ARM template Storage account deployment error: KeyVaultNotColocated

Pranay 291 Reputation points
2021-07-24T10:41:39.847+00:00

Hi,

I am deploying a Storage Account and then updating it to use customer-managed (user-defined) key encryption from Key Vault. Unfortunately the second step throws an error:
{
"error": {
"code": "KeyVaultNotColocated",
"message": "The operation failed because keyvault is not colocated with storage account."
}

It says the Key Vault and the Storage account must be in the same location, although when I do the same steps manually it works. Any suggestions on how to solve this issue?

Below is the template:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // NOTE(review): the description below says this object carries a "sasToken". A plain "object"
    // parameter is recorded in clear text in the deployment history; if a SAS token really travels
    // in here, declare the parameter as "secureObject" (or pass the token separately as
    // "securestring"). Confirm with the caller what is actually passed.
    // Also: the resources below read parameters('globalConfig').basicPrefix, which is not among the
    // properties listed in this description - confirm the caller supplies it.
    "globalConfig": {
      "type": "object",
      "metadata": {
        "description": "Object that contains the following properties: hyphenBasedPrefix, hyphenBasedPrefixWithoutDash, baseTemplateUrl, sasToken"
      }
    },
    "name": {
      "type": "string",
      "metadata": {
        // NOTE(review): key is misspelled ("descritpion"), so tooling that reads metadata.description
        // presumably never shows this text. Rename it to "description".
        "descritpion": "Name of the storage account following naming conventions"
      }
    },
    // NOTE(review): none of the following parameters - isBlobSoftDeleteEnabled, blobSoftDeleteRetentionDays,
    // containerRestorePeriodDays, changeFeed, isContainerRestoreEnabled, accessTier, supportsHttpsTrafficOnly,
    // enableSoftDelete, minimumTlsVersion - is referenced anywhere in "resources" below, so they currently
    // have no effect on the deployed account. Either wire them in or drop them.
    "isBlobSoftDeleteEnabled": {
      "defaultValue": true,
      "type": "bool"
    },
    "blobSoftDeleteRetentionDays": {
      "defaultValue": 6,
      "type": "int"
    },
    "containerRestorePeriodDays": {
      "defaultValue": 5,
      "type": "int"
    },
    "changeFeed": {
      "defaultValue": true,
      "type": "bool"
    },
    "isContainerRestoreEnabled": {
      "defaultValue": true,
      "type": "bool"
    },
    "skuName": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_RAGRS",
        "Standard_ZRS",
        "Premium_LRS"
      ],
      "metadata": {
        "description": "sku name of the storage, like e.g. Standard_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_LRS"
      }
    },
    "storageKind": {
      "type": "string",
      "defaultValue": "BlobStorage",
      "allowedValues": [
        "Storage",
        "StorageV2",
        "BlobStorage"
      ],
      "metadata": {
        "description": "defines storage type, like e.g. blob or standard storage"
      }
    },
    "accessTier": {
      "type": "string",
      "defaultValue": "Hot",
      "allowedValues": [
        "Hot",
        "Cool"
      ],
      "metadata": {
        "description": "Defines acceess tier of storage, possible values are Hot (blob storage), Cold (blob storage)."
      }
    },
    // NOTE(review): the storage resource hard-codes supportsHttpsTrafficOnly to true instead of reading
    // this parameter. Hard-coding true is the safer behaviour; if the parameter is kept, it should
    // at least be what the resource uses, otherwise a caller passing false is silently ignored.
    "supportsHttpsTrafficOnly": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Allows https traffic only to storage service if sets to true."
      }
    },
    "tags": {
      "type": "object",
      "defaultValue": {},
      "metadata": {
        "description": "The tags which are supposed to be assigned to this resource."
      }
    },
    // NOTE(review): the default value {} is an object, but the declared type is "string".
    // empty({}) happens to be true, so the "no suffix" branch of the expressions below is taken,
    // but the default should be "" to match the type (and to survive stricter validation).
    "rsgAdd": {
      "type": "string",
      "defaultValue": {},
      "metadata": {
        "description": "The addition for resource group."
      }
    },
    "enableSoftDelete": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Whether SoftDelete should be enabled or not."
      }
    },
    "loopOutputs": {
      "type": "array",
      "metadata": {
        // NOTE(review): description is truncated mid-sentence.
        "description": "Parameter that is used to "
      }
    },
    // NOTE(review): this is never applied to the account, so the TLS floor it is meant to enforce is
    // not set and the service default applies. Add
    //   "minimumTlsVersion": "[parameters('minimumTlsVersion')]"
    // under the storage account's "properties" (supported from apiVersion 2019-06-01 - confirm).
    "minimumTlsVersion": {
      "defaultValue": "TLS1_2",
      "type": "string"
    }
  },
  "variables": {
    // Empty by design: resourceFullName is just basicPrefix + name until a type identifier is chosen.
    "resourceTypeIdentifier": "",
    "resourceFullName": "[concat(parameters('globalConfig').basicPrefix, variables('resourceTypeIdentifier'), parameters('name'))]",

