xxxx/resourceGroups/resgroupname/providers/Microsoft.KeyVault/vaults/KV1"
    },
    "vaultCertificates": [
      {
        "certificateUrl": "certificate1 secret URL",
        "certificateStore": "My"
      }
    ]
  },
  {
    "sourceVault": {
      "id": "/subscriptions/yyyy/resourceGroups/resgroupname/providers/Microsoft.KeyVault/vaults/KV2"
    },
    "vaultCertificates": [
      {
        "certificateUrl": "certificate2 secret URL",
        "certificateStore": "My"
      }
    ]
  }
]

While updating, I am getting the error below.

{ "error": { "code": "InvalidParameter", "message": "The SubscriptionId:"xxxx" of the request must match the SubscriptionId "yyyy" contained in the Key Vault Id.", "target": "sourceVault.id" } }

My VMSS is under subscription xxxx, Managed Identity is enabled, and the resource ID is added in the access policy of the Key Vault which is in a different subscription. Is it possible to achieve this? Please let me know if I can add more details.


There is 1 answer

Stringfellow On BEST ANSWER

No, not according to another question and answer I found. https://stackoverflow.com/a/39778536/2778027

The response appears to be from someone at Microsoft Azure.
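Given the restriction reported in the error above, a template can be checked before deployment for `sourceVault` entries that sit outside the scale set's subscription. The following is an added example, not code from the question or the answer; the function names are hypothetical, and the sample data reuses the placeholder subscription values `xxxx` and `yyyy` from the question.

```python
import re

# Subscription segment of an ARM resource ID; segment names are case-insensitive.
_SUB_RE = re.compile(r"^/subscriptions/([^/]+)/", re.IGNORECASE)


def subscription_of(resource_id):
    """Return the lower-cased subscription segment of a resource ID, or None if malformed."""
    m = _SUB_RE.match(resource_id or "")
    return m.group(1).lower() if m else None


def find_cross_subscription_vaults(secrets, vmss_subscription):
    """Hypothetical helper: return (index, vault_id, reason) for each secrets[] entry
    whose sourceVault.id is missing, malformed, or in another subscription."""
    findings = []
    for i, entry in enumerate(secrets):
        vault_id = (entry.get("sourceVault") or {}).get("id")
        sub = subscription_of(vault_id)
        if sub is None:
            findings.append((i, vault_id, "missing or malformed sourceVault.id"))
        elif sub != vmss_subscription.lower():
            findings.append(
                (i, vault_id, f"vault subscription {sub!r} != VMSS subscription {vmss_subscription!r}")
            )
    return findings


# Constructed sample mirroring the "secrets" array from the question.
SAMPLE_SECRETS = [
    {
        "sourceVault": {"id": "/subscriptions/xxxx/resourceGroups/resgroupname/providers/Microsoft.KeyVault/vaults/KV1"},
        "vaultCertificates": [{"certificateUrl": "certificate1 secret URL", "certificateStore": "My"}],
    },
    {
        "sourceVault": {"id": "/subscriptions/yyyy/resourceGroups/resgroupname/providers/Microsoft.KeyVault/vaults/KV2"},
        "vaultCertificates": [{"certificateUrl": "certificate2 secret URL", "certificateStore": "My"}],
    },
]

if __name__ == "__main__":
    # The VMSS in the question lives in subscription "xxxx".
    for idx, vault, reason in find_cross_subscription_vaults(SAMPLE_SECRETS, "xxxx"):
        print(f"secrets[{idx}]: {vault}: {reason}")
```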