azure-cli: az vm encryption enable doesn't allow for different key vault resource group

Description

The az vm encryption enable command does not allow specifying a different resource group for the key vault from the resource group the VM resides in. Az CLI 1.0 did allow for this. I can perform disk encryption via PowerShell, though, on the same VM and with the same Key Vault.


Environment summary

Install Method: Cloud Shell
CLI Version (az --version): 2.0
OS Version: Windows 10 15063.540
Shell Type: Cloud Shell in Azure portal

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 20 (8 by maintainers)

Most upvoted comments

I don’t see that a solution was provided here so I thought I’d post one:

In Azure CLI, when a Key Vault exists in a separate resource group, if you use the full Resource ID property of the Key Vault, instead of just the Key Vault name, it will work:

az vm encryption enable -g MyResourceGroupName --name MyVMName --disk-encryption-keyvault /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/MyResourceGroupName/providers/Microsoft.KeyVault/vaults/MyKeyVaultName
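The command above, turned into a small script (an added example, not code from the issue thread or from the azure-cli project). It builds the Key Vault's full ARM resource ID from the vault's own subscription, resource group and name, checks that the resource group embedded in that ID is the vault's group rather than the VM's (the mismatch the "does not match ... true resource id" error in this thread complains about), and only then calls az. The subscription ID, group names and vault name are constructed placeholders; the az calls are assumed to run against an existing VM and vault and are skipped unless RUN_ADE=1 is set, so the script can be sourced and checked offline.

```shell
#!/usr/bin/env bash
# Added example: pass a Key Vault in another resource group to `az vm encryption enable`
# by its full ARM resource ID. Names below are constructed placeholders, not real resources.

# Build the ARM resource ID of a Key Vault: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>
kv_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Return the resourceGroups segment of an ARM resource ID; fail (exit 1) if the ID is not in ARM shape.
rg_from_resource_id() {
  id="$1"
  # Fields split on "/": 1="" 2=subscriptions 3=<sub> 4=resourceGroups 5=<rg> 6=providers ...
  [ "$(printf '%s' "$id" | cut -d/ -f1,2,4,6)" = "/subscriptions/resourceGroups/providers" ] || return 1
  printf '%s' "$id" | cut -d/ -f5
}

# Succeed only if the group embedded in the vault ID is the vault's real group (ARM compares
# resource group names case-insensitively, so compare lower-cased).
check_vault_id_matches() {
  actual=$(rg_from_resource_id "$1") || return 1
  lhs=$(printf '%s' "$actual" | tr '[:upper:]' '[:lower:]')
  rhs=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ "$lhs" = "$rhs" ]
}

# Enable Azure Disk Encryption on a VM with a vault that lives in a different resource group.
# Assumes the VM and vault already exist and you are logged in with az (e.g. in Cloud Shell).
enable_ade() {
  vm_rg="$1"; vm_name="$2"; kv_rg="$3"; kv_name="$4"; kv_id="$5"
  # The vault must be enabled for disk encryption or the encryption call is rejected.
  az keyvault update --name "$kv_name" --resource-group "$kv_rg" --enabled-for-disk-encryption true
  # Key point from the thread: pass the vault's full resource ID, not just its name.
  az vm encryption enable --resource-group "$vm_rg" --name "$vm_name" --disk-encryption-keyvault "$kv_id"
  az vm encryption show --resource-group "$vm_rg" --name "$vm_name"
}

# Constructed placeholder values.
SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
VM_RG="TestRG"
VM_NAME="MyVMName"
KV_RG="MyKeyVaultRG"
KV_NAME="MyKeyVaultName"

KV_ID=$(kv_resource_id "$SUBSCRIPTION_ID" "$KV_RG" "$KV_NAME")

if ! check_vault_id_matches "$KV_ID" "$KV_RG"; then
  echo "vault resource ID does not name the vault's own resource group: $KV_ID" >&2
  exit 1
fi

# Only talk to Azure when explicitly asked and the CLI is present (assumption for offline use).
if [ "${RUN_ADE:-0}" = 1 ] && command -v az >/dev/null 2>&1; then
  enable_ade "$VM_RG" "$VM_NAME" "$KV_RG" "$KV_NAME" "$KV_ID"
fi
```

Run it with RUN_ADE=1 from a shell that is already logged in; without that variable it only builds and validates the ID, which is the part worth checking before touching a production VM.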

@tjprescott I provided the resourceID in this format: /subscriptions/3fd58db1-6100-4fa1-b575-5856e3364898/resourceGroups/s00140nrgpkvt00001/providers/Microsoft.KeyVault/vaults/s00140cnkvt00001

I provided a value of TestRG for the VM resource group, and I received this error message: key Vault https://s00140cnkvt00001.vault.azure.net/secrets/7CFFFBA6-5ACA-41E5-9FAE-72E9CD7629F6/876d366d2a8446e696c2b58847c26ce7 either has not been enabled for Volume Encryption or the vault id provided does not match /subscriptions/3fd58db1-6100-4fa1-b575-5856e3364898/resourceGroups/TestRG/providers/Microsoft.KeyVault/vaults/s00140cnkvt00001’s true resource id.

So even though the resourceID indicates belonging to a different resource group, it is still attempting to find the key vault in the TestRG resource group, which makes it sound like there’s a bug.