This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 31%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
I am trying to create a storage account with CMK and using a user-assigned managed identity. The Terraform script I am using looks correct but running it throws this error and not sure why. The error message is not clear. I uploaded my tf file here for debugging.
If we assigned both "UserAssigned" and "SystemAssigned" as identities to a storage account which one is used for performing the encryption. What is the user for having both types of identities assigned to a storage account encryption?
If we assign a "UserAssigned" Identity, then this identity should have access to get/wrap/unwrap the encryption key from the vault (thru vault policies). Is this enough for this use case. Is there any additional permission given to the storage account?
@Jeeva
Thank you for your post!
.txt, I saw some Network ACLS - when creating your Key Vault are you creating Networking rules? .txt, it seems like everything is creating successfully until you get to the creation of CMK. Have you tried manually enabling CMK within the Portal to see if it works with the currently deployed resources? Additional Links:
Azure Key Vault REST API Error Codes
Common error codes for Azure Key Vault
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Could you clarify the significance of having both UserAssigned and SystemAssigend identities for the Storage accounts for CME Key?
I can see it assigns two identities to the storage account but not sure which one is used to retrieving the encryption key from Key Vault?
@Jeeva
Thank you for following up on this and I apologize for the delayed response!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
@Jeeva
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 5%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVD%3C/text%3E%3C/svg%3E)
I have the same issue, the only difference is I am using a system-assigned identity and on the key vault, access is through RBAC. The key vault key officer role is granted to system-managed identity, which is verified too.
It is not yet solved.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 47%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
I'm having same issue, as there been any movement on this?