
Packer - ARM Builder: Key Vault access denied to first party service

I have used build_key_vault_name by bringing my own Key Vault, which has a network restriction and is allowed only to my private network within the VNet; however, Packer is somehow using Azure Compute to fetch the secret using a public IP that belongs to MS.

My Packer log

azure-arm: output will be in this color.
11:52:45  ==> azure-arm: Running builder ...
11:52:45  ==> azure-arm: Getting tokens using client secret
11:52:45  ==> azure-arm: Getting tokens using client secret
11:52:45      azure-arm: Creating Azure Resource Manager (ARM) client ...
11:52:45  ==> azure-arm: Using existing resource group ...
11:52:45  ==> azure-arm:  -> ResourceGroupName : 'images-storage-rg-01'
11:52:45  ==> azure-arm:  -> Location          : 'eastus2'
11:52:45  ==> azure-arm: Setting the certificate in the KeyVault...
11:52:45  ==> azure-arm: Getting the certificate's URL ...
11:52:45  ==> azure-arm:  -> Key Vault Name        : 'packer-kv-01'
11:52:45  ==> azure-arm:  -> Key Vault Secret Name : 'packerKeyVaultSecret'
11:52:45  ==> azure-arm:  -> Certificate URL       : ''
11:52:45  ==> azure-arm: Setting the certificate's URL ...
11:52:45  ==> azure-arm: Validating deployment template ...
11:52:45  ==> azure-arm:  -> ResourceGroupName : 'images-storage-rg-01'
11:52:45  ==> azure-arm:  -> DeploymentName    : 'pkrdpz90dt1tlc0'
11:52:45  ==> azure-arm: Deploying deployment template ...
11:52:45  ==> azure-arm:  -> ResourceGroupName : 'images-storage-rg-01'
11:52:45  ==> azure-arm:  -> DeploymentName    : 'pkrdpz90dt1tlc0'
11:52:45  ==> azure-arm: ERROR: -> DeploymentFailed : At least one resource deployment operation failed. Please list deployment operations for details. Please see for usage details.
11:52:45  ==> azure-arm: ERROR:   -> Conflict
11:52:45  ==> azure-arm: ERROR:   -> ResourceDeploymentFailure : The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.
11:52:45  ==> azure-arm: ERROR:     -> KeyVaultAccessForbidden : Key Vault either has not been enabled for deployment or the vault id provided, /subscriptions/****/resourceGroups/images-storage-rg-01/providers/Microsoft.KeyVault/vaults/packer-kv-01, does not match the Key Vault's true resource id.
11:52:45  ==> azure-arm:
11:52:45  ==> azure-arm: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see for usage details." Details=[{"code":"Conflict","message":"{\r\n  \"status\": \"Failed\",\r\n  \"error\": {\r\n    \"code\": \"ResourceDeploymentFailure\",\r\n    \"message\": \"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.\",\r\n    \"details\": [\r\n      {\r\n        \"code\": \"KeyVaultAccessForbidden\",\r\n        \"message\": \"Key Vault either has not been enabled for deployment or the vault id provided, /subscriptions/****/resourceGroups/images-storage-rg-01/providers/Microsoft.KeyVault/vaults/packer-kv-01, does not match the Key Vault's true resource id.\"\r\n      }\r\n    ]\r\n  }\r\n}"}]
11:52:45  ==> azure-arm: 
11:52:45  ==> azure-arm: The resource group was not created by Packer, deleting individual resources ...
11:52:45  ==> azure-arm: Removing the created Deployment object: 'pkrdpz90dt1tlc0'
11:52:45  ==> azure-arm: 
11:52:45  ==> azure-arm: The resource group was not created by Packer, not deleting ...
11:52:45  Build 'azure-arm' errored after 1 minute 17 seconds: unexpected EOF

My Keyvault audit logs

Access denied to first party service.
Caller: name=Compute;tid=f8cdef31-a31e-4b4a-93e4-5f571e91255a;appid=579d9c9d-4c83-4efc-8124-7eba65ed3356;oid=9486e527-3706-4e7b-8295-613aac964938;iss=

Public IP: Operation: SecretGet


  • What does this Object ID (MS tenant) 9486e527-3706-4e7b-8295-613aac964938 belong to?
  • Why is Packer using an "MS managed SPN" to fetch the secret and not the SPN that I gave?
  • Why is the Key Vault get-secret operation initiated from an MS public IP and not the private IP?


  • Found the issue. The problem is that we need to enable the below two options on the new Key Vault:

    • Azure Virtual Machines for deployment

    • Azure Resource Manager for template deployment


    This will give the right access for Packer (arm) to write the secret into the Key Vault.
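A small audit check in the spirit of the answer above, added here as an example (it is not from the original post, from Packer, or from Azure): it reads the vault JSON in the shape `az keyvault show -n <vault> -o json` returns plus the `Caller:` field from the Key Vault audit entry, and reports which of the two deployment options is missing. The firewall bypass check (`networkAcls.bypass`) goes beyond the answer and is my addition; the sample JSON and caller string are constructed.

```python
import json

# Constructed sample in the shape of `az keyvault show -n packer-kv-01 -o json`,
# trimmed to the fields this check reads; the values are made up for illustration.
SAMPLE_VAULT_JSON = """{
  "name": "packer-kv-01",
  "properties": {
    "enabledForDeployment": false,
    "enabledForTemplateDeployment": false,
    "networkAcls": {"bypass": "None", "defaultAction": "Deny"}
  }
}"""

# Constructed caller string in the format of the Key Vault audit entry quoted in the question.
SAMPLE_CALLER = "name=Compute;tid=00000000-0000-0000-0000-000000000000;appid=<appid>;oid=<oid>;iss="


def parse_caller(caller: str) -> dict:
    """Split a Key Vault audit 'Caller:' field (key=value pairs separated by ';') into a dict."""
    fields = {}
    for part in caller.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def vault_findings(vault_json: str, caller: str) -> list:
    """Explain why a first-party deployment service (Compute, ARM) was denied a
    secret read on this vault, from the vault's properties and the denied caller."""
    props = json.loads(vault_json).get("properties", {})
    who = parse_caller(caller).get("name", "?")
    findings = []
    if not props.get("enabledForDeployment", False):
        findings.append("enabledForDeployment is off: 'Azure Virtual Machines for deployment' is not allowed")
    if not props.get("enabledForTemplateDeployment", False):
        findings.append("enabledForTemplateDeployment is off: 'Azure Resource Manager for template deployment' is not allowed")
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction") == "Deny" and acls.get("bypass") != "AzureServices":
        findings.append("firewall defaults to Deny without the trusted-services bypass, and the "
                        f"'{who}' first-party service calls from a Microsoft IP, not from your VNet")
    return findings


if __name__ == "__main__":
    for finding in vault_findings(SAMPLE_VAULT_JSON, SAMPLE_CALLER):
        print("-", finding)
    # Remediation (Azure CLI): az keyvault update -n packer-kv-01 \
    #   --enabled-for-deployment true --enabled-for-template-deployment true
```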