Azure / AppConfiguration

Questions, feedback and samples for Azure App Configuration service
MIT License

Can't enable encryption using Customer Managed Key #991

Open Pavkum007 opened 2 weeks ago

Pavkum007 commented 2 weeks ago

I can't enable encryption using Customer Managed Key.

The following resources are created:

  1. User Assigned managed identity
  2. Azure KeyVault with a RSA key added

The identity is assigned Contributor on the subscription, and the Key Vault Crypto Officer and Key Vault Crypto Service Encryption User roles on the Key Vault.

Now I am trying to create an App Configuration store from the Azure portal. When I enable "Customer Managed Key" in the Encryption tab and select the identity, Key Vault and key, I get the following error on the screen: "The selected identity must have “get”, “wrapKey” and “unwrapKey” permissions on the managed key."


I am not sure what the issue is here. Can you please help?

Pavkum007 commented 2 weeks ago

Hi Team, can you please help here?

juniwang commented 2 weeks ago

Hi @Pavkum007, thanks for reaching out. We're aware of this issue and are currently working to reproduce and identify the root cause. We'll keep you updated.

jiayi11 commented 1 week ago

Hi @Pavkum007, thanks for reporting this issue. This is a code defect in the portal; the fix for this issue will be deployed in the next round of releases in the next few weeks. I'll let you know as soon as I have a more specific date. In the meantime, as a workaround, could you try to create the store first without enabling encryption, and then enable it from the "Encryption" blade of the store?

Pavkum007 commented 1 week ago

Hello @jiayi11, I tried enabling encryption after the creation of the App Configuration store in the portal. But it expects a System Assigned Identity / User Assigned Identity to be enabled/added for the App Configuration store, and only then can encryption be enabled. I did this, and was able to enable encryption.

Is it always the case that, to enable encryption, a System/User Assigned Identity must be enabled as a prerequisite?

What does the flow look like when enabling encryption while creating the App Configuration store (instead of after creation)?

Because this same behavior needs to be incorporated if users are creating the App Configuration store via Terraform, Bicep, etc.

jiayi11 commented 1 week ago

@Pavkum007 Are you going to use a system assigned or user assigned identity to enable encryption? Enabling encryption requires the identity's ClientId and the key vault's KeyId. If you're going to use a user assigned identity, assigning the identity to the store is not a prerequisite: you can add it to the store and use its clientId to enable encryption in the same request, or within the same deployment template that creates the store (that's how the portal's create-store flow works). But if you need to use a system assigned identity, creating the system assigned identity would be a prerequisite, as you will need to create it to get the clientId before using it for encryption.
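The single-deployment flow described in the comment above, as an added Bicep example that is not from this thread or the AppConfiguration repository: the user-assigned identity, the vault, the RSA key, the vault-scoped role assignment and the store with CMK encryption are all declared in one template, so the store never needs a pre-existing identity. Resource names and the role-definition GUID are parameters the caller supplies; the GUID is assumed to be looked up from the Azure built-in roles reference, and the role name used is the one the issue reporter assigned.

```bicep
param location string = resourceGroup().location
param storeName string   // hypothetical name, e.g. 'appcfg-cmk-demo'
param vaultName string   // hypothetical; Key Vault names are globally unique
// GUID of the built-in "Key Vault Crypto Service Encryption User" role (get/wrapKey/unwrapKey), supplied by the caller
param cryptoUserRoleId string

resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${storeName}-id'
  location: location
}
// CMK requires soft delete and purge protection on the vault.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
  }
}
resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: 'appcfg-cmk'
  properties: { kty: 'RSA', keySize: 2048 }
}
// Least privilege: only the wrap/unwrap role, scoped to this vault rather than the subscription.
resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, cryptoUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', cryptoUserRoleId)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
// Identity and encryption are set in the same request; no pre-existing identity on the store is needed.
resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {
  name: storeName
  location: location
  sku: { name: 'standard' }   // CMK needs the Standard tier
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${uami.id}': {} } }
  properties: {
    encryption: {
      keyVaultProperties: { keyIdentifier: cmk.properties.keyUri, identityClientId: uami.properties.clientId }
    }
  }
  dependsOn: [ kvRole ]   // the role assignment must exist before the service validates key access
}
```

If the deployment still fails with the "get, wrapKey, unwrapKey" validation error, the usual cause is role-assignment propagation lag; re-running the same deployment after a short wait is idempotent.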

Pavkum007 commented 1 week ago

I am using user assigned identity. Thank you @jiayi11 for the explanation. Got it working via Terraform, ARM template.

Will keep this thread open for updates on the bug fix on portal.