Getting "Caller needs data action" while enabling Azure Disk Encryption on Windows VM.

asked 2021-09-29T11:24:53.267+00:00
Amjad Nagori 271 Reputation points

Hello All,

I am getting the below error while trying to enable Azure Disk Encryption for my VM. I tried recreating both the VM and the Key Vault, but I am still getting the same issue.

I do have full rights in the Key Vault access policy, and it's also enabled for Azure VM encryption, but I am still getting this error.

[screenshot of the error: 136264-image.png]


Accepted answer
  1. answered 2021-09-30T00:42:42.05+00:00
    KarishmaTiwari-MSFT 10,701 Reputation points Microsoft Employee

    Can you please confirm that you have been assigned the role as "Owner" for the subscription you are using?

    We have seen this issue occur when the user has the 'Service Administrator' role instead of the 'Owner' role. Unfortunately, the Service Administrator role does not support changing the permission model, as mentioned in the document below:
    https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

    Let me know and if this is not the reason, I can further investigate. Thanks.


4 additional answers

  1. answered 2021-09-30T00:25:22.163+00:00
    TravisCragg-MSFT 5,626 Reputation points Microsoft Employee

    This error is most likely an issue with your permissions as stated. Key Vault permissions are strange, as there are roles that will allow you to create and delete Key Vaults, but not access the keys inside of them.

    The error you are getting is on listing the keys inside of a Key Vault, so it sounds like this is the case. Try adding yourself to the "Key Vault Reader" and "Key Vault Administrator" roles on your Key Vault and try this again.

    If that does not work, the next step will be to work with support.

    No comments
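The control-plane versus data-plane split that the answer above describes is what the error message is reporting: `Microsoft.KeyVault/vaults/keys/read` is a data action, and a role whose permissions live only in the `actions` list never satisfies it, no matter how broad its wildcard. The following Python is an added example (not code from the thread or from Microsoft) that models Azure RBAC evaluation in simplified form and parses the quoted portal error to tell you whether a principal holds the required data action and through which assignment. The role definitions (`vault-manager`, `key-reader`, `key-admin-no-purge`), the principals and the assignment scopes are constructed for the example; `SUBID`, `RGNAME` and `VAULTNAME` are the placeholders from the error text in the thread.

```python
import re

# Constructed, simplified role definitions for this example. Real Azure role
# definitions use the same four lists (actions / notActions / dataActions /
# notDataActions); the role names and entries here are illustrative only.
ROLE_DEFINITIONS = {
    # control plane only: can manage the vault resource, cannot touch keys inside it
    "vault-manager": {
        "actions": ["Microsoft.KeyVault/vaults/*"],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
    },
    # data plane: may read key metadata inside the vault
    "key-reader": {
        "actions": [],
        "notActions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/keys/read"],
        "notDataActions": [],
    },
    # wildcard data-plane grant with a carve-out expressed via notDataActions
    "key-admin-no-purge": {
        "actions": [],
        "notActions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/keys/*"],
        "notDataActions": ["Microsoft.KeyVault/vaults/keys/purge/action"],
    },
}

# Constructed role assignments; SUBID/RGNAME/VAULTNAME are the placeholders from the thread.
VAULT_SCOPE = "/subscriptions/SUBID/resourceGroups/RGNAME/providers/Microsoft.KeyVault/vaults/VAULTNAME"
ASSIGNMENTS = [
    {"principal": "alice", "role": "vault-manager", "scope": "/subscriptions/SUBID"},
    {"principal": "bob", "role": "key-reader", "scope": "/subscriptions/SUBID/resourceGroups/RGNAME"},
    {"principal": "carol", "role": "key-reader", "scope": "/subscriptions/SUBID/resourceGroups/OTHER-RG"},
]

# Shape of the portal error quoted in the thread; the action and resource scope are parsed out of it.
ERROR_RE = re.compile(
    r"Caller needs data action: '(?P<action>[^']+)' "
    r"to perform action on resource: (?P<scope>/\S+?)\.?(?:\s|$)"
)


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style operation matching: '*' is the only wildcard, comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role: dict, action: str, data_plane: bool) -> bool:
    """A role grants an operation if some allow entry matches and no 'not' entry matches."""
    allow = role["dataActions" if data_plane else "actions"]
    deny = role["notDataActions" if data_plane else "notActions"]
    return any(action_matches(p, action) for p in allow) and not any(action_matches(p, action) for p in deny)


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """Assignments are inherited downwards: subscription -> resource group -> resource."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def granting_assignments(principal, action, scope, assignments=ASSIGNMENTS, roles=ROLE_DEFINITIONS, data_plane=True):
    """Return the assignments through which `principal` holds `action` on `scope`."""
    return [
        a for a in assignments
        if a["principal"] == principal
        and scope_covers(a["scope"], scope)
        and role_grants(roles[a["role"]], action, data_plane)
    ]


def diagnose(error_text, principal, assignments=ASSIGNMENTS, roles=ROLE_DEFINITIONS):
    """Parse a 'Caller needs data action' message and report whether, and via which roles, the principal holds it."""
    m = ERROR_RE.search(error_text)
    if m is None:
        raise ValueError("not a 'Caller needs data action' error")
    action, scope = m.group("action"), m.group("scope")
    via = granting_assignments(principal, action, scope, assignments, roles, data_plane=True)
    return {"action": action, "scope": scope, "granted": bool(via), "via": [a["role"] for a in via]}


if __name__ == "__main__":
    msg = (f"Caller needs data action: 'Microsoft.KeyVault/vaults/keys/read' to perform action "
           f"on resource: {VAULT_SCOPE}. For more information, please see: "
           "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide")
    for who in ("alice", "bob", "carol"):
        print(who, diagnose(msg, who))
```

Running it shows the three cases that matter in practice: `alice` can create and delete the vault (a control-plane action under `vault-manager`) yet fails the data-action check, `bob` passes because a data-plane role is assigned at the resource group containing the vault, and `carol` fails because her identical role is scoped to a different resource group. Against a real subscription, the same check is done by listing the caller's role assignments at the vault scope and comparing each role's `dataActions` and `notDataActions` against the action named in the error.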

  2. answered 2021-10-14T14:28:19.977+00:00
    Valentine Masina 1 Reputation point

    Thanks to karishmatiwari for the heads up. Please pass these on to the Azure design team. Why are we by default only service administrators on the Key Vault service? The Owner role by default makes sense, because all Key Vault permissions are needed by the one who creates the service, especially if you are the account owner.

    No comments

  3. answered 2022-02-01T20:56:55.487+00:00
    Craig 1 Reputation point

    I also was only Service Administrator but not Owner. The error went away after making myself Owner, and I was able to finish the encryption (enabling Azure Disk Encryption).

    Here is the error text in case others like me search for it and can't find it, because for some reason the text of this error can't be copied from the portal:

    Caller needs data action: 'Microsoft.KeyVault/vaults/keys/read' to perform action on resource: /subscriptions/SUBID/resourceGroups/RGNAME/providers/Microsoft.KeyVault/vaults/VAULTNAME. For more information, please see: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide

    No comments

  4. answered 2022-02-03T05:08:57.907+00:00
    Ajeet Mishra 1 Reputation point

    I was facing the same issue, having only Service Administrator but not Owner. The error went away after making myself Owner, and I was able to finish the encryption (enabling Azure Disk Encryption).

    No comments