Hello,
I have the following problem:
I have an Azure Key Vault with a key. I created an Automation account with a system-assigned managed identity and assigned it permissions on the key.
The key vault has the firewall enabled (traffic is allowed only from private endpoints and my computer's IP address).
Now I am trying to enable customer-managed key encryption on the Automation account. The problem is that the procedure runs for a very long time and then fails.
I have used a simple ARM template to enable encryption on the account named "testacc", like this (note that in this and all other examples I've removed all sensitive info, including most names/resource IDs):
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "functions": [],
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Automation/automationAccounts",
      "apiVersion": "2022-08-08",
      "name": "testacc",
      "location": "westeurope",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "sku": {
          "name": "Basic"
        },
        "publicNetworkAccess": false,
        "encryption": {
          "keySource": "Microsoft.Keyvault",
          "keyVaultProperties": {
            "keyvaultUri": "vaulturi/",
            "keyName": "keynameg",
            "keyVersion": "someversion7"
          }
        }
      }
    }
  ],
  "outputs": {}
}
```
The deployment fails with the following message (this is a small fragment of the error message in the activity log, as the ARM deployment is just stuck in a retry loop until cancelled):
```
"statusMessage": "{\"code\":\"Forbidden\",\"message\":\"Automation account received a 'forbidden' response from the key vault <vaulturi/' while accessing key <keynameg'. Possible reason(s) for forbidden response could be disabling wrap/unwrap operation on the key, removing wrap/unwrap permission from managed identity of the automation account or key is expired. For more details see aka.ms/AACMKTroubleshooting\"}",
```
Also, I have enabled Key Vault audit logs, which show the following messages (lots of them, because of retries from both the Automation and the ARM side):
```
Client address is not authorized and caller is not a trusted service.
Client address: 20.229.252.180
Caller: appid=<app_id>;oid=<object_id>;iss=<issuer>;xms_mirid=<automation_resource_id>;xms_az_rid=<automation_resource_id>
Vault: <vaultname>;location=westeurope
```
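When a vault firewall rejects a caller, the audit entries quoted above carry the two facts that decide the triage: which source address the vault saw, and which identity (the `xms_mirid` of the managed identity) was behind it. The following Python is an added example, not code from the post or from any Microsoft tooling: it parses audit text in exactly the four-line layout shown above (a constructed sample with placeholder identities, plus the 20.229.252.180 address from the post) and checks each denied address against the vault's IP rules, so a denial can be classified as "address not in the allowlist" versus "address allowed, so the cause is elsewhere". The allowlist CIDRs are assumed values for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the Key Vault audit entries quoted in
# the post; identities are placeholders, not real data. The second entry is
# an invented denial from a documentation range, to show the other branch.
SAMPLE_AUDIT = """\
Client address is not authorized and caller is not a trusted service.
Client address: 20.229.252.180
Caller: appid=<app_id>;oid=<object_id>;iss=<issuer>;xms_mirid=<automation_resource_id>;xms_az_rid=<automation_resource_id>
Vault: <vaultname>;location=westeurope
Client address is not authorized and caller is not a trusted service.
Client address: 203.0.113.5
Caller: appid=<app_id>;oid=<object_id>;iss=<issuer>;xms_mirid=<automation_resource_id>;xms_az_rid=<automation_resource_id>
Vault: <vaultname>;location=westeurope
"""


@dataclass
class VaultDenial:
    reason: str
    client_address: str = ""
    caller: dict = field(default_factory=dict)
    vault: str = ""
    location: str = ""


# The header line of each denial entry starts a new record.
DENIAL_RE = re.compile(r"not authorized", re.IGNORECASE)


def parse_denials(text: str) -> list[VaultDenial]:
    """Group the multi-line audit entries into VaultDenial records."""
    denials: list[VaultDenial] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DENIAL_RE.search(line):
            current = VaultDenial(reason=line)
            denials.append(current)
            continue
        if current is None:
            continue  # lines before the first denial header are ignored
        # Split only on the first colon so values such as URLs survive intact.
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Client address":
            current.client_address = value
        elif key == "Caller":
            # "k=v;k=v;..." -> dict; keys include appid, oid, iss, xms_mirid
            current.caller = dict(
                kv.split("=", 1) for kv in value.split(";") if "=" in kv
            )
        elif key == "Vault":
            name, _, loc = value.partition(";")
            current.vault = name
            current.location = loc.partition("=")[2]
    return denials


def is_allowed_source(address: str, allowed_rules: list[str]) -> bool:
    """True if the denied client address falls inside one of the vault's IP rules."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(rule, strict=False) for rule in allowed_rules)


def triage(text: str, allowed_rules: list[str]) -> list[dict]:
    """For each denial, report the managed identity that called and whether
    its source address would have matched the vault's IP rules."""
    report = []
    for d in parse_denials(text):
        report.append({
            "client_address": d.client_address,
            "managed_identity": d.caller.get("xms_mirid", "?"),
            "vault": d.vault,
            "location": d.location,
            "in_allowlist": is_allowed_source(d.client_address, allowed_rules),
        })
    return report


if __name__ == "__main__":
    # Assumed allowlist: a single /24 standing in for "my computer's IP address".
    for row in triage(SAMPLE_AUDIT, ["203.0.113.0/24"]):
        print(row)
```

Run against the audit export, the report makes the distinction the post is chasing visible: the Automation account's call arrives from 20.229.252.180, which is not the computer's address that the firewall allows, so the vault's decision is consistent with its rules, and the `xms_mirid` field confirms the call did come from the account's managed identity rather than from an unrelated principal.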