    // Base vault name; vaultName (below) appends "-<rsgAdd>" when rsgAdd is set.
    "kvtName": "[concat(parameters('globalConfig').hyphenBasedPrefix, '-', 'kvt')]",
    // NOTE(review): "encryption" and "encryptionJson" are not referenced by any resource - the nested
    // template inlines its own encryption object. encryptionJson's union() also flattens the
    // file/blob sub-objects into the top level, which does not look intentional. Both look like
    // leftovers and can be removed.
    "encryption": {
      "services": {
        "file": {
          "enabled": true
          },
        "blob": {
          "enabled": true
          }
        },
        "keySource": "Microsoft.Keyvault",
        "keyvaultproperties": {
          "keyvaulturi": "[concat('https://',variables('vaultName'),'.vault.azure.net')]",
          "keyname": "API-KEY"
          }
        },

    // NOTE(review): only used by the outputs' reference() calls; the resources themselves use
    // apiVersion 2019-06-01. Consider using one version for both.
    "apiVersion": "2021-02-01",

    "encryptionJson": "[if(empty(parameters('rsgAdd')),'',union(variables('encryption'),union(variables('encryption').services.file,variables('encryption').services.blob)))]",
    // Vault that holds the CMK: "<prefix>-kvt" or "<prefix>-kvt-<rsgAdd>".
    "vaultName": "[if(empty(parameters('rsgAdd')),variables('kvtName'),concat(variables('kvtName'),'-',parameters('rsgAdd')))]"
  },
  "resources": [
    {
            "type": "Microsoft.Storage/storageAccounts",
            "sku": {
              "name": "[parameters('skuName')]",
              "tier": "[first(split(parameters('skuName'), '_'))]"
            },
            "kind": "[parameters('storageKind')]",
            "name": "[variables('resourceFullName')]",
            "apiVersion": "2019-06-01",
            //"location": "[resourceGroup().location]",
            // NOTE(review): likely root cause of KeyVaultNotColocated. When rsgAdd is set, the account
            // is pinned to 'westus' regardless of where the vault "<kvtName>-<rsgAdd>" lives, and
            // customer-managed keys require the vault and the storage account to be in the same
            // region. Use resourceGroup().location in both branches, or derive the location from the
            // vault itself, e.g.
            //   "[reference(resourceId('Microsoft.KeyVault/vaults', variables('vaultName')), '2019-09-01', 'Full').location]"
            // (adjust the resourceId if the vault is in another resource group - TODO confirm where it lives).
            "location": "[if(empty(parameters('rsgAdd')),resourceGroup().location,'westus')]",
            // System-assigned identity is what the nested template grants vault access to.
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                // Hard-coded rather than parameters('supportsHttpsTrafficOnly'); see the parameter note.
                // minimumTlsVersion is missing here - see the parameter note.
                "supportsHttpsTrafficOnly": true
            },
            "tags": "[union(parameters('globalConfig').tags, parameters('tags'))]"
        }, 
        {

