1
votes

We're trying to create an ARM template which will allow us to specify our own encryption key. I have the script below; it encrypts the storage account, but it doesn't allow us to add our own key.

Is there a way to add it programmatically? I know it can be done using the portal.

The script I have is:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageNamePrefix": {
      "type": "string",
      "metadata": {
        "description": "The prefix string to add to a generated name."
      }
    },
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_RAGRS",
        "Standard_ZRS",
        "Premium_LRS"
      ],
      "metadata": {
        "description": "Storage Account type."
      }
    },
    "blobEncryptionEnabled": {
      "type": "bool",
      "defaultValue": true,
      "allowedValues": [
        true,
        false
      ],
      "metadata": {
        "description": "Enable or disable Blob encryption."
      }
    }
  },
  "variables": {
    "storageAccountName": "[tolower( concat( parameters('storageNamePrefix'), uniqueString(subscription().id, resourceGroup().id) ))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[variables('storageAccountName')]",
      "apiVersion": "2016-01-01",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "Storage",
      "properties": {
        "encryption": {
          "keySource": "Microsoft.Storage",
          "services": {
            "blob": {
              "enabled": "[parameters('blobEncryptionEnabled')]"
            }
          }
        }
      }
    }
  ],
  "outputs": {
    "storageAccountName": {
      "type": "string",
      "value": "[variables('storageAccountName')]"
    }
  }
}

I've seen this on Azure Quickstart Templates, which seems to have the title of what I need, but I can't see where or how to add the key I would like to use.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_RAGRS",
        "Standard_ZRS",
        "Premium_LRS"
      ],
      "metadata": {
        "description": "Storage Account type."
      }
    },
    "blobEncryptionEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Enable or disable Blob encryption at Rest."
      }
    }
  },
  "variables": {
    "storageAccountName": "[tolower( concat('sawithsse', substring(parameters('storageAccountType'), 0, 2), uniqueString(subscription().id, resourceGroup().id) ))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[variables('storageAccountName')]",
      "apiVersion": "2016-12-01",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "Storage",
      "properties": {
        "encryption": {
          "keySource": "Microsoft.Storage",
          "services": {
            "blob": {
              "enabled": "[parameters('blobEncryptionEnabled')]"
            }
          }
        }
      }
    }
  ],
  "outputs": {
    "storageAccountName": {
      "type": "string",
      "value": "[variables('storageAccountName')]"
    }
  }
}

The portal way of enabling customer key for encryption is outlined in the below link:

https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys

This link mentions the ability to use PowerShell, but I can't find any reference for it.

Hope this makes sense.

Thanks in advance. :)

1
Maybe you could check this link. (Shui shengbao)

1 Answer

1
votes

Something like this:

"properties": {
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyvaultproperties": {
            "keyname": "xxx",
            "keyvaulturi": "xxx",
            "keyversion": "xxx"
        }
    }
}

Source: https://docs.microsoft.com/en-us/rest/api/storagerp/storageaccounts/create#keyvaultproperties

Another way: do it with PowerShell, add -Debug, capture the REST call and port it to the template.
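The answer shows only the `encryption` block. A storage account can only unwrap a key it is allowed to read, so a deployable template also needs an identity for the storage account and a Key Vault access policy granting that identity `get`, `wrapKey` and `unwrapKey` on the key. The template below is an added example, not the question's or the answer's code, and it is not taken from Azure Quickstart Templates. It assumes the newer user-assigned identity path (`encryption.identity.userAssignedIdentity`, available in storage account API versions from 2021 on) rather than the system-assigned identity of the original question, because a user-assigned identity can be granted access before the storage account exists and so avoids a two-phase deployment. Resource names, the `storage-cmk` key name and the `-id` suffix are constructed for this example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageNamePrefix": { "type": "string", "maxLength": 11 },
    "keyVaultName": { "type": "string" },
    "keyName": { "type": "string", "defaultValue": "storage-cmk" }
  },
  "variables": {
    "storageAccountName": "[tolower(concat(parameters('storageNamePrefix'), uniqueString(subscription().id, resourceGroup().id)))]",
    "identityName": "[concat(variables('storageAccountName'), '-id')]",
    "identityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]",
    "vaultId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
    "keyId": "[resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), parameters('keyName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2018-11-30",
      "name": "[variables('identityName')]",
      "location": "[resourceGroup().location]"
    },
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[variables('identityId')]" ],
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "standard" },
        "enableSoftDelete": true,
        "enablePurgeProtection": true,
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(variables('identityId'), '2018-11-30').principalId]",
            "permissions": { "keys": [ "get", "wrapKey", "unwrapKey" ] }
          }
        ]
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('keyVaultName'), '/', parameters('keyName'))]",
      "dependsOn": [ "[variables('vaultId')]" ],
      "properties": { "kty": "RSA", "keySize": 2048 }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "[variables('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "dependsOn": [ "[variables('keyId')]" ],
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": { "[variables('identityId')]": {} }
      },
      "properties": {
        "encryption": {
          "identity": { "userAssignedIdentity": "[variables('identityId')]" },
          "keySource": "Microsoft.Keyvault",
          "keyvaultproperties": {
            "keyname": "[parameters('keyName')]",
            "keyversion": "[last(split(reference(variables('keyId'), '2019-09-01').keyUriWithVersion, '/'))]",
            "keyvaulturi": "[reference(variables('vaultId'), '2019-09-01').vaultUri]"
          },
          "services": { "blob": { "enabled": true }, "file": { "enabled": true } }
        }
      }
    }
  ]
}
```

The access policy is deliberately limited to the three key operations the storage service needs; the identity gets no secret or certificate rights and cannot delete or export the key. Soft delete and purge protection are enabled on the vault because a customer-managed key that is purged makes every blob encrypted under it unrecoverable. `keyversion` is read back from the key resource and pinned, so rotating the key means redeploying with the new version; the ARM function `last(split(...))` is used only because the REST API expects the bare version string while the key resource exposes the full versioned URI.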