Not able to fetch key when creating disk encryption set

Question

Not able to fetch key when creating disk encryption set

sns 9,246

I have created azure key vault and then keys and added respective access policy resources and provided the access for that.
But keys I have crated is not showing up in the list when tried to disk encryption set. Please find below screenshots. Please suggest.

Accepted answer

0 additional answers

Your answer

Answer 1

JamesTran-MSFT 36,906 Microsoft Employee Moderator

@sns
Thank you for your post!

Error Message:
Caller needs data action: 'Microsoft.KeyVault/vaults/keys/read' to perform action on resource: ....... /vaults/DataDiskKeyVault. For more information, please see: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide

Since I wasn't able to reproduce your issue, and from your error message it looks like your Key Vault is using the Azure RBAC permissions model to grant user's access. You mentioned assigning the respective access policies within your initial post, but can you make sure that you have the correct RBAC (IAM) role, so you can use your Azure key vault with your disk encryption set.

Add an Azure RBAC role
Note: You'll need to add a Key Vault role with the "/keys/read" operation. For more info - Access policy templates to Azure roles mapping.

From your Key Vault - DataDiskKeyVault, select Access Control (IAM).
Select Role Assignments, ensure that your user has the correct role assigned.
If not, select Add, Add Role Assignment.
Search for Key Vault and select the appropriate role.

If you want to use the Key Vault Access Policies, instead of Azure RBAC for your Key Vault, you can change your Access Configurations and assign your user the correct access policies.

I hope this helps!

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

sns 9,246 Reputation points

2022-12-30T08:55:35.493+00:00

Hi JamesTran,

Thank you for the response.
I have tried above steps by providing respective VM name ( already enabled identity for this VM) in the principle section while granting access.
But still the same problem,. Please suggest further. Thank you.
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2022-12-30T23:39:59.707+00:00
@sns
Thank you for following up on this!

Error Message:
Caller needs data action: 'Microsoft.KeyVault/vaults/keys/read' to perform action on resource: ....... /vaults/DataDiskKeyVault. For more information, please see: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide

When deploying your Disk Encryption Set, are you using the same user that you used to create your Key Vault and Key? If so, can you make sure that this user has the appropriate Key Vault RBAC Role (Key Vault Administrator, Owner, or Contributor) or access policy assigned?

If not, the Access Policy or Key Vault RBAC role needs to be assigned to the user deploying the Disk Encryption Set and not the VM.

If you're still having issues and would like to work closer with our support team, please let me know.
Thank you for your time and patience throughout this issue.
sns 9,246 Reputation points

2022-12-31T09:45:14.233+00:00
Hi James Tran,

Thank you for further support.
I have used same user at key vault and at Disk encryption and it worked when I gave key valut admin for that user after your suggestion. thank you.
however there are 2 issues which are below:

key is fetching but not secret even though secret is there in the respective key vault section.

After selecting the key and choosing the key , Disk encryption set deployment created successfully. however it is failing while integrating this data encryption set with data disk in the Virtual machine. Please see below errors and Please suggest and thank you.
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-01-04T23:23:29.783+00:00
@sns
Thank you for the quick follow up on this and I apologize for the delayed response!

Key is fetching but not secret even though secret is there in the respective key vault section.

After testing this out, you'll only be able to select a Key or Certificate when deploying your Disk Encryption Set and leveraging SSE+CMK.

After selecting the key, disk encryption set deployment created successfully. However, it is failing while integrating this data encryption set with data disk in the Virtual machine.

Error Message: Failed to update disk.... Please grant get, wrap and unwrap key permissions to disk encryption set... Please visit https://aka.ms/keyvaultaccessssecmk for more information.

From the error message, you'll need to assign your disk encryption set get, wrap and unwrap key permissions. To do this, navigate to your disk encryption set once it's deployed, and select the displayed alert. For more info - Set up your disk encryption set.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-01-06T17:25:00.477+00:00

@sns
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Share via

Not able to fetch key when creating disk encryption set

0 additional answers

Your answer