            // Second pass: grant the account's identity key access on the vault, then switch the
            // account to the Key Vault key. Runs only after the account (and its identity) exists.
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2019-07-01",
            "name": "updateStorageAccount",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', variables('resourceFullName'))]"
            ],
            "properties": {
                "mode": "Incremental",
                // No expressionEvaluationOptions, so the inline template presumably uses the default
                // outer scope and variables('vaultName') etc. resolve from this parent template.
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "0.1.0.0",
                    "resources": [{
                            // NOTE(review): this resolves the vault in the current resource group and
                            // subscription; if rsgAdd means the vault is elsewhere, this resource will not
                            // find it. Also, if the vault uses the Azure RBAC permission model, access
                            // policies are ignored - assign "Key Vault Crypto Service Encryption User" to
                            // the identity instead. The vault must have soft delete and purge protection
                            // enabled for CMK to be accepted.
                            "type": "Microsoft.KeyVault/vaults/accessPolicies",
                            "name": "[concat(variables('vaultName'), '/add')]",
                            "apiVersion": "2019-09-01",
                            "properties": {
                                "accessPolicies": [{
                                        "tenantId": "[subscription().tenantid]",
                                        "objectId": "[reference(resourceId('Microsoft.Storage/storageAccounts',  variables('resourceFullName')),'2019-06-01', 'full').identity.principalId]",
                                        "permissions": {
                                            // NOTE(review): per the storage CMK docs the identity only needs
                                            // get, wrapKey and unwrapKey. "sign" and "list" are extra
                                            // privilege on every key in the vault - drop them.
                                            "keys": [
                                                "wrapkey",
                                                "unwrapkey",
                                                "sign",
                                                "get",
                                                "list"
                                            ],
                                            "secrets": [],
                                            "certificates": []
                                        }
                                    }
                                ]
                            }
                        }, {
                            // Re-PUT of the same account to enable CMK. sku/kind/location must match the
                            // account created above exactly (location is immutable), which is why the
                            // same expressions are repeated here.
                            "type": "Microsoft.Storage/storageAccounts",
                            "sku": {
                              "name": "[parameters('skuName')]",
                              "tier": "[first(split(parameters('skuName'), '_'))]"
                            },
                            "kind": "[parameters('storageKind')]",
                            "name": "[variables('resourceFullName')]",
                            "apiVersion": "2019-06-01",
                            //"location": "[resourceGroup().location]",
                            // NOTE(review): same hard-coded 'westus' as the first declaration; fix both together.
                            "location": "[if(empty(parameters('rsgAdd')),resourceGroup().location,'westus')]",
                            "identity": {
                                "type": "SystemAssigned"
                            },
                            "properties": {
                                // NOTE(review): supportsHttpsTrafficOnly is not repeated here; confirm this
                                // partial PUT leaves the value set in the first pass untouched.
                                "encryption": {
                                  "services": {
                                    "file": {
                                      "enabled": true
                                      },
                                    "blob": {
                                      "enabled": true
                                      }
                                    },
                                    "keySource": "Microsoft.Keyvault",
                                    "keyvaultproperties": {
                                      // NOTE(review): hard-coded public-cloud DNS suffix; use
                                      // environment().suffixes.keyvaultDns if sovereign clouds matter.
                                      "keyvaulturi": "[concat('https://',variables('vaultName'),'.vault.azure.net')]",
                                      // No keyversion is given, so storage presumably tracks the latest
                                      // version of the key (automatic rotation) - confirm that is intended.
                                      "keyname": "[if(empty(parameters('rsgAdd')),'API-KEY','Sys-API-KEY')]"

                                      }
                                    }
                            },
                            // The identity must hold wrap/unwrap before the key source is switched.
                            "dependsOn": [

                                "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', variables('vaultName'), 'add')]"
                            ]
                        }
                    ]
                }
            }
        }
    ],
    "outputs": {
    // Whole resource object is exposed to the caller; check it contains nothing you would not want
    // in deployment history before relying on it.
    "deployedObject": {
      "value": "[reference(variables('resourceFullName'), variables('apiVersion'), 'Full')]",
      "type": "object"
    },
    "name": {
      "value": "[variables('resourceFullName')]",
      "type": "string"
    },
    // NOTE(review): builds JSON by string concatenation; any quote in the name would break it.
    // Prefer an object built with createObject(...) appended via concat()/array() if the
    // toolchain supports it.
    "loopOutputs": {
      "type": "array",
      "value": "[concat(parameters('loopOutputs'), array(json(concat('{\"name\": \"', variables('resourceFullName'), '\", \"deployedObject\": ', string(reference(variables('resourceFullName'), variables('apiVersion'), 'Full')), '}'))))]"
    }
  }
}

