Getting "Caller needs data action" while enabling Azure Disk Encryption on Windows VM.

Amjad Nagori 286 Reputation points
2021-09-29T11:24:53.267+00:00

Hello All,

I am getting the error below while trying to enable Azure Disk Encryption for my VM. I tried recreating both the VM and the Key Vault, but I still get the same issue.

I do have full rights in the Key Vault access policy, and it's also enabled for Azure VM encryption, but I still get this error.



Accepted answer
  1. KarishmaTiwari-MSFT 18,367 Reputation points Microsoft Employee
    2021-09-30T00:42:42.05+00:00

    Can you please confirm that you have been assigned the "Owner" role for the subscription you are using?

    We have seen this issue occur when the user has the 'Service Administrator' role instead of the 'Owner' role. Unfortunately, the Service Administrator role does not support changing the permission model, as mentioned in the document below:
    https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

    Let me know and if this is not the reason, I can further investigate. Thanks.


4 additional answers

  1. TravisCragg-MSFT 5,676 Reputation points Microsoft Employee
    2021-09-30T00:25:22.163+00:00

    This error is most likely an issue with your permissions, as stated. Key Vault permissions are strange, as there are roles that will allow you to create and delete Key Vaults but not access the keys inside them.

    The error you are getting is on listing the keys inside a Key Vault, so it sounds like this is the case. Try adding yourself to the "Key Vault Reader" and "Key Vault Administrator" roles on your Key Vault and try this again.

    If that does not work, the next step will be to work with support.

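The fix that the accepted answer and the answer above describe (make sure the caller actually holds a data-plane role on the vault, then enable encryption), as an added example that is not part of the thread: an Az PowerShell script that reads the vault's permission model, checks whether any role assigned to the user at the vault scope carries the `Microsoft.KeyVault/vaults/keys/read` data action named in the error, assigns Key Vault Administrator if none does (or an access policy if the vault still uses the access-policy model), makes sure the vault is enabled for disk encryption, and then enables ADE on the Windows VM. It assumes the Az module is installed and `Connect-AzAccount` has already been run; the resource group, vault, VM and user principal names are placeholders.

```powershell
# Added example, not code from the thread. Assumes Az PowerShell and an existing Connect-AzAccount session.
# All names below are placeholders.
$rg    = 'RGNAME'
$vault = 'VAULTNAME'
$vm    = 'VMNAME'
$user  = 'user@contoso.com'
$requiredDataAction = 'Microsoft.KeyVault/vaults/keys/read'   # the data action quoted in the error

$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg

if ($kv.EnableRbacAuthorization) {
    # RBAC permission model: data-plane access comes from role assignments, not from access policies.
    # Being Owner is not enough by itself for the data plane; look for an assigned role whose
    # DataActions cover the required action. Azure's '*' wildcards map directly onto PowerShell's -like.
    $assignments = Get-AzRoleAssignment -SignInName $user -Scope $kv.ResourceId -ExpandPrincipalGroups
    $covering = foreach ($a in $assignments) {
        $def     = Get-AzRoleDefinition -Name $a.RoleDefinitionName
        $allowed = $def.DataActions    | Where-Object { $requiredDataAction -like $_ }
        $denied  = $def.NotDataActions | Where-Object { $requiredDataAction -like $_ }
        if ($allowed -and -not $denied) { $a.RoleDefinitionName }
    }
    if (-not $covering) {
        Write-Host "No assigned role grants $requiredDataAction on $vault; assigning Key Vault Administrator"
        # Writing a role assignment at the vault scope needs Microsoft.Authorization/roleAssignments/write
        # there (Owner or User Access Administrator), which is why Service Administrator alone was not enough.
        New-AzRoleAssignment -SignInName $user -RoleDefinitionName 'Key Vault Administrator' `
            -Scope $kv.ResourceId | Out-Null
    } else {
        Write-Host "Data action already granted by: $($covering -join ', ')"
    }
} else {
    # Access-policy permission model: grant the key permissions directly on the vault instead.
    Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -UserPrincipalName $user `
        -PermissionsToKeys get, list, wrapKey, unwrapKey
}

# ADE also requires the vault itself to be enabled for disk encryption.
if (-not $kv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -EnabledForDiskEncryption
}

# Enable ADE on the Windows VM (OS and data disks) and confirm the result.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
```

Run it as the same user who sees the error in the portal. The role check is deliberately done against the role definitions rather than by trial and error, because the portal error text cannot be copied, and because a role assignment made at a parent scope can also satisfy the check even though it does not show up in the vault's own IAM blade.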

  2. Valentine Masina 6 Reputation points
    2021-10-14T14:28:19.977+00:00

    Thanks to karishmatiwari for the heads up. Please pass this on to the Azure design team. Why are we by default only service administrators on the Key Vault service? The Owner role by default makes sense, because all Key Vault permissions are needed by the one who creates the service, especially if you are the account owner.


  3. Craig 1 Reputation point
    2022-02-01T20:56:55.487+00:00

    I was also only Service Administrator, not Owner. The error went away after making myself Owner, and I was able to finish encrypting (enabling Azure Disk Encryption).

    Here is the error text in case others like me search for it and don't find it, because for some reason the text of this error can't be copied from the portal:

    Caller needs data action: 'Microsoft.KeyVault/vaults/keys/read' to perform action on resource: /subscriptions/SUBID/resourceGroups/RGNAME/providers/Microsoft.KeyVault/vaults/VAULTNAME. For more information, please see: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide


  4. Ajeet Mishra 1 Reputation point
    2022-02-03T05:08:57.907+00:00

    I was facing the same issue, having only Service Administrator but not Owner. The error went away after making myself Owner, and I was able to finish encrypting (enabling Azure Disk Encryption).
