ARM Deployment of HDI/Spark with KeyVault

    Question

  • Hi guys,

    I basically want to create my HDI/Spark Cluster which accesses an Azure Data Lake Store by using ARM templates and also Azure Key Vault.

    So far I created the cluster manually and stored the ARM template. Then I tried to populate the sensitive values from Azure Key Vault but I am struggling how to pass in the "identityCertificate" correctly.

    I also followed these steps to create the Certificate and everything: https://github.com/Azure/azure-quickstart-templates/tree/master/201-hdinsight-datalake-store-azure-storage
    and then these steps to upload the certificate into the KeyVault: https://blogs.technet.microsoft.com/kv/2016/09/26/get-started-with-azure-key-vault-certificates/

    However, referencing the KeyVault secret in my ARM template always ends up in this error:
    { "status": "Failed", "error": { "code": "ResourceDeploymentFailure", "message": "The resource operation completed with terminal provisioning state 'Failed'.", "details": [ { "code": "InvalidDocumentErrorCode", "message": "DeploymentDocument 'AmbariConfiguration_1_7' failed the validation. Error: 'Error while getting access to the datalake storage account gbhdi: The specified network password is not correct.\r\n.'" } ] } }

    doing everything manually using same certificate etc. works just fine

    any ideas on this?

    thanks in advance,
    -gerhard


    Gerhard Brueckl
    blogging @ http://blog.gbrueckl.at
    working @ http://www.pmOne.com


    Thursday, August 17, 2017 10:39 AM

Answers

  • seems like I found the issue and it is actually related to the previously failed ARM deployments which leave some fragments of the HDI cluster and new deployments do not overwrite these fragments but use the old settings

    after deleting the cluster (which was not working anyway) I could deploy it as expected.

    However, it is worth mentioning that the certificate has to be stored in KeyVault as Secret and not as Key and that it has to be base64 encoded!

    here is the PowerShell script that I used:

    # Add Certificate to KeyVault
    # Read the PFX as raw bytes and base64-encode it (the secret must hold the base64 text, not the binary PFX)
    $base64Cert = [System.Convert]::ToBase64String((Get-Content $certFilePath -Encoding Byte))
    # Optional copy of the encoded string next to the PFX; note this is a second plain-text copy of the private key on disk
    $base64Cert | Out-File $certFilePath.Replace(".pfx", ".base64.txt")
    # Store it as a Key Vault Secret (not a Key); the ARM parameter reference reads the secret value
    $cer3 = Set-AzureKeyVaultSecret -VaultName $vaultName -Name $certName -SecretValue (ConvertTo-SecureString -String $base64Cert -AsPlainText -Force)

    hope that helps other people facing the same issue!

    -gerhard


    Gerhard Brueckl
    blogging @ http://blog.gbrueckl.at
    working @ http://www.pmOne.com

    Friday, August 18, 2017 11:56 AM
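As an added example that is not part of the thread, the following PowerShell pre-flight check reads the secret back from Key Vault, decodes it and loads the PFX in memory to confirm password, private key, thumbprint and validity before any deployment, then writes the parameters-file entry that hands the secret to the template's identityCertificate parameter by reference instead of pasting the base64 string into the template. It assumes the same AzureRM-era cmdlets the answer uses; vault name, secret name, thumbprint and password are placeholders.

```powershell
# Added example (not from the thread): validate the Key Vault secret before deploying,
# then emit the ARM parameters file entry that references it.
# Assumes the AzureRM-era cmdlets used in the answer; all <...> values are placeholders.
$vaultName          = "<your-key-vault>"
$certName           = "<secret-name-holding-the-base64-pfx>"
$expectedThumbprint = "<thumbprint registered on the service principal>"
$pfxPassword        = Read-Host -Prompt "PFX password" -AsSecureString

# 1. Read the secret back. It must be a Secret (not a Key) containing base64 text,
#    otherwise the deployment fails the way the thread describes.
$secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certName
if (-not $secret) { throw "Secret '$certName' not found in vault '$vaultName'." }

# 2. Decode to raw PFX bytes and load it in memory only (nothing is written to disk).
#    FromBase64String throws on non-base64 content; Import throws on a wrong password,
#    which is the condition HDI reports as "The specified network password is not correct".
$pfxBytes = [System.Convert]::FromBase64String($secret.SecretValueText)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxBytes, $pfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

# 3. Sanity checks on the credential the cluster will authenticate to Data Lake Store with.
if (-not $cert.HasPrivateKey) { throw "PFX has no private key; HDI cannot authenticate with it." }
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw "Thumbprint mismatch: vault holds $($cert.Thumbprint), expected $expectedThumbprint."
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
Write-Host "OK: '$certName' decodes to PFX $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 4. Reference the secret from the parameters file instead of inlining the base64 string.
#    The template's identityCertificate parameter must be declared as securestring for
#    Resource Manager to accept a Key Vault reference.
$vault = Get-AzureRmKeyVault -VaultName $vaultName
$parameters = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        identityCertificate = @{
            reference = @{
                keyVault   = @{ id = $vault.ResourceId }
                secretName = $certName
            }
        }
    }
}
$parameters | ConvertTo-Json -Depth 10 | Out-File 'hdi.parameters.json' -Encoding ascii
```

Running this against the vault before New-AzureRmResourceGroupDeployment surfaces a wrong PFX password, a secret that holds the binary PFX instead of base64 text, or a certificate that no longer matches the service principal, without waiting for the cluster provisioning to fail.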

All replies

  • You may refer to the MSDN thread which addresses a similar query and see if that helps.

    Also, I’m moving this thread to the appropriate forum for a better audience.

    -----------------------------------------------------------------------------------------------
    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Thursday, August 17, 2017 2:54 PM
    Moderator
  • thanks for the reply but the thread you referred to does not use KeyVault but pure PowerShell.

    So far I could not make it work using KeyVault or any of the Base64-Strings that the PowerShell script would return directly in the ARM template

    is there any example how this can be accomplished? passing the certificate directly in ARM as plain text?

    maybe this would help to solve my issue

    -gerhard


    Gerhard Brueckl
    blogging @ http://blog.gbrueckl.at
    working @ http://www.pmOne.com

    Friday, August 18, 2017 6:43 AM
  • Glad to hear that you have found an answer. Appreciate you sharing the steps which helped you; this would certainly benefit other community members.


    Friday, August 18, 2017 2:16 PM
    Moderator