Retrieving Secret value from one ReourceGroup and apply to different ResourceGroup: BadRequest Error

[link78]

Now, Im trying to automate my secret creation. I have secret resource in different Resource Group that use the same secret value and Name. Im trying to retrieve the secret value in one Rg and apply to different Rg since they both are using the same secret Value and Name.

Here is my code:

// Retreiving KV
resource kvvalues 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name: kvName
scope: resourceGroup(kvrg)
}

// Key Vault modules
module kv 'modules/bibSecrets-module.bicep' = {
scope: rg
name: 'kv'
params: {
environment_short: environment_short
SQL_BCPPwd: kvvalues.getSecret('SQL_BCPPwd')
SQL_BCPUser: kvvalues.getSecret('SQL_BCPPwd')
SQL_BHPwd: kvvalues.getSecret('SQL_BCPPwd')

}
}

Errors:

MultipleErrorsOccurred - Multiple error occurred: BadRequest,BadRequest,BadRequest,BadRequest,BadRequest,BadRequest,BadRequest,BadRequest,BadRequest,BadRequest. Please see details.
BadRequest - The secret of KeyVault parameter 'SQL_BCPPwd' cannot be retrieved. Http status code: 'BadRequest'. Error message: 'The request URI contains an invalid name:

SQL_BCPPwd'. Please see https://aka.ms/arm-keyvault for usage details.
BadRequest - The secret of KeyVault parameter 'SQL_BCPUser' cannot be retrieved. Http status code: 'BadRequest'. Error message: 'The request URI contains an invalid name:

SQL_BCPPwd'. Please see https://aka.ms/arm-keyvault for usage details.
BadRequest - The secret of KeyVault parameter 'SQL_BHPwd' cannot be retrieved. Http status code: 'BadRequest'. Error message: 'The request URI contains an invalid name:

[brwilkinson]

Can you try removing the scope value from whichever resource group you are deploying into.

There are 2 options..

1. you are deploying into the RG where the KV is deployed, then remove the scope from kvvalues resource.
2. you are deploying into the RG where the secrets are used, then remove the scope from the kv module.

[link78]

The KV existed in Rg1.
Im retrieving from Rg1 and applying into Rg2, but they have the same name and value.
Full Code:

@secure()
param FE_SQL_BCPPwd string

@secure()
param FE_SQL_BCPUser string

var keyVault_name_var = 'KIK${environment}KV1'

resource keyVault_name 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
name: keyVault_name_var
location: resourceGroup().location

properties: {
tenantId: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
sku: {
family: 'A'
name: 'standard'
}
enabledForTemplateDeployment: true
publicNetworkAccess: 'Enabled'
enableSoftDelete: true
softDeleteRetentionInDays: 90
accessPolicies: [
{
tenantId: ''
objectId: ''
permissions: {
keys: []
secrets: [
'get'
'list'
'set'
'delete'
'recover'
'backup'
'restore'
]
certificates: [
'get'
'list'
]
}
}
{
tenantId: ''
objectId: ''
permissions: {
keys: [
'get'
'list'
'update'
'create'
'import'
'delete'
'recover'
'backup'
'restore'
]
secrets: [
'get'
'list'
'set'
'delete'
'recover'
'backup'
'restore'
]
certificates: [
'get'
'list'
'update'
'create'
'import'
'delete'

      ]
    }
  }
  {
    tenantId: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    objectId: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    permissions: {
      keys: [
        
      ]
      secrets: [
       
      ]
      certificates: [
       
      ]
    }
  }
  
  }
]

}
}

resource keyVault_name_FE_SQL_BCPPwd 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
parent: keyVault_name
name: 'FE-SQL-BCPPwd'

properties: {
attributes: {
enabled: true
}
contentType: 'string'
value: FE_SQL_BCPPwd
}
}

resource keyVault_name_FE_SQL_BCPUser 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
parent: keyVault_name
name: 'FE-SQL-BCPUser'

properties: {
attributes: {
enabled: true
}
contentType: 'string'
value: FE_SQL_BCPUser
}
}

Module file code:*******************

resource kvvalues 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
name: kvName
scope: resourceGroup('RG1')
}

// // Key Vault modules
module kv 'modules/bibSecrets-module.bicep' = {
scope: rg2
name: 'kv'
params: {
environment_short: environment_short
FE_SQL_BCPPwd: kvvalues.getSecret('FE_SQL_BCPPwd')
FE_SQL_BCPUser: kvvalues.getSecret('FE_SQL_BCPPwd')
}
}

[brwilkinson]

like I mentioned, remove the scope property of whichever resource group you are deploying.

E.g. if you are deploying into rg2, then...

before

module kv 'modules/bibSecrets-module.bicep' = {
scope: rg2
name: 'kv'
params: {
environment_short: environment_short
FE_SQL_BCPPwd: kvvalues.getSecret('FE_SQL_BCPPwd')
FE_SQL_BCPUser: kvvalues.getSecret('FE_SQL_BCPPwd')
}
}

after

module kv 'modules/bibSecrets-module.bicep' = {
name: 'kv'
params: {
environment_short: environment_short
FE_SQL_BCPPwd: kvvalues.getSecret('FE_SQL_BCPPwd')
FE_SQL_BCPUser: kvvalues.getSecret('FE_SQL_BCPPwd')
}
}

[link78]

If i removed RG2 in the module file, im getting error: Scope "subscription" is not valid for this module. Permitted scopes: "resourceGroup".bicep(BCP134)

KV and secret are already created in RG01, so im retrieving secrets from RG01 and applying to RG02. they all have the same secret Name and secret Value.

[brwilkinson]

I see, so you are doing a subscription deployment, not a resource group deployment.

It looks like you have a permissions issue on the keyvault. Since you (or some other principal) are deploying, the identity needs the permissions on the keyvault.

What are you using for these values, are you adding your own identity?

accessPolicies: [
{
tenantId: ''
objectId: ''

Although not directly realted:
I would recommend to move away from using access policies and use RBAC authentication for the keyvault instead.

https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azurepowershell

[link78]

I am using TenantID and ObjectID for
accessPolicies: [
{
tenantId: ''
objectId: ''

I will look into RBAC for KV.
Second question: I have been trying to enable CDN MANAGED Certificate using Bicep but I am not able to get it to work. Any recommendation:

resource biberk_wildcard_2019 'Microsoft.Cdn/profiles/secrets@2020-09-01' = {
name: 'KeyVault1'
parent: testresearchcdn
properties: {
parameters: {
type: 'CustomerCertificate'
certificateAuthority: 'OU=http://certs.godaddy.com/repository/'
secretSource: {
id: ''
}
secretVersion: ''
subjectAlternativeNames: [
'*.example.com'
example.com'
]
useLatestVersion: false
}
}
dependsOn: [
test_researchcdn_biberk_com
]

}

[brwilkinson]

can you switch this out to a new discussion item. since the topic is different.