2
votes

I am unable to perform the Azure PowerShell command Add-AzureKeyVaultManagedStorageAccount, even though I am executing it under the subscription owner profile. I successfully create the key vault, storage account, and storage account key in the following manner:

# Create the key vault (enabled for disk encryption and ARM deployments)
$KeyVault = New-AzureRmKeyVault `
   -VaultName "<redacted>"  `
   -ResourceGroupName $ResourceGroup.ResourceGroupName `
   -Location $Location `
   -EnabledForDiskEncryption `
   -EnabledForDeployment `
   -Tag $Tags

# Create the storage account with blob/file encryption and a managed identity
$StorageAccount = New-AzureRmStorageAccount `
   -ResourceGroupName $ResourceGroup.ResourceGroupName `
   -Name "<redacted>"  `
   -SkuName Standard_LRS `
   -Location $Location `
   -Kind "Storage" `
   -EnableEncryptionService "Blob,File" `
   -Tag $Tags `
   -AssignIdentity

# Regenerate key1 of the new storage account
$StorageAccountKey = New-AzureRmStorageAccountKey `
   -ResourceGroupName $ResourceGroup.ResourceGroupName `
   -Name $StorageAccount.StorageAccountName `
   -KeyName "key1"

but trying to manage the storage account key in my key vault fails:

# Hand management of the storage account keys to Key Vault (this is the call that fails)
$KeyVaultManagedStorageAccount = Add-AzureKeyVaultManagedStorageAccount `
   -VaultName $KeyVault.VaultName `
   -AccountName $StorageAccount.StorageAccountName `
   -AccountResourceId $StorageAccount.Id `
   -ActiveKeyName "key1" `
   -Tag $Tags

This is the error. As I mentioned, I am executing under the subscription owner profile, so how can it not have authorization? Secondly, the "same redacted object Id" identified below does not correspond to any object in my subscription that I can find. I first experienced this problem with Azure Powershell 4.2.1, and have since upgraded to 4.3.0 and still have the problem.

Add-AzureKeyVaultManagedStorageAccount : The client '<same redacted object Id>' with object id '<same redacted object Id>' does not have authorization to perform action
'Microsoft.Authorization/permissions/read' over scope
'/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>/providers/Microsoft.Authorization'.
At E:\BitSync\Scripts\Azure\Create-Environment.ps1:129 char:34
+ ... VaultManagedStorageAccount = Add-AzureKeyVaultManagedStorageAccount `
+                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureKeyVaultManagedStorageAccount], KeyVaultErrorException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultManagedStorageAccount

BTW, there does not appear to be any way to manage Storage Account keys through Key Vault in the portal other than cut and paste.


1 Answers

6
votes

According to your error message, it is an RBAC issue: the service principal you are using does not have rights within that tenant.

Tenants have subscriptions and service principals belong to tenants. Azure resource manager also exposes role based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.

We can assign RBAC roles at the resource scope via the Azure portal; for more information about assigning RBAC roles, please refer to this link.

Note:
Key Vault needs permissions to list and regenerate keys for a storage account. We can use the following steps to do it:

Get the ObjectId of the Key Vault service principal:

Get-AzureRmADServicePrincipal -SearchString "Azure Key Vault"

Assign the Storage Key Operator role to the Azure Key Vault identity:

New-AzureRmRoleAssignment `
   -ObjectId <objectId of AzureKeyVault from previous command> `
   -RoleDefinitionName 'Storage Account Key Operator Service Role' `
   -Scope '<azure resource id of storage account>'

For more information about setting up role-based access control permissions, please refer to this article.

Update:

Also, we should set the Azure Key Vault access policy permissions for storage:

Set-AzureRmKeyVaultAccessPolicy `
   -VaultName 'jasonkey01' `
   -ResourceGroupName 'jasontest' `
   -ObjectId '556ca95d-2f50-4acd-b98e-a111b5b41b66' `
   -PermissionsToStorage 'all'

Here is the screenshot of my key vault:


In this way, we can use your script to add the storage account to the key vault.

Update2:
I have reproduced this error; the root cause is that we didn't grant permission to the service principal Azure Key Vault.

We can use this command to find the object id, which is the same as the one in your error message:

Get-AzureRmADServicePrincipal -SearchString "Azure Key Vault"

Then we grant permission to this service principal using this script:

New-AzureRmRoleAssignment `
   -ObjectId '2f6d671f-6c8d-4104-812a-390c5648aed0' `
   -RoleDefinitionName 'Storage Account Key Operator Service Role' `
   -Scope '/subscriptions/53847abb-xxxx-xxxx-xxxx-xxxxe29axxxx/resourceGroups/jasonkey/providers/Microsoft.Storage/storageAccounts/jasondisk321'

Here is my result:


Update3:
After running Add-AzureKeyVaultManagedStorageAccount, we should run this command to get the secret URI:

Set-AzureKeyVaultManagedStorageSasDefinition `
   -Service Blob `
   -ResourceType Container,Service `
   -VaultName yourKV `
   -AccountName msak01 `
   -Name blobsas1 `
   -Protocol HttpsOnly `
   -ValidityPeriod ([System.TimeSpan]::FromDays(1)) `
   -Permission Read,List

Here is the result:

For more information about getting the secret URI, please refer to this article.
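The steps spread across the answer and its updates, assembled into one script as an added example; this is not the asker's or the answerer's code. It assumes an existing resource group, storage account and key vault (all names below are placeholders), that the signed-in identity is a user rather than a service principal, and the same AzureRM cmdlet parameter set the answer shows. It also adds two things a practitioner would want: the role assignment is scoped to the single storage account and checked before it is created, and the access policy lists the storage permissions explicitly instead of 'all'.

```powershell
# Added example, not the poster's script. Placeholder names; replace before use.
$ResourceGroupName  = 'rg-placeholder'
$StorageAccountName = 'stplaceholder'
$VaultName          = 'kv-placeholder'

# 1. Resolve the first-party "Azure Key Vault" service principal in this tenant.
#    Its object id is the "client ... with object id ..." value in the error message.
$kvSp = Get-AzureRmADServicePrincipal -SearchString 'Azure Key Vault' |
        Select-Object -First 1
if (-not $kvSp) { throw 'Azure Key Vault service principal not found in this tenant.' }

$StorageAccount = Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName `
                                            -Name $StorageAccountName

# 2. Grant that principal only the built-in key-operator role, and only on this
#    storage account (it can list/regenerate keys, nothing else). Skip if present.
$roleName = 'Storage Account Key Operator Service Role'
$existing = Get-AzureRmRoleAssignment -ObjectId $kvSp.Id -Scope $StorageAccount.Id |
            Where-Object { $_.RoleDefinitionName -eq $roleName }
if (-not $existing) {
    New-AzureRmRoleAssignment -ObjectId $kvSp.Id `
                              -RoleDefinitionName $roleName `
                              -Scope $StorageAccount.Id | Out-Null
}

# 3. Give the signed-in user (not the Key Vault principal) the storage permissions
#    in the vault's access policy; these authorize the Add-/Set- cmdlets below.
#    Assumes the current context is a user account (Get-AzureRmADUser lookup).
$me = Get-AzureRmADUser -UserPrincipalName (Get-AzureRmContext).Account.Id
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
    -ObjectId $me.Id `
    -PermissionsToStorage get,list,set,delete,regeneratekey,getsas,listsas,setsas,deletesas

# 4. Hand key management to Key Vault: key1 is active, rotated every 90 days.
Add-AzureKeyVaultManagedStorageAccount -VaultName $VaultName -AccountName $StorageAccountName `
    -AccountResourceId $StorageAccount.Id -ActiveKeyName 'key1' `
    -RegenerationPeriod ([System.TimeSpan]::FromDays(90))

# 5. Define a short-lived, read-only, HTTPS-only blob SAS (parameter set as in the answer).
Set-AzureKeyVaultManagedStorageSasDefinition -VaultName $VaultName -AccountName $StorageAccountName `
    -Name 'blobreadsas' -Service Blob -ResourceType Container,Service -Protocol HttpsOnly `
    -Permission Read,List -ValidityPeriod ([System.TimeSpan]::FromHours(1))

# 6. Consumers read a fresh SAS token from the secret named '<account>-<sasdefinition>'
#    and never see the account key itself.
$sas = Get-AzureKeyVaultSecret -VaultName $VaultName -Name "$StorageAccountName-blobreadsas"
$sas.Id   # the secret URI the answer's Update3 refers to
```

Running step 1 first and comparing `$kvSp.Id` with the object id in the error message is a quick way to confirm the diagnosis before changing any role assignments: if they match, the failing caller is Key Vault's own principal, not the subscription owner, which is why owner rights on the subscription did not help.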