The error you mentioned indicates your Fabric cluster deployment is failing to retrieve the storage account key needed to configure the AzureBlobServiceFabricEtw section, which is used for logging. Because of this, the Fabric Deployer is not able to resolve the StoreConnectionString parameter, and the deployment gets stuck. So just adding the secret to Key Vault or assigning a managed identity to the VM scale set might not be enough; you have to explicitly link the VM scale set's managed identity to the Key Vault and grant it the appropriate permissions to access the secret.
Check the steps below to troubleshoot the issue:
1. Grant the VMSS Managed Identity access to Key Vault: There are two primary ways to grant access to the Key Vault, and it depends on your Key Vault's permission model.
· Using Access Policies: The most likely cause is that the managed identity of your VM scale set does not have the necessary "Get" and "List" secret permissions on the Key Vault. The Fabric deployment script, running on the VM, uses this identity to fetch the secret, and if it doesn't have these permissions, it will fail. To fix this:
Go to the Azure portal and navigate to your Key Vault. Go to Access policies and add a new policy. Select the managed identity of your VM scale set (under the "Select principal" field). Under "Secret permissions," check the boxes for Get and List. Then save the policy.
· __Using Azure Role-Based Access Control (RBAC):__ Find the principalId of your VMSS managed identity. You can find this by running:
az vmss show --resource-group <resource-group-name> --name <vmss-name> --query "identity.principalId" -o tsv
Then assign the Key Vault Secrets User role to this principal ID, scoped to the Key Vault. This role provides permission to read and list secrets in the Key Vault.
For more information, refer here: Grant permission to applications to access an Azure key vault using Azure RBAC | Microsoft Learn
Tutorial - Use Azure Key Vault with an Azure web app in .NET | Microsoft Learn
2. Verify the secret in Key Vault: Ensure that the secret name in Key Vault exactly matches the name referenced in your ARM template (StorageAccountKey1). Secret names are case-sensitive. Also check that the value of the secret is the actual storage account key, not the connection string, as the Fabric Deployer specifically requires the key. You can check it using the command below:
az keyvault secret show --vault-name <YourKeyVaultName> --name StorageAccountKey1
3. Check the ARM/Bicep template references: check that the Key Vault reference for the StoreConnectionString parameter in the Service Fabric cluster template is correct. In the parameters file the reference replaces the plain "value" entry for that parameter:
    "StoreConnectionString": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vaultName>"
        },
        "secretName": "StorageAccountKey1"
      }
    }
4. Re-deploy the cluster: The deployment might be failing for the reasons above. Once the secret and permissions are corrected, re-running the deployment should allow the FabricDeployer to successfully resolve the StoreConnectionString and complete the cluster setup.
Kindly check the above procedure provided to troubleshoot your issue. Let me know if you require any additional assistance from my end. I am happy to help you with the queries. If the information is helpful, please click on Upvote and Accept Answer on it so that it can help other community members.
Thanks,
Rashmika
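The following script automates steps 1 and 2 of the answer above. It is an added example and is not part of the original answer. The `az` calls assume a logged-in Azure CLI, a VM scale set with a system-assigned identity, and a Key Vault using the RBAC permission model; the resource group, VMSS, vault and secret names are passed as arguments, and nothing is sent to Azure unless the script is invoked with them. The value checks (a bare 512-bit storage account key is 88 Base64 characters ending in "==", while a connection string carries it in an `AccountKey=` field) are pure shell and run offline; the key used in the usage note below is a constructed string, not a real key.

```shell
#!/bin/sh
# Grant a VMSS managed identity read access to a Key Vault secret and verify
# that the secret holds a bare storage account key (example, not Microsoft code).

# A storage account key is 64 random bytes, Base64-encoded: 88 chars ending "==".
is_storage_account_key() {
    key=$1
    [ "${#key}" -eq 88 ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # not Base64 alphabet
    esac
    case $key in
        *==) return 0 ;;
        *) return 1 ;;
    esac
}

# If a whole connection string was pasted into the secret, pull the key out
# of its AccountKey= field; otherwise return the value unchanged.
extract_account_key() {
    value=$1
    case $value in
        *AccountKey=*)
            rest=${value#*AccountKey=}   # drop everything up to AccountKey=
            printf '%s\n' "${rest%%;*}"  # keep up to the next ';' separator
            ;;
        *) printf '%s\n' "$value" ;;
    esac
}

# Print the usable key and return 0, or return 1 with a diagnostic on stderr.
check_secret_value() {
    key=$(extract_account_key "$1")
    if is_storage_account_key "$key"; then
        printf '%s\n' "$key"
        return 0
    fi
    echo "secret value is neither a storage account key nor a connection string containing one" >&2
    return 1
}

# Step 1 (RBAC model): look up the VMSS identity and grant it
# "Key Vault Secrets User" scoped to the vault itself. Requires a logged-in az CLI.
grant_vmss_secret_access() {
    rg=$1; vmss=$2; vault=$3
    principal_id=$(az vmss show --resource-group "$rg" --name "$vmss" \
        --query 'identity.principalId' -o tsv)
    [ -n "$principal_id" ] || { echo "VMSS $vmss has no system-assigned identity" >&2; return 1; }
    vault_id=$(az keyvault show --name "$vault" --query id -o tsv)
    az role assignment create --assignee-object-id "$principal_id" \
        --assignee-principal-type ServicePrincipal \
        --role "Key Vault Secrets User" --scope "$vault_id" >/dev/null
    echo "granted Key Vault Secrets User to $principal_id on $vault_id"
}

# Step 2: fetch the secret (name is case-sensitive) and confirm its shape.
verify_secret() {
    vault=$1; name=$2
    value=$(az keyvault secret show --vault-name "$vault" --name "$name" \
        --query value -o tsv) || return 1
    check_secret_value "$value" >/dev/null
}

# Usage: sh fix-kv-access.sh <resource-group> <vmss-name> <vault-name> [secret-name]
# Without arguments only the helper functions are defined, so nothing touches Azure.
if [ "$#" -ge 3 ]; then
    secret=${4:-StorageAccountKey1}
    grant_vmss_secret_access "$1" "$2" "$3"
    if verify_secret "$3" "$secret"; then
        echo "secret $secret looks like a storage account key"
    else
        echo "secret $secret needs to be replaced with the bare storage account key" >&2
        exit 1
    fi
fi
```

Run it as `sh fix-kv-access.sh <resource-group> <vmss-name> <vault-name> StorageAccountKey1`. If the secret was populated with a connection string, `check_secret_value` prints the extracted key, which you can write back with `az keyvault secret set --vault-name <vault> --name StorageAccountKey1 --value "<key>"` before redeploying. A constructed 88-character string such as 86 Base64 characters followed by `==` passes the shape check; anything shorter, or a value still prefixed with `DefaultEndpointsProtocol=`, is rejected.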