Can't use CMK encryption on Storage Account using User-Managed Identity

Santi 1 Reputation point
2022-02-16T15:41:27.383+00:00

Hi, I need help.

I have a storage account with a private endpoint, and I want to encrypt the data using a CMK. The Key Vault also has a private endpoint, and when I try to connect both using a user-assigned identity I get this error:


The thing is that I've given the user all possible permissions on the key vault and the storage account. Furthermore, when I change the networking configuration of the key vault and allow all networks, it works. So it seems that it is because the user-assigned identity can't reach the vault, but I don't know how to solve it without taking the private endpoint.


1 answer

  1. JamesTran-MSFT 36,371 Reputation points Microsoft Employee
    2022-02-16T22:02:39.197+00:00

    @Santi
    Thank you for your post!

    From the article https://aka.ms/storagekeyvaultaccesspolicy within your error, the managed identity mi-keyvault-test-001 doesn't have the proper permissions to access Key Vault kv-test-010.

    Troubleshooting:

    Following the Configure encryption with customer-managed keys stored in Azure Key Vault documentation, you'll need to add your managed identity to your Key Vault's access policies.

    1) Navigate to your Key vault kv-test-010
    2) From the Overview page, confirm Soft-delete and Purge Protection are enabled for your vault, since this is required by Azure Storage encryption.

    3) Select Access Policies, then Add Access Policies.

    4) Select the permissions you'd like your Managed Identity to have. I selected the Azure Data Lake Storage or Azure Storage template.
    5) Select your managed identity mi-keyvault-test-001 as the principal. Select Add, then Save.

    6) Navigate to your Storage account and retry the operation.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
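As an added example (not from the question or the answer above), a small pre-flight check that reads the JSON `az keyvault show` returns and reports, for one identity, the items the answer walks through: soft-delete and purge protection, the key permissions on the access policy, and whether the vault firewall would still block a caller that is not covered by the trusted-services bypass. The vault document and the identity object ID are constructed placeholders.

```python
# Pre-flight check of a Key Vault before pointing a storage account's CMK at it.
# Input is the JSON from `az keyvault show` (ARM property names). The sample
# vault and the identity object ID below are constructed placeholders.

# Key operations Azure Storage performs with the customer-managed key.
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}

# Constructed placeholder, not a real identity.
IDENTITY_OBJECT_ID = "00000000-0000-0000-0000-000000000001"

# Constructed to resemble the vault in the question: firewall set to Deny with
# no service bypass, and an access policy that grants the identity too little.
SAMPLE_VAULT = {
    "name": "kv-test-010",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {"objectId": IDENTITY_OBJECT_ID, "permissions": {"keys": ["get", "list"]}}
        ],
        "networkAcls": {"defaultAction": "Deny", "bypass": "None"},
    },
}


def check_vault_for_cmk(vault: dict, identity_object_id: str) -> list:
    """Return findings that would stop CMK encryption; an empty list means ready."""
    props = vault["properties"]
    findings = []
    if not props.get("enableSoftDelete", False):
        findings.append("soft-delete is not enabled")
    if not props.get("enablePurgeProtection", False):
        findings.append("purge protection is not enabled")
    if props.get("enableRbacAuthorization", False):
        findings.append("vault uses RBAC; access policies are ignored, assign a key role instead")
    else:
        granted = set()
        for policy in props.get("accessPolicies", []):
            if policy.get("objectId", "").lower() == identity_object_id.lower():
                granted |= {p.lower() for p in policy.get("permissions", {}).get("keys", [])}
        missing = sorted(REQUIRED_KEY_PERMS - granted)
        if missing:
            findings.append("access policy missing key permissions: " + ", ".join(missing))
    # A Deny default without the AzureServices bypass blocks callers that are not
    # on an allowed network, even when the access policy itself is correct.
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") == "Deny" and acls.get("bypass", "None") != "AzureServices":
        findings.append("firewall denies by default and trusted Azure services are not bypassed")
    return findings
```

Run it against `az keyvault show --name <vault> -o json` after each step of the answer; the list shrinks to empty when the vault is ready.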