Key Vault VM Windows extension deployment fails

Internal 10 Reputation points
2024-05-01T14:48:32.72+00:00

Hi all,

I am trying to deploy the KeyVault VM extension on my Virtual Machine. However, it fails with the below error message: "VM has reported a failure when processing extension 'KeyVaultForWindows' (publisher 'Microsoft.Azure.KeyVault' and type 'KeyVaultForWindows'). Error message: 'Unable to find secretsManagementSettings.'"

I am following the below official Microsoft doc:

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows?tabs=version3

I have checked that my VM's Managed Identity has the needed permissions. The error code indicates that there is an issue with the Deployment template, but I can't figure it out. Below is the template I'm using where I masked the sensitive information:

{
   "type": "Microsoft.Compute/virtualMachines/extensions",
   "name": "KVVMExtensionForWindows",
   "apiVersion": "2023-07-01",
   "location": "location",
   "dependsOn": [
      "[concat('Microsoft.Compute/virtualMachines/',VMName)]"
   ],
   "properties": {
      "publisher": "Microsoft.Azure.KeyVault",
      "type": "KeyVaultForWindows",
      "typeHandlerVersion": "3.0",
      "autoUpgradeMinorVersion": true,
      "settings": {
         "secretsManagementSettings": {
            "pollingIntervalInS": "3600",
            "linkOnRenewal": true,
            "requireInitialSync": true,
            "observedCertificates": [
               {
                  "url": "https://kvname.vault.azure.net/secrets/certificatename/",
                  "certificateStoreName": "MY",
                  "certificateStoreLocation": "Local Machine",
                  "accounts": ["Network Service", "Local Service"]
               }
            ]
         },
         "authenticationSettings": {
            "msiEndpoint": "https://169.254.169.254/metadata/identity/oauth2/token"
         }
      }
   }
}

I am putting the template in the "Settings" when I go to Extension + Applications. Any help would be appreciated to troubleshoot this. Thank you!


1 answer

  1. deherman-MSFT 34,021 Reputation points Microsoft Employee
    2024-05-06T17:11:26.45+00:00

    @Internal

    When adding the extension via the portal you don't need to include the full JSON template. I believe you should just include what is under the settings.

    {
       "secretsManagementSettings": {
          "pollingIntervalInS": "3600",
          "linkOnRenewal": true,
          "requireInitialSync": true,
          "observedCertificates": [
             {
                "url": "https://kvname.vault.azure.net/secrets/certificatename/",
                "certificateStoreName": "MY",
                "certificateStoreLocation": "Local Machine",
                "accounts": ["Network Service", "Local Service"]
             }
          ]
       },
       "authenticationSettings": {
          "msiEndpoint": "https://169.254.169.254/metadata/identity/oauth2/token"
       }
    }

    Please try this and see if it resolves your issue. If not, we can work with you further to investigate.


    If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

    If the answer has been helpful, we appreciate hearing from you and would love to help others who may have the same question. Accepting answers helps increase visibility of this question for other members of the Microsoft Q&A community.

    Thank you for helping to improve Microsoft Q&A!
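
The answer's suggestion can be checked before pasting. This is an added example, not code from the original thread or from Microsoft's documentation: it takes either the full ARM resource or the bare settings object and returns only what belongs in the portal's Settings field. `portal_settings` is a hypothetical helper, and the assumption that the extension expects `secretsManagementSettings` at the top level of the settings comes from the error message and the answer above.

```python
import json

# Constructed sample: a trimmed copy of the ARM resource from the question (masked values).
ARM_RESOURCE = """
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "KVVMExtensionForWindows",
  "properties": {
    "publisher": "Microsoft.Azure.KeyVault",
    "type": "KeyVaultForWindows",
    "settings": {
      "secretsManagementSettings": {
        "pollingIntervalInS": "3600",
        "observedCertificates": [
          {"url": "https://kvname.vault.azure.net/secrets/certificatename/",
           "certificateStoreName": "MY"}
        ]
      },
      "authenticationSettings": {
        "msiEndpoint": "https://169.254.169.254/metadata/identity/oauth2/token"
      }
    }
  }
}
"""

def portal_settings(text):
    """Hypothetical helper: return the object to paste into the Settings field.

    Accepts the full ARM extension resource or the bare settings object.
    Raises ValueError (including on malformed JSON) when the input is unusable.
    """
    doc = json.loads(text)  # JSONDecodeError is a ValueError, e.g. an unclosed string
    # A full ARM resource nests the settings under properties.settings; unwrap it.
    props = doc.get("properties") if isinstance(doc, dict) else None
    if isinstance(props, dict) and "secretsManagementSettings" not in doc:
        doc = props.get("settings")
    if not isinstance(doc, dict):
        raise ValueError("settings must be a JSON object")
    sms = doc.get("secretsManagementSettings")
    if not isinstance(sms, dict):
        raise ValueError("secretsManagementSettings missing at top level")
    if not sms.get("observedCertificates"):
        raise ValueError("observedCertificates is empty or missing")
    return doc

if __name__ == "__main__":
    print(json.dumps(portal_settings(ARM_RESOURCE), indent=2))
```
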
