
Azure storage account encryption with customer managed keys

I have added the properties below to an ARM template ( link ) to create storage accounts and encrypt them with customer-managed keys.

"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {
    "keyname": "xxxx",
    "keyversion": "xxxxxx",
    "keyvaulturi": "xxxxxxx"
}

But when I try to create this resource I get

"Missing pre-requisites to enable EncryptionAtRest/Customer Managed Key for this storage account."

The reason is that the storage account service principal (managed identity) does not have access to the encryption key in Azure Key Vault. You cannot grant the access in advance until the storage account (service principal - managed identity) is created.

But I see that the storage account managed identity is not created automatically. It is created at the time when we enable the encryption.

I have faced this too; the MS doc and this answer were helpful.

Here is why this is actually happening (from the MS doc):

Choose a managed identity to authorize access to the key vault

When you enable customer-managed keys for a storage account, you must specify a managed identity that will be used to authorize access to the key vault that contains the key. The managed identity must have permissions to access the key in the key vault.

The managed identity that authorizes access to the key vault may be either a user-assigned or system-assigned managed identity, depending on your scenario:

When you configure customer-managed keys at the time that you create a storage account, you must specify a user-assigned managed identity. When you configure customer-managed keys on an existing storage account, you can specify either a user-assigned managed identity or a system-assigned managed identity.
