Cannot work with Azure Key Vault certificate in "Azure PowerShell script" step

Sorin_Pasa · 28 September 2017 12:49

Hi all,
I need to work with Azure Key Vault certificates in my powershell script, but I get this error:

Invoke-Expression : The term ‘Get-AzureKeyVaultCertificate’ is not recognized
as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is
correct and try again.

At C:\Octopus\Work\20170928123911-9\ResourceProvisioning\Octopus.AzureContext.p
s1:99 char:5

Invoke-Expression ". $OctopusAzureTargetScript $OctopusAzureTarge ...

```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : ObjectNotFound: (Get-AzureKeyVaultCertificate:St
  ring) [Invoke-Expression], CommandNotFoundException
- FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Co
  mmands.InvokeExpressionCommand
  The remote script failed with exit code 1
  Start provisioning on the Octopus Server

I have tried adding “Import-Module AzureRM.KeyVault -Global -Force” in the script, but to no avail.
Octopus version is 3.11.7.
Please advise.

Thanks!

Dalmiro · 28 September 2017 19:16

Hi,

Thanks for reaching out! Its highly possible that the version of the AzureRM module bundled in in your Octopus version didn’t had that cmdlet yet.

Could you add an Azure Powershell Script step to your deployment process, run the below command and send me the output?

"Getting module info"
Get-Module AzureRM.KeyVault -ListAvailable | Format-List
"Getting module's commands"
Get-Command -module AzureRM.KeyVault

Thanks,
Dalmiro

Dalmiro · 28 September 2017 20:17

I can confirm that the Cmdlet is there in the latest version of Octopus. I’m still trying to figure out in which version of Calamari it was introduced though.

If upgrading to the latest is not an option for you, you can always tell Octopus not to import the built-in version of the Azure module, and instead use the one in the machine (which can be any version you download). https://octopus.com/docs/guides/azure-deployments/running-azure-powershell/configuring-the-version-of-the-azure-powershell-modules

Sorin_Pasa · 29 September 2017 06:41

Hello,

Thank you very much for your fast input, I did try the solution to set the “Octopus.Action.Azure.UseBundledAzurePowerShellModules” variable to False, but when I do that I get :

The term ‘Get-AzureRmEnvironment’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.

although it works without issues in the PowerShell console on the Octopus server.

I will talk to our server team to upgrade Octopus as fast as they can.

Thanks,
Sorin

Dalmiro · 29 September 2017 18:40

Hi Sorin,

When you set Octopus.Action.Azure.UseBundledAzurePowerShellModules to false it tells Octopus to use the modules installed on the server. Powershell has quite a few directories for the modules, and at least one of them is limited to the user running the command. I’m mentioning this just in case you don’t have the AzureRM module installed in one of the global locations such as C:\Windows\System32\WindowsPowerShell\v1.0\Modules

That said, upgrading your server should definitely fix this situation.

Best regards,
Dalmiro

Sorin_Pasa · 5 October 2017 13:42

Hi Dalmiro,

Thank you again for the advice, we updated Octopus to the latest version and now the ‘Get-AzureKeyVaultCertificate’ cmdlet works, but only if the certificate exits in the Azure Vault.
If the certificate is not there, Octopus throws an error:

Get-AzureKeyVaultCertificate : Certificate not found: bgselfsigned01
At C:\Octopus\Work\20171005132713-5876-10\ResourceProvisioning\Modules\bgHelpers\bgHelpers.psm1:213 char:13

$cert = Get-AzureKeyVaultCertificate -VaultName $vaultName -Name …
CategoryInfo : NotSpecified: ( [Get-AzureKeyVaultCertificate]
, KeyVaultErrorException
FullyQualifiedErrorId : Microsoft.Azure.KeyVault.Models.KeyVaultErrorExc
eption,Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultCertificate
The remote script failed with exit code 1
Start provisioning in test on the Octopus Server

My command is :

$cert = Get-AzureKeyVaultCertificate -VaultName $vaultName -Name $certName -ErrorAction SilentlyContinue

The script works without any issues when running from local PowerShell or from the PowerShell console on the Octopus server.

Thank you again for your support!

Best regards,
Sorin

Dalmiro · 5 October 2017 15:07

Hi Sorin,

This is the second time we hear from a user running into this behavior. It seems like Azure cmdlets and non-azure cmdlets are treating errors in a different way. In the below ticket I explain a bit more why we think this is happening and I recommend the user to use Try\Catch to wrap the Azure cmdlet. I recommend you to do the same thing.

https://help.octopusdeploy.com/discussions/problems/58500-erroraction-in-azurerm-cmdlet#comment_43528442

Regards,
Dalmiro

Sorin_Pasa · 5 October 2017 19:02

Hi Dalmiro,
Thanks for the info, I’ll try and let you know if it works.
Best regards,
Sorin

De la: Dalmiro Grañas
Trimis: joi, 5 octombrie, 18:07
Subiect: Re: Cannot work with Azure Key Vault certificate in “Azure PowerShell script” step [Problems #59507]
Cãtre: Sorin Pasa

Sorin_Pasa · 6 October 2017 08:41

Hi Dalmiro,

This works great, thanks!

All the best,
Sorin

From: Sorin Pasa
Sent: Thursday, October 5, 2017 10:02 PM
To: Dalmiro Grañas tender2+d728d1f8a0@tenderapp.com
Subject: Re: Cannot work with Azure Key Vault certificate in “Azure PowerShell script” step [Problems #59507]

Hi Dalmiro,
Thanks for the info, I’ll try and let you know if it works.
Best regards,
Sorin
De la: Dalmiro Grañas
Trimis: joi, 5 octombrie, 18:07
Subiect: Re: Cannot work with Azure Key Vault certificate in “Azure PowerShell script” step [Problems #59507]
Cãtre: Sorin Pasa

Dalmiro · 6 October 2017 15:02

Awesome!