How to Enable-AzureRmDataLakeStoreKeyVault on my Azure Data Lake Store account?

I did the following things to create an Azure Data Lake Store account and then try to enable a key vault for it:

New-AzDataLakeStoreAccount -ResourceGroupName TestRG -Name TestDLSA -Location "East US 2"
Enable-AzureRmDataLakeStoreKeyVault -Account TestDLSA

And received the following error:

Enable-AzureRmDataLakeStoreKeyVault : Operation EnableKeyVault is invalid under current encryption state or config of account.

What do I need to do to be able to correctly run Enable-AzureRmDataLakeStoreKeyVault on my Azure Data Lake Store account?

When you create the dls, you need to pass the parameters as below. Otherwise, it creates the dls with Service managed encryption, i.e. -Encryption ServiceManaged.

New-AzDataLakeStoreAccount -ResourceGroupName <RG-name> -Name joydls -Location "East US 2" -Encryption UserManaged -KeyVaultId "<keyvault-resource-id>" -KeyName "testkey" -KeyVersion "444243d9xxxx8db2303d1"

To enable a user managed Key Vault for encryption, the service principal created automatically along with your dls needs the permission to access the key in your keyvault, so we need to configure the access policy for the service principal. Run the commands below after creating the dls, then it will work fine.

$ObjectId = (Get-AzDataLakeStoreAccount -ResourceGroupName <RG-name> -Name joydls).Identity.PrincipalId
Set-AzKeyVaultAccessPolicy -ResourceGroupName <RG-name> -VaultName joykeyvault -ObjectId $ObjectId -PermissionsToKeys encrypt,decrypt,get
Enable-AzDataLakeStoreKeyVault -Name "joydls"

Check in the portal.


Besides, I notice you are using the new Az module mixed with the old AzureRm. Please don't do this, sometimes it will cause an error. I recommend you to just use the Az module Enable-AzDataLakeStoreKeyVault, because the AzureRm module has been deprecated and will not be updated.
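As an added example (not part of the answer above, and not Microsoft's own code), the procedure from the answer as a preflight script: it checks that the account was created with UserManaged encryption, grants the account's managed identity only the key permissions it is missing, and only then calls Enable-AzDataLakeStoreKeyVault. Resource names are placeholders; the object property names assumed are those of the Az.DataLakeStore and Az.KeyVault cmdlet output.

```powershell
# Added example, not from the answer above. Preflight checks before enabling a
# user-managed Key Vault on a Data Lake Store account. Resource names are
# placeholders; property names assume the Az.DataLakeStore / Az.KeyVault objects.
param(
    [string]$ResourceGroupName = "<RG-name>",
    [string]$AccountName       = "joydls",
    [string]$VaultName         = "joykeyvault",
    # Minimum key permissions the account's identity needs (as used in the answer).
    [string[]]$RequiredKeyPermissions = @("get", "encrypt", "decrypt")
)

$ErrorActionPreference = "Stop"

$account = Get-AzDataLakeStoreAccount -ResourceGroupName $ResourceGroupName -Name $AccountName

# Enable-AzDataLakeStoreKeyVault only applies to accounts created with
# -Encryption UserManaged; the encryption type is fixed at creation time, so fail
# early with the reason instead of the generic "EnableKeyVault is invalid" error.
$encType = $account.EncryptionConfig.Type
if ($encType -ne "UserManaged") {
    throw "Account '$AccountName' uses '$encType' encryption; recreate it with -Encryption UserManaged plus -KeyVaultId/-KeyName/-KeyVersion."
}

$principalId = [string]$account.Identity.PrincipalId
if (-not $principalId) {
    throw "Account '$AccountName' has no managed identity; cannot grant Key Vault access."
}

# Find an existing access policy for the account's identity and compute the
# missing key permissions; grant only what is missing (least privilege).
$vault   = Get-AzKeyVault -ResourceGroupName $ResourceGroupName -VaultName $VaultName
$policy  = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
$have    = @()
if ($policy) { $have = @($policy.PermissionsToKeys | ForEach-Object { $_.ToLowerInvariant() }) }
$missing = @($RequiredKeyPermissions | Where-Object { $have -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Host "Granting key permissions [$($missing -join ',')] to identity $principalId on $VaultName"
    # Set-AzKeyVaultAccessPolicy replaces the key permission list for this object,
    # so pass the existing permissions together with the missing ones.
    Set-AzKeyVaultAccessPolicy -ResourceGroupName $ResourceGroupName -VaultName $VaultName `
        -ObjectId $principalId -PermissionsToKeys (@($have + $missing) | Select-Object -Unique)
} else {
    Write-Host "Identity $principalId already has the required key permissions on $VaultName"
}

Enable-AzDataLakeStoreKeyVault -Name $AccountName
$after = Get-AzDataLakeStoreAccount -ResourceGroupName $ResourceGroupName -Name $AccountName
Write-Host "Key Vault enabled; encryption state is now: $($after.EncryptionState)"
```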