Thanks

  1. Luis Arias 7,846 Reputation points
    2024-01-05T17:43:29.36+00:00

    Hi Pranay ,

    I adapted your template and tested it in my own environment. I removed the parts that were not required for my test, and it now deploys fine; you can verify it yourself by changing only the storage account name and the Key Vault name:

    {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            // Sample defaults so the template deploys stand-alone; basicPrefix is what resourceFullName reads.
            // NOTE(review): if the real globalConfig carries the sasToken named in the description, make
            // this a "secureObject" so it is not stored in clear text in deployment history.
            "globalConfig": {
                "type": "object",
                "metadata": {
                    "description": "Object that contains the following properties: hyphenBasedPrefix, hyphenBasedPrefixWithoutDash, baseTemplateUrl, sasToken"
                },
                "defaultValue": {
                    "hyphenBasedPrefix": "smokeprefix",
                    "basicPrefix": "sp",
                    "tags": {}
                }
            },
            "name": {
                "type": "string",
                "metadata": {
                    // NOTE(review): key is misspelled ("descritpion"); rename to "description".
                    "descritpion": "Name of the storage account following naming conventions"
                },
                "defaultValue": "yourNewStorageName"
            },
            "skuName": {
                "type": "string",
                "defaultValue": "Standard_LRS",
                "allowedValues": [
                    "Standard_LRS",
                    "Standard_GRS",
                    "Standard_RAGRS",
                    "Standard_ZRS",
                    "Premium_LRS"
                ],
                "metadata": {
                    "description": "sku name of the storage, like e.g. Standard_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_LRS"
                }
            },
            "storageKind": {
                "type": "string",
                "defaultValue": "BlobStorage",
                "allowedValues": [
                    "Storage",
                    "StorageV2",
                    "BlobStorage"
                ],
                "metadata": {
                    "description": "defines storage type, like e.g. blob or standard storage"
                }
            },
            "tags": {
                "type": "object",
                "defaultValue": {},
                "metadata": {
                    "description": "The tags which are supposed to be assigned to this resource."
                }
            },
            // Default is now "" (a string), so the location expression in the nested template takes
            // the resourceGroup().location branch. See the note on that expression below.
            "rsgAdd": {
                "type": "string",
                "defaultValue": "",
                "metadata": {
                    "description": "The addition for resource group."
                }
            }
        },
        "variables": {
            "resourceTypeIdentifier": "",
            "resourceFullName": "[concat(parameters('globalConfig').basicPrefix, variables('resourceTypeIdentifier'), parameters('name'))]",
            // Used only by the outputs' reference(); resources use 2019-06-01.
            "apiVersion": "2021-02-01",
            // Placeholder. The vault must already exist in this resource group, in the same region as
            // the storage account (resourceGroup().location here), with soft delete and purge
            // protection enabled - otherwise the CMK step fails (e.g. KeyVaultNotColocated).
            "vaultName": "yourKeyVaultName"
        },
        "resources": [
            {
                "type": "Microsoft.Storage/storageAccounts",
                "sku": {
                    "name": "[parameters('skuName')]",
                    "tier": "[first(split(parameters('skuName'), '_'))]"
                },
                "kind": "[parameters('storageKind')]",
                "name": "[variables('resourceFullName')]",
                "apiVersion": "2019-06-01",
                // Account is created in the resource group's region (same region the vault must be in).
                "location": "[resourceGroup().location]",
                "identity": {
                    "type": "SystemAssigned"
                },
                "properties": {
                    "supportsHttpsTrafficOnly": true,
                    // NOTE(review): consider also setting "minimumTlsVersion": "TLS1_2" here so the
                    // account does not fall back to the service default TLS floor.
                    "accessTier": "Hot"
                },
                "tags": "[union(parameters('globalConfig').tags, parameters('tags'))]"
            }
            ,
            {
    
