azure-cli: az storage account update generates an error: "Keyvault policy recoverable is not set"
az feedback auto-generates most of the information requested below, as of CLI version 2.0.62
Describe the bug
When you run az storage account update to enable CMK encryption, an error occurs: “Keyvault policy recoverable is not set”.
The same operation works fine in the GUI. After a successful run in the GUI and reverting this configuration back to “encryption type:MMS”, the CLI command starts to work as expected.
To Reproduce
Steps to reproduce the behavior.
```bash
rg_name=satest06
keyvault_name=satest02kv6
region=eastus2
key_name=key06
sa_name=satest02sa6
az keyvault create --name $keyvault_name --resource-group $rg_name --location $region --sku standard --enable-soft-delete false
az storage account create --name $sa_name --resource-group $rg_name --assign-identity
az keyvault key create --name $key_name --vault-name $keyvault_name --kty RSA --ops encrypt decrypt wrapKey unwrapKey sign verify --size 2048
spn=$(az storage account show --name $sa_name --resource-group $rg_name --query identity.principalId | tr -d '"')
az keyvault set-policy --name $keyvault_name --resource-group $rg_name --object-id $spn --key-permissions get unwrapkey wrapkey
key_vault_uri=$(az keyvault show --name $keyvault_name --resource-group $rg_name --query properties.vaultUri --output tsv)
key_version=$(az keyvault key list-versions --name $key_name --vault-name $keyvault_name --query [].kid --output tsv | cut -d '/' -f 6)
az storage account update --name $sa_name \
  --resource-group $rg_name \
  --encryption-key-name $key_name \
  --encryption-key-version $key_version \
  --encryption-key-source Microsoft.Keyvault \
  --encryption-key-vault $key_vault_uri
```
Expected behavior
Expected behavior is an enabled CMK encryption.
```
"encryption": {
  "keySource": "Microsoft.Keyvault",
  "keyVaultProperties": {
    "currentVersionedKeyIdentifier": "https://XXXXXX.vault.azure.net/keys/key05/795196cb3fdc434c951d0a5520429ce4",
    "keyName": "key05",
    "keyVaultUri": "https://XXXXXXX.vault.azure.net/",
    "keyVersion": "795196cb3fdc434c951d0a5520429ce4",
    "lastKeyRotationTimestamp": "2020-02-25T13:10:19.3276684Z"
```
Environment summary
Install Method (e.g. pip, interactive script, apt-get, Docker, MSI, edge build) / CLI version (az --version) / OS version / Shell Type (e.g. bash, cmd.exe, Bash on Windows)
OS version: CentOS Linux release 7.7.1908 (Core)
Az cli version: 2.1.0
Shell type: bash
About this issue
- State: closed
- Created 4 years ago
- Comments: 21 (7 by maintainers)
Sorry for the late response. Have you enabled purge protection for the keyvault? If not, please use the following command to enable them:
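Added example (not part of the thread, and not the command the comment above refers to): a pre-flight check that reads the vault's soft-delete and purge-protection flags and only then runs the report's `az storage account update` call. The function names `vault_is_recoverable` and `enable_cmk` are hypothetical, and reading "recoverable" as "both flags enabled" is an assumption based on the reproduction steps and the maintainer's question.

```bash
# vault_is_recoverable VAULT RESOURCE_GROUP   (hypothetical helper name)
# Exit status: 0 = soft delete and purge protection are both enabled,
#              1 = at least one is off or was never set,
#              2 = the vault could not be read.
vault_is_recoverable() {
  local vault="$1" rg="$2" q out soft purge
  # Compare inside the JMESPath query so each column is always the string
  # "true" or "false", even when the property is null on the vault.
  q='[to_string(properties.enableSoftDelete == `true`), '\
'to_string(properties.enablePurgeProtection == `true`)]'
  out=$(az keyvault show --name "$vault" --resource-group "$rg" \
        --query "$q" --output tsv) || return 2
  # tsv prints one list element per line; word splitting separates them.
  set -- $out
  soft=${1:-false} purge=${2:-false}
  [ "$soft" = true ]  || echo "$vault: soft delete is not enabled" >&2
  [ "$purge" = true ] || echo "$vault: purge protection is not enabled" >&2
  [ "$soft" = true ] && [ "$purge" = true ]
}

# enable_cmk SA RESOURCE_GROUP VAULT KEY_NAME KEY_VERSION VAULT_URI
# Runs the storage account update from the report only when the vault
# passes the check above; otherwise returns the check's exit status.
enable_cmk() {
  vault_is_recoverable "$3" "$2" || return
  az storage account update --name "$1" --resource-group "$2" \
    --encryption-key-name "$4" --encryption-key-version "$5" \
    --encryption-key-source Microsoft.Keyvault --encryption-key-vault "$6"
}
```

With the report's variables this would be called as `enable_cmk "$sa_name" "$rg_name" "$keyvault_name" "$key_name" "$key_version" "$key_vault_uri"`.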