Closed marcosrivera-ms closed 3 years ago
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.
Author: | marcosrivera-ms |
---|---|
Assignees: | - |
Labels: | `Service Attention`, `Storage`, `customer-reported`, `needs-triage`, `question` |
Milestone: | - |
@marcosrivera-ms Would you please share why you think "Using Set-AzStorageAccount to change storage account to auto update enabled is not working when URI key is set."? What's the unexpected behavior?
From the debug log you shared, it seems the cmdlet ran successfully. The error log does not look related to the debug log; it should be some old error, like $key.Name having no value. As you have a successful debug log, this error should already be resolved.
@blueww Basically when the URI is set for the storage account, Cx wants to use Set-AzStorageAccount based on the mentioned link to use auto rotation for keys. When using this command, it shows succeeded but does not change it. If I set it to Microsoft Managed Keys 1st then re-run the command it also shows succeeded but it also correctly changes it to auto rotated keys. The expected behavior should be when using URI in Custom Managed keys and using this command to change to auto rotated, that it would change to auto rotated or throw a failure.
@marcosrivera-ms Thanks for clarifying this! I am clear on it now. The issue is: when the account already has keyvaultUri+KeyName+Keyversion, updating the account with only keyvaultUri+KeyName won't clean up the keyversion.
This is server behavior. I will check with the server team to see if there is any way to remove the keyversion directly (without setting the account to Microsoft-managed keys, then setting it back to keyvault), and update you later.
Btw, I think you are not blocked now, as you can set the account to Microsoft-managed keys, then set it back to keyvault.
@marcosrivera-ms Have raised PR https://github.com/Azure/azure-powershell/pull/14806 to fix this issue. Users can set keyversion to "" to enable key auto rotation after the fix is released.

```powershell
Set-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -KeyvaultEncryption -KeyName $key.Name -KeyVersion "" -KeyVaultUri $keyVault.VaultUri
```
@blueww Really appreciate the help. Do you know how long on average it would take for the fix to be released?
@marcosrivera-ms The next PowerShell release targets 5/4.
@marcosrivera-ms The fix is released in: GitHub: https://github.com/Azure/azure-powershell/releases/tag/v5.9.0-May2021 Gallery Module for Azure PowerShell: https://www.powershellgallery.com/packages/Az/5.9.0
I will close the issue. Feel free to contact us again if you need any further assistance on Azure Powershell.
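
Because the original behavior was a success result with no actual change, it helps to read the account back after clearing the key version. The following is an added example, not code from this thread or from the Az module: the function names `Test-PinnedKeyVersion` and `Enable-KeyAutoRotation` are hypothetical, the resource names are the placeholders from the command above, and it assumes Az 5.9.0 or later and an already signed-in session.

```powershell
# Added example. Assumes Az 5.9.0+ (the release that accepts -KeyVersion "").

function Test-PinnedKeyVersion {
    # True when the account uses customer-managed keys in Key Vault
    # and a specific key version is still set on it.
    param([Parameter(Mandatory)] $Account)
    $enc = $Account.Encryption
    return ($enc.KeySource -eq 'Microsoft.Keyvault') -and
           (-not [string]::IsNullOrEmpty($enc.KeyVaultProperties.KeyVersion))
}

function Enable-KeyAutoRotation {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AccountName
    )

    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $AccountName
    if (-not (Test-PinnedKeyVersion -Account $account)) {
        Write-Output "${AccountName}: no pinned key version, nothing to do."
        return
    }

    # Reuse the vault URI and key name already on the account; clear only the version.
    $kv = $account.Encryption.KeyVaultProperties
    Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -AccountName $AccountName `
        -KeyvaultEncryption -KeyName $kv.KeyName -KeyVersion "" `
        -KeyVaultUri $kv.KeyVaultUri | Out-Null

    # Do not trust the cmdlet's success output alone: re-read and verify.
    $after = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $AccountName
    if (Test-PinnedKeyVersion -Account $after) {
        $still = $after.Encryption.KeyVaultProperties.KeyVersion
        throw "${AccountName}: KeyVersion is still '$still' after the update."
    }
    Write-Output "${AccountName}: key version cleared, automatic key version updates enabled."
}

# Placeholder names taken from the sample command in this thread.
Enable-KeyAutoRotation -ResourceGroupName 'MyResourceGroup' -AccountName 'mystorageaccount'
```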
Description
Using Set-AzStorageAccount to change storage account to auto update enabled is not working when URI key is set. This does not even produce an error and shows succeeded output when running the script provided in the URL below. https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=powershell#configure-encryption-for-automatic-updating-of-key-versions
This works when the Storage Account Encryption is set to Microsoft-managed keys, but not when Customer-managed keys is set to use a key URI.
Steps to reproduce
Environment data
Module versions
Debug output
Error output