                // Second pass after the account exists: grant its identity key access, then enable CMK.
                "type": "Microsoft.Resources/deployments",
                "apiVersion": "2019-07-01",
                "name": "updateStorageAccount",
                "dependsOn": [
                    "[resourceId('Microsoft.Storage/storageAccounts', variables('resourceFullName'))]"
                ],
                "properties": {
                    "mode": "Incremental",
                    "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "0.1.0.0",
                        "resources": [
                            {
                                // NOTE(review): only valid for a vault using the access-policy permission
                                // model; on an RBAC-mode vault assign "Key Vault Crypto Service Encryption
                                // User" to the identity instead.
                                "type": "Microsoft.KeyVault/vaults/accessPolicies",
                                "name": "[concat(variables('vaultName'), '/add')]",
                                "apiVersion": "2019-09-01",
                                "properties": {
                                    "accessPolicies": [
                                        {
                                            "tenantId": "[subscription().tenantid]",
                                            "objectId": "[reference(resourceId('Microsoft.Storage/storageAccounts',  variables('resourceFullName')),'2019-06-01', 'full').identity.principalId]",
                                            "permissions": {
                                                // NOTE(review): per the storage CMK docs the identity needs only
                                                // get, wrapKey and unwrapKey. "sign", "list" and "recover" grant
                                                // more than the storage service uses - drop them (least privilege).
                                                "keys": [
                                                    "wrapkey",
                                                    "unwrapkey",
                                                    "sign",
                                                    "get",
                                                    "list",
                                                    "recover"
                                                ],
                                                "secrets": [
                                                ],
                                                "certificates": []
                                            }
                                        }
                                    ]
                                }
                            },
                            {
                                // Re-PUT of the account to switch it to the Key Vault key. sku/kind/location
                                // must match the account created above.
                                "type": "Microsoft.Storage/storageAccounts",
                                "sku": {
                                    "name": "[parameters('skuName')]",
                                    "tier": "[first(split(parameters('skuName'), '_'))]"
                                },
                                "kind": "[parameters('storageKind')]",
                                "name": "[variables('resourceFullName')]",
                                "apiVersion": "2019-06-01",
                                // NOTE(review): this differs from the first declaration, which always uses
                                // resourceGroup().location. It only agrees while rsgAdd is "" (the default);
                                // with a non-empty rsgAdd this PUT would try to move the account to 'westus',
                                // and location is immutable. Use "[resourceGroup().location]" here as well.
                                "location": "[if(empty(parameters('rsgAdd')),resourceGroup().location,'westus')]",
                                "identity": {
                                    "type": "SystemAssigned"
                                },
                                "properties": {
                                    "encryption": {
                                        "services": {
                                            "file": {
                                                "enabled": true
                                            },
                                            "blob": {
                                                "enabled": true
                                            }
                                        },
                                        "keySource": "Microsoft.Keyvault",
                                        "keyvaultproperties": {
                                            // Hard-coded public-cloud suffix; environment().suffixes.keyvaultDns
                                            // if other clouds matter. No keyversion, so the latest key version is
                                            // presumably tracked - confirm that is intended.
                                            "keyvaulturi": "[concat('https://',variables('vaultName'),'.vault.azure.net')]",
                                            "keyname": "[if(empty(parameters('rsgAdd')),'API-KEY','Sys-API-KEY')]"
    
                                        }
                                    }
                                },
                                // Key access must be granted before the key source is switched.
                                "dependsOn": [
    
                                    "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', variables('vaultName'), 'add')]"
                                ]
                            }
                        ]
                    }
                }
            }
        ],
        "outputs": {
            // Full resource object ends up in deployment history/outputs; keep only what callers need.
            "deployedObject": {
                "value": "[reference(variables('resourceFullName'), variables('apiVersion'), 'Full')]",
                "type": "object"
            },
            "name": {
                "value": "[variables('resourceFullName')]",
                "type": "string"
            }
        }
    }
    

    Take into consideration the prerequisites, such as enabling soft delete and purge protection on your Key Vault and granting the storage account's managed identity key permissions (https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-existing-account?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=azure-portal)


    Let me know if you have any problem deploying this ARM template or any further questions.

    Luis

