No Permission to copy keys when using RBAC to replicate between sites

Andreas Svensson 21 Reputation points
2021-07-14T08:25:54.163+00:00

Hi!
I am trying to copy keys from one vault to another to be able to decrypt disks in case we need to use Site Recovery.
I am using the following method
https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms
but I can't set permissions according to the guide since we are using RBAC.
I am able to authenticate and choose which servers and which vault the keys should be moved from and to.

My account has the Key Vault Administrator role on both vaults, but when I run copy-keys.ps1 I get the following error:

User with user id: XXX does not have access to the key vault XXX. Permitted object ids include - XXX


Accepted answer
  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-07-14T16:19:52.9+00:00

    Hello @Andreas Svensson ,

    Thanks for reaching out.

    I dug into this issue and found that the CopyKeys script relies entirely on the Set-AzKeyVaultAccessPolicy cmdlet, which belongs to the access-policy permission model, so the above error is expected when the Key Vault uses the Azure RBAC permission model instead of the access-policy model.

    Here is similar issue reported at GitHub : https://github.com/MicrosoftDocs/azure-docs/issues/78351

    Could you try with an account that has the Key Vault Administrator role along with the Key Vault Contributor role? Please let us know the outcome. Thanks!

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

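As an added example (not the CopyKeys script from the Site Recovery ADE guide, and not Microsoft's code): the error above comes from the script's access-policy step, so a copy that does not call Set-AzKeyVaultAccessPolicy at all sidesteps it. The PowerShell below reports each vault's permission model from the EnableRbacAuthorization property of Get-AzKeyVault, checks that the signed-in user holds a data-plane role that includes key backup/restore on any RBAC vault, and then copies every key with Backup-AzKeyVaultKey / Restore-AzKeyVaultKey. Vault names, the backup directory, the script file name and the choice of Key Vault Administrator / Key Vault Crypto Officer as the roles to check for are assumptions; the cmdlets themselves are standard Az.KeyVault / Az.Resources cmdlets.

```powershell
# Added example, not the CopyKeys script from the Site Recovery ADE guide:
# copy keys from one Key Vault to another without Set-AzKeyVaultAccessPolicy,
# so it works when either vault uses the Azure RBAC permission model.
# Assumptions: Az.Accounts, Az.KeyVault and Az.Resources are installed,
# Connect-AzAccount has been run, and the signed-in identity is a user whose
# context Account.Id is its UPN (vault names and backup directory are placeholders).
param(
    [Parameter(Mandatory)] [string] $SourceVault,   # e.g. 'kv-prod-westeurope'
    [Parameter(Mandatory)] [string] $TargetVault,   # e.g. 'kv-dr-northeurope'
    [string] $BackupDir = (Join-Path $env:TEMP 'kv-key-copy')
)
$ErrorActionPreference = 'Stop'

# Data-plane roles whose definitions include key backup/restore (assumed
# sufficient here). Key Vault Contributor is management-plane only and
# does not grant any key operation.
$keyCopyRoles = @('Key Vault Administrator', 'Key Vault Crypto Officer')

function Get-VaultPermissionModel {
    # Returns 'RBAC' or 'AccessPolicy' for a vault in the current subscription.
    param([Parameter(Mandatory)] [string] $VaultName)
    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Vault '$VaultName' was not found in the current subscription." }
    if ($vault.EnableRbacAuthorization) { 'RBAC' } else { 'AccessPolicy' }
}

function Test-KeyCopyRole {
    # True when the principal holds one of $keyCopyRoles at the vault scope or a
    # parent scope. Assignments inherited through group membership are not expanded.
    param([Parameter(Mandatory)] [string] $VaultName,
          [Parameter(Mandatory)] [string] $ObjectId)
    $vault = Get-AzKeyVault -VaultName $VaultName
    $roles = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $vault.ResourceId |
        Select-Object -ExpandProperty RoleDefinitionName
    return [bool]($roles | Where-Object { $_ -in $keyCopyRoles })
}

# Resolve the signed-in user's object id from the current context's UPN.
$upn = (Get-AzContext).Account.Id
$me  = Get-AzADUser -UserPrincipalName $upn
if (-not $me) { throw "Could not resolve an object id for '$upn'." }

foreach ($v in @($SourceVault, $TargetVault)) {
    $model = Get-VaultPermissionModel -VaultName $v
    Write-Host ("{0}: permission model = {1}" -f $v, $model)
    if ($model -eq 'RBAC' -and -not (Test-KeyCopyRole -VaultName $v -ObjectId $me.Id)) {
        throw "'$upn' holds none of [$($keyCopyRoles -join ', ')] on RBAC vault '$v'."
    }
}

# Restore refuses to overwrite an existing key, so skip names already present.
$existing = @{}
Get-AzKeyVaultKey -VaultName $TargetVault | ForEach-Object { $existing[$_.Name] = $true }
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($key in Get-AzKeyVaultKey -VaultName $SourceVault) {
    if ($existing.ContainsKey($key.Name)) {
        Write-Host "skip   $($key.Name): already exists in $TargetVault"
        continue
    }
    $blob = Join-Path $BackupDir "$($key.Name).keybackup"
    # The backup blob is encrypted by the Key Vault service and can only be
    # restored into a vault in the same subscription and Azure geography.
    Backup-AzKeyVaultKey -VaultName $SourceVault -Name $key.Name -OutputFile $blob -Force | Out-Null
    try {
        Restore-AzKeyVaultKey -VaultName $TargetVault -InputFile $blob | Out-Null
        Write-Host "copied $($key.Name) -> $TargetVault (all versions)"
    }
    finally {
        # Do not leave backup blobs on the operator's disk.
        Remove-Item -Path $blob -Force -ErrorAction SilentlyContinue
    }
}
```

Run it as, for example, `.\Copy-KvKeys.ps1 -SourceVault kv-prod-westeurope -TargetVault kv-dr-northeurope` (file and vault names are placeholders). Two caveats worth knowing before relying on this for disaster recovery: Restore-AzKeyVaultKey only accepts a blob taken from a vault in the same subscription and the same Azure geography, so a pair of regions that spans geographies will fail at the restore step, and a restore brings over all versions of the key, so the key identifiers referenced by the encrypted disks stay resolvable in the target vault. The example copies keys only, as the question does; an ADE disk-encryption secret stored in the vault would be handled the same way with Backup-AzKeyVaultSecret / Restore-AzKeyVaultSecret.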

2 additional answers

  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-08-02T12:55:55.157+00:00

    Hello @Andreas Svensson ,

    This issue has been reported to the Azure Site Recovery team; meanwhile you can track it on GitHub: https://github.com/MicrosoftDocs/azure-docs/issues/78351 . Thanks.

    I would request that you "Accept the answer" so that this helps us and others in the community as well.


  2. Andreas Svensson 21 Reputation points
    2021-07-15T07:23:51.1+00:00

    Hi! @sikumars-msft
    Thanks for answering.

    With both the Key Vault Administrator and Key Vault Contributor roles I still get the same error, unfortunately:

    Starting CopyKeys for UserId: XXX, UserPrincipalName: XXX

    WARNING: CopyKeys not completed for XXX - XXX_OsDisk_1_XXX

    CopyKeys failed for XXX - XXX_OsDisk_1_XXX with -

    User with user id: XXX does not have access to the key vault XXX. Permitted object ids include - XXX.
    At C:\Users\User\Desktop\keys.ps1:1569 char:5
    +     throw [Errors]::UserMissingAccess($UserId, $KeyVaultName, $Access ...
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (User with user ...4-49166cc63316.:String) [], RuntimeException
        + FullyQualifiedErrorId : User with user id: XXX does not have access to the key vault XXX. Permitted object ids include - XXX