ARM Deployment of Synapse Analytics with CMK

Christopher Mühl 106 Reputation points
2022-02-09T21:01:49.5+00:00

Hello community,

I would like to deploy an Azure Synapse Analytics Workspace using an ARM template with a Custom Managed Key.
For this I am using the latest ARM template version 2021-06-01.
https://learn.microsoft.com/en-us/azure/templates/microsoft.synapse/workspaces

Previously I have already created a KeyVault via another ARM template, deployed a key in it and have authorized a UserAssignedIdentity on the KeyVault.

Now I want to use this UserAssignedIdentity in the Synapse ARM template to retrieve the CMK from the KeyVault.

Currently my template is failing because the ManagedIdentity of the workspace and not the UserAssignedIdentity is trying to access the KeyVault.
"code": "CustomerManagedKeyPermissionMissing",
"message": "Could not perform a 'Get' operation on the workspace encryption key. Make sure that the workspace Managed Identity has 'Get', 'WrapKey' and 'UnwrapKey' access to the KeyVault through the KeyVault's Access Policies or through RBAC."

Besides the fact that I don't know how to authorize the SystemAssignedIdentity on the KeyVault when the SystemAssignedIdentity or the Workspace doesn't even exist yet, I actually just want to tell the template "Please use the UserAssignedIdentity and not the SystemAssignedIdentity".

For this I found the property "useSystemAssignedIdentity". (https://learn.microsoft.com/en-us/azure/templates/microsoft.synapse/workspaces?tabs=json#kekidentityproperties)
The property requires an object, however I expect a boolean value to be specified here and unfortunately I haven't found an example anywhere.

How must the property "useSystemAssignedIdentity" be filled, so that the UserAssignedIdentity is used for the access?

Attached is a screenshot of my current ARM template.

Thanks in advance!
Christopher

172714-2022-02-09-21-58-24.png

Azure Synapse Analytics
Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.
4,395 questions
0 comments
Accepted answer
  1. KranthiPakala-MSFT 46,422 Reputation points Microsoft Employee
    2022-02-11T07:50:13.407+00:00

    Hello @Christopher Mühl ,

    Thanks for the question and using MS Q&A platform.

    My understanding is that you are trying to create a synapse workspace using ARM template using UserAssingedIdentity and you are receiving above error. Please correct if I'm not accurate.

    From the above error message, it complains that your UserAssignedIdentity (I know errror says Managed Identity, which means User Assigned Managed Identity with regards to your scenario) doesn't have the Get permission on the AzureKeyVault. I see you already stated that UserAssignedIdentity has already been authorized for the keyvalut, but could you please re-confirm if the below access policies/permissions are granted to it?

    • Get (to read the public part of a key)
    • WrapKey (to insert a key into Key Vault when creating a new key).
    • UnwrapKey (to get the key for decryption).

    For more info, please refer to this doc: Using a User-assigned Managed identity

    Also, could you please confirm if your Azure Key Vault is behind a firewall? The reason I would like to validate this is because a User-assigned Managed Identity cannot be configured to access customer-managed key when Azure Key Vault is behind a firewall.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest