Getting error while performing azurerm_storage_account_customer_managed_key

I have a key vault AAA.

1. I have created a user-assigned identity BBB and given it access to the AAA key vault under access policies.
2. I have created a new key 'access-key' in the key vault with RSA-HSM encryption.
3. I am creating a new storage account.
4. I am adding the customer-managed key to the storage account like below.
```hcl
resource "azurerm_key_vault_key" "key" {
  name         = "access-key"
  key_vault_id = var.app_root_key_vault_id
  key_type     = "RSA-HSM"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

resource "azurerm_user_assigned_identity" "UserMangedIdentity" {
  resource_group_name = var.resource_group.name
  location            = var.resource_group.location
  name                = "keyvaultidentity"
}

resource "azurerm_storage_account_customer_managed_key" "encryption" {
  storage_account_id        = azurerm_storage_account.storageaccount.id
  key_vault_id              = var.key_vault_id
  key_name                  = azurerm_key_vault_key.key.name
  user_assigned_identity_id = azurerm_user_assigned_identity.UserMangedIdentity.id
}
```
But while adding this encryption I am getting the error below:

```text
storage.AccountsClient#Update: Failure responding to request: StatusCode=400 -- Original
Error: autorest/azure: Service returned an error. Status=400
Code="InvalidValuesForRequestParameters" Message="Values for request parameters are invalid:
properties.encryption.identity."
```
Solution 1:[1]
I tried to do the same in my environment by modifying the Terraform code like below:
```hcl
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "***********"
}

resource "azurerm_key_vault" "example" {
  name                     = "**********"
  location                 = data.azurerm_resource_group.example.location
  resource_group_name      = data.azurerm_resource_group.example.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "standard"
  purge_protection_enabled = true
}

resource "azurerm_key_vault_access_policy" "storage" {
  key_vault_id       = azurerm_key_vault.example.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_storage_account.example.identity.0.principal_id
  key_permissions    = ["Get"]
  secret_permissions = ["Get"]
}

resource "azurerm_key_vault_access_policy" "client" {
  key_vault_id       = azurerm_key_vault.example.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azurerm_client_config.current.object_id
  key_permissions    = ["Get"]
  secret_permissions = ["Get"]
}

resource "azurerm_key_vault_key" "example" {
  name         = "**********"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [
    azurerm_key_vault_access_policy.client,
    azurerm_key_vault_access_policy.storage,
  ]
}

resource "azurerm_user_assigned_identity" "UserMangedIdentity" {
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  name                = "keyvaultidentitytest"
}

resource "azurerm_storage_account" "example" {
  name                     = "************"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_storage_account_customer_managed_key" "example" {
  storage_account_id        = azurerm_storage_account.example.id
  key_vault_id              = azurerm_key_vault.example.id
  key_name                  = azurerm_key_vault_key.example.name
  user_assigned_identity_id = azurerm_user_assigned_identity.UserMangedIdentity.id
}
```
After running the above code, the storage account, UserManagedIdentity and key vault are created successfully in the Azure Portal without any error.

As I don't have permissions to create keys inside the created key vault, I am getting the error below:

Please try the above code in your environment; it should run without any issues. Let me know if the error still persists.
Reference: azurerm_storage_account_customer_managed_key | Resources | hashicorp/azurerm | Terraform Registry
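As an added example (not the question's or the answer's code), the configuration below attaches the user-assigned identity to the storage account itself, which is the identity `properties.encryption.identity` refers to, and grants that identity only the key permissions wrapping and unwrapping need. It assumes `var.key_vault_id` points at an existing vault with purge protection enabled and the premium SKU that RSA-HSM keys require, in which the deploying principal can already create keys; the `var.resource_group` inputs and the storage account name are placeholders.

```hcl
# Added example, not code from the question or the answer. var.* inputs and
# the storage account name are placeholders; the key vault is assumed to exist.
resource "azurerm_user_assigned_identity" "cmk" {
  name                = "keyvaultidentity"
  resource_group_name = var.resource_group.name
  location            = var.resource_group.location
}

# Least privilege for the identity the storage service uses: it only needs to
# read the key metadata and wrap/unwrap the data-encryption key with it.
resource "azurerm_key_vault_access_policy" "storage_cmk" {
  key_vault_id    = var.key_vault_id
  tenant_id       = azurerm_user_assigned_identity.cmk.tenant_id
  object_id       = azurerm_user_assigned_identity.cmk.principal_id
  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

resource "azurerm_key_vault_key" "key" {
  name         = "access-key"
  key_vault_id = var.key_vault_id
  key_type     = "RSA-HSM"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

# The identity named in user_assigned_identity_id must be assigned to the
# account; otherwise the service rejects properties.encryption.identity.
resource "azurerm_storage_account" "storageaccount" {
  name                     = "replacemestorage"
  resource_group_name      = var.resource_group.name
  location                 = var.resource_group.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.cmk.id]
  }
}

resource "azurerm_storage_account_customer_managed_key" "encryption" {
  storage_account_id        = azurerm_storage_account.storageaccount.id
  key_vault_id              = var.key_vault_id
  key_name                  = azurerm_key_vault_key.key.name
  user_assigned_identity_id = azurerm_user_assigned_identity.cmk.id

  # Make sure the access policy exists before the service first tries to wrap.
  depends_on = [azurerm_key_vault_access_policy.storage_cmk]
}
```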
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | SrideviMachavarapu-MT |