azure-cli: az storage account update generates an error : "Keyvault policy recoverable is not set"

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug

When you run az storage account update to enable CMK encryption, an error occurs: “Keyvault policy recoverable is not set”

The same operation works fine in the GUI. After a successful run in the GUI and reverting this configuration back to “encryption type: MMS”, the CLI command starts to work as expected.

To Reproduce

Steps to reproduce the behavior:

rg_name=satest06
keyvault_name=satest02kv6
region=eastus2
key_name=key06
sa_name=satest02sa6

# Vault is created with soft delete explicitly disabled; storage account gets a system-assigned identity
az keyvault create --name $keyvault_name --resource-group $rg_name --location $region --sku standard --enable-soft-delete false
az storage account create --name $sa_name --resource-group $rg_name --assign-identity
az keyvault key create --name $key_name --vault-name $keyvault_name --kty RSA --ops encrypt decrypt wrapKey unwrapKey sign verify --size 2048

# Grant the storage account's managed identity the key permissions CMK needs (get/wrapKey/unwrapKey)
spn=$(az storage account show --name $sa_name --resource-group $rg_name --query identity.principalId | tr -d '"')
az keyvault set-policy --name $keyvault_name --resource-group $rg_name --object-id $spn --key-permissions get unwrapkey wrapkey

# Vault URI and key version id (the 6th '/'-separated field of the key identifier URL)
key_vault_uri=$(az keyvault show --name $keyvault_name --resource-group $rg_name --query properties.vaultUri --output tsv)
key_version=$(az keyvault key list-versions --name $key_name --vault-name $keyvault_name --query "[].kid" --output tsv | cut -d '/' -f 6)

# Switch the storage account encryption to the customer-managed key; this is the command that fails
az storage account update --name $sa_name \
  --resource-group $rg_name \
  --encryption-key-name $key_name \
  --encryption-key-version $key_version \
  --encryption-key-source Microsoft.Keyvault \
  --encryption-key-vault $key_vault_uri

Expected behavior

Expected behavior is an enabled CMK encryption:

"encryption": {
  "keySource": "Microsoft.Keyvault",
  "keyVaultProperties": {
    "currentVersionedKeyIdentifier": "https://XXXXXX.vault.azure.net/keys/key05/795196cb3fdc434c951d0a5520429ce4",
    "keyName": "key05",
    "keyVaultUri": "https://XXXXXXX.vault.azure.net/",
    "keyVersion": "795196cb3fdc434c951d0a5520429ce4",
    "lastKeyRotationTimestamp": "2020-02-25T13:10:19.3276684Z"
  }
}

Environment summary

OS version: CentOS Linux release 7.7.1908 (Core)
Az cli version: 2.1.0
Shell type: bash


About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 21 (7 by maintainers)

Most upvoted comments

Sorry for the late response. Have you enabled purge protection for the keyvault? If not, please use the following command to enable it:

az keyvault create -n {vault} -g {rg} --enable-purge-protection
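The reproduction script above creates the vault with soft delete disabled, and the maintainer's answer is to turn on purge protection; the error text itself names neither setting. The following pre-flight check is an added example, not code from the issue or from the azure-cli project: it reads the vault's properties JSON and reports which of the two recoverability settings is missing before `az storage account update` is attempted. It assumes the field names `enableSoftDelete` and `enablePurgeProtection` as printed by `az keyvault show --query properties -o json`, that `az keyvault update` accepts the same `--enable-soft-delete` / `--enable-purge-protection` flags as `az keyvault create` in the reader's CLI version, and uses constructed sample documents rather than output captured from a real vault.

```shell
#!/bin/sh
# Added example (not from the issue or azure-cli): map the opaque
# "Keyvault policy recoverable is not set" error to the two Key Vault settings
# the storage service requires before it accepts a customer-managed key, and
# run that check before `az storage account update` rather than after it fails.
#
# Assumptions: the JSON is the `properties` object printed by
#   az keyvault show -n "$keyvault_name" -g "$rg_name" --query properties -o json
# and the field names enableSoftDelete / enablePurgeProtection are the ones the
# CLI prints for those settings (the repro script sets the first to false).

# Print "true", "false" or "" (absent or null) for a boolean key in a flat JSON
# document. Only POSIX sh and tr, so it runs where jq is not installed.
json_bool() {
  compact=$(printf '%s' "$1" | tr -d ' \n\r\t')
  case "$compact" in
    *"\"$2\":true"*)  echo true ;;
    *"\"$2\":false"*) echo false ;;
    *)                echo "" ;;
  esac
}

# Return 0 when the vault is recoverable (soft delete AND purge protection both
# enabled), 1 otherwise, printing the remediation command for each missing
# setting. $1 = properties JSON, $2 = vault name, $3 = resource group.
vault_is_recoverable() {
  props=$1; vault=$2; rg=$3; ok=0
  if [ "$(json_bool "$props" enableSoftDelete)" != true ]; then
    echo "soft delete is off:      az keyvault update -n $vault -g $rg --enable-soft-delete true"
    ok=1
  fi
  if [ "$(json_bool "$props" enablePurgeProtection)" != true ]; then
    echo "purge protection is off: az keyvault update -n $vault -g $rg --enable-purge-protection true"
    ok=1
  fi
  return $ok
}

# Constructed sample documents (not captured from a real vault). The first is
# the state the issue's reproduction script produces; the CLI prints null for
# purge protection when it was never set.
VAULT_NO_RECOVERY='{ "enableSoftDelete": false, "enablePurgeProtection": null, "sku": { "name": "standard" } }'
VAULT_SOFT_DELETE_ONLY='{ "enableSoftDelete": true, "enablePurgeProtection": false }'
VAULT_RECOVERABLE='{ "enableSoftDelete": true, "enablePurgeProtection": true }'

# Stand-alone run: the repro vault fails the check and gets both remediations.
vault_is_recoverable "$VAULT_NO_RECOVERY" satest02kv6 satest06 \
  || echo "vault is not recoverable; storage account update would be rejected"
```

Against a live vault, replace the sample with `props=$(az keyvault show -n "$keyvault_name" -g "$rg_name" --query properties -o json)` and call `vault_is_recoverable "$props" "$keyvault_name" "$rg_name"` before the `az storage account update` step. Purge protection can only be enabled on a vault that already has soft delete on, and once enabled it cannot be turned off, which is exactly the guarantee the storage service is asking for: a key that encrypts account data must not be deletable out from under it.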