How to grant permissions to imported keys in Azure Key Vault Managed HSM

Question

Hey folks,

Your advice is highly appreciated. I'm having trouble with granting permissions to Imported rsa keys in Azure Managed HSM.

I wish to use our own generated RSA keys for PostgreSQL flexible server for Data encryption in Azure. What have I done so far:

• I have enabled and configured Azure Key Vault Managed HSM.
• Created a new User assigned managed identity
• Granted 'Managed HSM Crypto Service Encryption User' role to the managed identity in the HSM Local RBAC with the scope '/'
• I have generated 2048 bit RSA key with ssh-keygen
• I have imported the key into the HSM Keys

Now when I try to use the Imported key, I use the created Managed Identity and then select the imported key from the Managed HSM, but get:

AzureKeyVaultMissingPermissions The server requires following Azure Key Vault permissions: 'Get, WrapKey, UnwrapKey'. Please grant any missing permissions to the service principal with ID ...

For testing I Generated a new RSA key and I can use the Generated RSA key with the same length in the same Managed HSM. Visually the keys look the same.

I have been searching and reading the documentation, but can't figure out what am I missing?

Thank you!!!

Answer 1

Hi Raul Siim, I want to help you with this question.

I think you forgot to set the Azure key vault access policy settings. At least, the error message looks like that.

So you need to add the access policy permissions Get, WrapKey, UnwrapKey' of the keys in the Azure key vault for the managed identity.

See also: https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

---

If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you.

Answer 2

@Raul Siim

Thank you for your detailed post!

Error Message:

AzureKeyVaultMissingPermissions The server requires following Azure Key Vault permissions: 'Get, WrapKey, UnwrapKey'. Please grant any missing permissions to the service principal with ID ...

I understand that you're trying to generate your own RSA keys for your PostgreSQL flexible server to implement Data encryption, but after importing your key and using the Managed Identity, you're running into the error message above. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.

---

Findings:

I'm not too familiar with PostgreSQL flexible server but from the Key Vault side of things, it sounds like you configured everything correctly, since you created a new role assignment, and assigned the Managed HSM Crypto Service Encryption User role to your Managed Identity (for your KV), which would then give it the correct wrap/unwrap permissions.

When reviewing the steps that you've taken so far, I noticed that you created a new user-assigned managed identity and granted this managed identity the correct Crypto Service Encryption User RBAC role. However, from your error it mentions the server requiring the permissions - did you also make sure to assign the user-assigned managed identity to your PostgreSQL flexible server?

• If you're still having issues, the Service Principal ID within your error message, is that the same ID as your Managed Identity?

---

Additional Links:

• 401 AzureKeyVaultMissingPermissions
• Requirements for configuring data encryption for Azure Database for PostgreSQL Flexible server
• PostgreSQL Flexible Server - Using Azure Key Vault Managed HSM

I hope this helps!

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.