Unable to create automation account with customer-managed key

neok-g 36 Reputation points
2024-07-06T12:22:13.28+00:00

Hi,

I am trying to deploy an automation account with a customer-managed key via Bicep but it keeps resulting in an Internal Server Error (HTTP Status Code: 500). I am using the Bicep reference at https://learn.microsoft.com/en-us/azure/templates/microsoft.automation/automationaccounts?pivots=deployment-language-bicep

I have 2 key vaults setup:

  • One key vault configured with access policies: I configured a user assigned identity with all key permissions and the system assigned identity of the automation account with all key permissions. Both are failing.
  • One key vault with RBAC enabled. I assigned the role Key Vault Crypto Service Encryption User to the user assigned identity, which is failing as well with the same error.

Are there any working examples with Bicep for deployment of an automation account with a customer-managed key? I have set this up for a storage account without any issues.

Moreover, I also don't see an encryption menu option to set up CMK for an automation account via the Azure Portal.

Thanks in advance!

Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.

2 answers

  1. Vinodh247 13,961 Reputation points
    2024-07-07T07:53:42.5633333+00:00

    Hi neok-g,

    Thanks for reaching out to Microsoft Q&A.

    Ensure both key vaults and Bicep templates are correctly configured and accessible. Also, the role assignment for the user assigned identity should grant the “Key Vault Crypto Service Encryption User” role. Ensure that the role assignment is correctly set up.

    Internal Server Error (HTTP Status Code: 500).

    This error often indicates a server-side issue. If the feature is not supported, it might trigger this error.

    Are there any working examples with bicep for deployment of an automation account with customer managed key?

    Bicep template for deploying an Azure Automation Account without CMK:

    // Minimal automation account. There is no encryption block, so the
    // service falls back to a Microsoft-managed key.
    resource automationAccount 'Microsoft.Automation/automationAccounts@2020-01-13-preview' = {
      name: 'myAutomationAccount'
      location: resourceGroup().location
      properties: {
        sku: {
          name: 'Basic'
        }
      }
    }

    output automationAccountName string = automationAccount.name


    Moreover I also don't see an encryption menu option to setup CMK for an automation account via the Azure Portal.

    As of now, there isn’t a direct encryption menu option for setting up CMK for an automation account via the Azure Portal.

    Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.


  2. neok-g 36 Reputation points
    2024-07-08T09:00:25.5466667+00:00

    Thanks for your answer.

    I am now a step further, although I am getting a BadGateway error, see below.

    This is probably caused by the keyvault that stores the CMK which has public access disabled because of company policy.

    Our key vault configuration:

    • Private endpoint (approved)
    • Private DNS zone privatelink.vaultcore.azure.net with A-record for keyvault private IP address
    • Private DNS zone has a virtual network link to the vnet

    If I enable the option "Allow public access from all networks" on the key vault (which is not what I want) it works. So based on that it does not seem to be a permission/RBAC issue but more a network-related issue.

    As far as I know this should be a supported scenario?

    "Automation account received a 'forbidden' response from the key vault '' while accessing key ''. Possible reason(s) for forbidden response could be disabling wrap/unwrap operation on the key, removing wrap/unwrap permission from managed identity of the automation account or key is expired. For more details see aka.ms/AACMKTroubleshooting"
    
    0 comments No comments
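    The vault configuration the follow-up describes (public access off, a private endpoint, and the privatelink.vaultcore.azure.net zone linked to the VNet), written out as Bicep. This is an added example, not the poster's own template; names are constructed and the API versions are assumptions to verify against the current resource reference. The thread reports that the Automation CMK deployment fails against a vault in this state and works once public access is re-enabled, and it does not establish a fix, so this block is the baseline to diagnose from rather than a solution.

```bicep
// Added example, not the poster's template. Assumptions: API versions are to be
// verified; vnetId/subnetId point at an existing network; names are constructed.
param location string = resourceGroup().location
param keyVaultName string = 'kv-cmk-example'     // constructed name
param vnetId string                              // existing VNet to link the DNS zone to
param subnetId string                            // subnet that hosts the private endpoint
param tenantId string = subscription().tenantId

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true      // RBAC model, as in the poster's second vault
    enableSoftDelete: true
    enablePurgeProtection: true        // protects a key that encrypts other resources
    publicNetworkAccess: 'Disabled'    // the setting the poster has to flip to 'Enabled' to make CMK work
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'          // admits services on Key Vault's trusted-services list only
    }
  }
}

// Private endpoint for the vault's 'vault' sub-resource.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-${keyVaultName}'
  location: location
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'kv-connection'
        properties: {
          privateLinkServiceId: keyVault.id
          groupIds: [
            'vault'
          ]
        }
      }
    ]
  }
}

resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.vaultcore.azure.net'
  location: 'global'
}

// Virtual network link so resolvers in the VNet answer from this zone.
resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: 'link-${keyVaultName}'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: vnetId
    }
    registrationEnabled: false
  }
}

// Lets the platform maintain the A record for the endpoint's private IP,
// instead of the hand-maintained record described in the post.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'vaultcore'
        properties: {
          privateDnsZoneId: privateDnsZone.id
        }
      }
    ]
  }
}

output keyVaultUri string = keyVault.properties.vaultUri
```

    The one vault-side knob worth checking against this error is `networkAcls.bypass: 'AzureServices'`: it lets services on Key Vault's trusted-services list through the firewall while public access stays denied. Whether the Automation CMK path is on that list is not settled in this thread, so confirm it in the Key Vault networking documentation rather than assuming. The private DNS zone group replaces the manually created A record, which also avoids a stale IP if the endpoint is ever recreated.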