1
votes

I have added the properties below to an ARM template (link) to create storage accounts and encrypt them with customer-managed keys.

"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {
    "keyname": "xxxx",
    "keyversion": "xxxxxx",
    "keyvaulturi": "xxxxxxx"
}

But when I try to create this resource I get

"Missing pre-requisites to enable EncryptionAtRest/Customer Managed Key for this storage account."

1
I know the solution, but it seems you never accept others' answers. :-( - Joy Wang

1 Answer

0
votes

The reason is that the storage account service principal (managed identity) does not have access to the encryption key in Azure Key Vault. You cannot give the access in advance until the storage account (service principal - managed identity) is created.

But I see that the storage account managed identity is not created automatically. It is created at the time when we enable the encryption.
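
The ordering problem discussed above can be handled inside one ARM template by staging the work: create the account with a system-assigned identity, grant that identity key permissions, then switch the key source. This is an added example, not the asker's template or a Microsoft sample; it assumes the Key Vault already exists in the same resource group with soft delete and purge protection enabled, and the parameter names, API versions, SKU and the `enableCmk` deployment name are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": { "comments": "Added example. Parameter names, API versions, SKU and 'enableCmk' are assumptions." },
  "parameters": {
    "storageName": { "type": "string" }, "vaultName": { "type": "string" }, "vaultUri": { "type": "string" },
    "keyName": { "type": "string" }, "keyVersion": { "type": "string" }
  },
  "variables": { "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageName'))]" },
  "resources": [
    {
      "comments": "Stage 1: create the account with a system-assigned identity, still on Microsoft-managed keys.",
      "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01",
      "name": "[parameters('storageName')]", "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" }, "kind": "StorageV2",
      "identity": { "type": "SystemAssigned" }
    },
    {
      "comments": "Stage 2: grant that identity only get/wrapKey/unwrapKey on keys in the existing vault.",
      "type": "Microsoft.KeyVault/vaults/accessPolicies", "apiVersion": "2019-09-01",
      "name": "[concat(parameters('vaultName'), '/add')]",
      "dependsOn": [ "[variables('storageId')]" ],
      "properties": { "accessPolicies": [ {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[reference(variables('storageId'), '2019-06-01', 'Full').identity.principalId]",
        "permissions": { "keys": [ "get", "wrapKey", "unwrapKey" ] }
      } ] }
    },
    {
      "comments": "Stage 3: a nested deployment switches the same account to the customer-managed key.",
      "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "enableCmk",
      "dependsOn": [ "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('vaultName'), 'add')]" ],
      "properties": { "mode": "Incremental", "template": {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [ {
          "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01",
          "name": "[parameters('storageName')]", "location": "[resourceGroup().location]",
          "sku": { "name": "Standard_LRS" }, "kind": "StorageV2",
          "identity": { "type": "SystemAssigned" },
          "properties": { "encryption": {
            "services": { "blob": { "enabled": true }, "file": { "enabled": true } },
            "keySource": "Microsoft.Keyvault",
            "keyvaultproperties": { "keyname": "[parameters('keyName')]", "keyversion": "[parameters('keyVersion')]", "keyvaulturi": "[parameters('vaultUri')]" }
          } }
        } ] } }
    }
  ]
}
```

The `dependsOn` chain is what enforces the order: the access policy waits for the account's identity to exist, and the key source change waits for the access policy.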