How to set up customer-managed keys for the Automation account when Key Vault has the firewall enabled?

Zegan, Michał 21 Reputation points
2023-03-30T14:05:25.5566667+00:00

Hello,

I have the following problem:

I have an Azure Key Vault with a key. I created an Automation account with a system-assigned managed identity and assigned it permissions on the key.

The key vault has the firewall enabled (traffic is allowed only from private endpoints and my computer's IP address).

Now I am trying to enable customer-managed key encryption on the Automation account. The problem is that the procedure takes a very long time and then fails.

I have used a simple ARM template to enable encryption on the account named "testacc", like this (note that in this and all other examples I've removed all sensitive info, including most names/resource IDs):

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "functions": [],
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Automation/automationAccounts",
            "apiVersion": "2022-08-08",
            "name": "testacc",
            "location": "westeurope",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "sku": {
                    "name": "Basic"
                },
                "publicNetworkAccess": false,
                "encryption": {
                    "keySource": "Microsoft.Keyvault",
                    "keyVaultProperties": {
                        "keyvaultUri": "<vaulturi>/",
                        "keyName": "<keyname>",
                        "keyVersion": "<keyversion>"
                    }
                }
            }
        }
    ],
    "outputs": {}
}
```

The deployment fails with the following message (this is a small fragment, the error message from the activity log, as the ARM deployment is just stuck in a retry loop until cancelled):

```
        "statusMessage": "{\"code\":\"Forbidden\",\"message\":\"Automation account received a 'forbidden' response from the key vault <vaulturi/' while accessing key <keynameg'. Possible reason(s) for forbidden response could be disabling wrap/unwrap operation on the key, removing wrap/unwrap permission from managed identity of the automation account or key is expired. For more details see aka.ms/AACMKTroubleshooting\"}",
```

Also, I have enabled Key Vault audit logs, which show the following messages (lots of them, because of retries on both the Automation and ARM sides):

```
Client address is not authorized and caller is not a trusted service.
Client address: 20.229.252.180
Caller: appid=<app_id>;oid=<object_id>;iss=<issuer>;xms_mirid=<automation_resource_id>;xms_az_rid=<automation_resource_id>
Vault: <vaultname>;location=westeurope
```


1 answer

  1. Andriy Bilous 11,176 Reputation points MVP
    2023-03-31T08:58:04.6533333+00:00

    Hello @Zegan, Michał

    Usually error "Client address is not authorized and caller is not a trusted service." means that you need to add Azure Automation Account Managed identity to KeyVault Access policies.

    By default the Run As Account can only see the Azure Key Vault, but it can't read its content. In step 3 you retrieved the name of the Azure Run As Account. Now we will give it access to read the secrets.

    • Go to Access policies in the left menu
    • Click Create
    • Choose required permissions
    • Choose Managed Identity of Azure Automation Account and in the search field enter the name
    • Select Add and Save

    https://microsoft-bitools.blogspot.com/2019/12/use-azure-key-vault-for-automation.html

    https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad#grant-access

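The following Python helper is an added example, not code from the question or the answer. It triages a Key Vault audit-log denial of the shape quoted in the question and ties it to the access-policy step in the answer: it parses the multi-line "Client address is not authorized ..." message, checks the recorded client IP against the vault's network-ACL allow list, confirms that the calling identity (the `xms_mirid` claim) is the Automation account you granted, and reports which key permissions are still missing from the access policy. The sample message, the allow list, the resource IDs and the GUIDs are constructed; only the message wording and the client IP come from the post. The required-permission set is an assumption based on the wrap/unwrap operations named in the error message plus `get`.

```python
# Added example (not from the post): triage a Key Vault "Forbidden" audit message.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed: key permissions the Automation account's identity needs on the CMK.
# wrapKey/unwrapKey are the operations the error message names; get is assumed.
REQUIRED_KEY_PERMISSIONS: Set[str] = {"get", "wrapKey", "unwrapKey"}


@dataclass
class KvDenial:
    reason: str
    client_ip: Optional[str] = None
    claims: Dict[str, str] = field(default_factory=dict)
    vault: Optional[str] = None
    location: Optional[str] = None


def parse_denial(message: str) -> KvDenial:
    """Parse the four-line denial text: reason, Client address, Caller, Vault."""
    lines = [ln.strip() for ln in message.strip().splitlines() if ln.strip()]
    denial = KvDenial(reason=lines[0])
    for ln in lines[1:]:
        key, _, value = ln.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "client address":
            denial.client_ip = value
        elif key == "caller":
            # "appid=...;oid=...;iss=...;xms_mirid=...;xms_az_rid=..."
            denial.claims = dict(kv.split("=", 1) for kv in value.split(";") if "=" in kv)
        elif key == "vault":
            name, _, rest = value.partition(";")
            denial.vault = name.strip()
            denial.location = rest.partition("=")[2].strip() or None
    return denial


def classify(denial: KvDenial, allowed_cidrs: List[str], expected_identity_rid: str) -> Dict[str, object]:
    """Decide whether this is a network-rule denial or a key-permission/key-state
    denial, whether the caller IP is inside the vault's allow list, and whether the
    caller really is the managed identity you granted access to."""
    kind = "network_rule" if denial.reason.startswith("Client address is not authorized") \
        else "key_permission_or_key_state"
    ip_allowed: Optional[bool] = None
    if denial.client_ip:
        ip = ipaddress.ip_address(denial.client_ip)
        ip_allowed = any(ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)
    rid = denial.claims.get("xms_mirid")
    return {
        "kind": kind,
        "ip_in_allow_list": ip_allowed,
        "identity_matches": rid is not None and rid.lower() == expected_identity_rid.lower(),
    }


def missing_key_permissions(granted: Set[str]) -> Set[str]:
    """Key permissions the access policy still lacks for CMK wrap/unwrap."""
    return REQUIRED_KEY_PERMISSIONS - granted


# Constructed sample data (resource ID, GUIDs and vault name are placeholders).
AUTOMATION_ACCOUNT_RID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test"
    "/providers/Microsoft.Automation/automationAccounts/testacc"
)
SAMPLE_MESSAGE = f"""
Client address is not authorized and caller is not a trusted service.
Client address: 20.229.252.180
Caller: appid=11111111-1111-1111-1111-111111111111;oid=22222222-2222-2222-2222-222222222222;iss=https://sts.windows.net/33333333-3333-3333-3333-333333333333/;xms_mirid={AUTOMATION_ACCOUNT_RID};xms_az_rid={AUTOMATION_ACCOUNT_RID}
Vault: kv-test;location=westeurope
"""
# Constructed vault network ACL: only the admin workstation (an RFC 5737 doc address);
# private endpoints do not appear as public IP rules.
ALLOWED_CIDRS = ["203.0.113.7/32"]

if __name__ == "__main__":
    d = parse_denial(SAMPLE_MESSAGE)
    print(classify(d, ALLOWED_CIDRS, AUTOMATION_ACCOUNT_RID))
    print("missing key permissions:", missing_key_permissions({"get", "wrapKey"}))
```

Run as-is, the sample is classified as a network-rule denial from an IP outside the allow list while the identity matches, which separates a firewall problem from a missing access-policy entry; feed it the real `resultDescription` text and your vault's `ipRules` list to triage your own logs.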