search

Azure / azure-service-operator

Azure Service Operator allows you to create Azure resources using kubectl
https://azure.github.io/azure-service-operator/
MIT License
741 stars 196 forks source link

Feature: Storage Account Creation with Encryption using Customer Managed Keys #4122

Closed ravichaudhary11 closed 2 months ago

ravichaudhary11 commented 4 months ago

I am trying to create storage account that uses customer-managed keys for encryption. Azure-Service Operator V2.7.0.

apiVersion: storage.azure.com/v1api20230101
kind: StorageAccount
metadata:
  name: standardcmk
  namespace: test
spec:
  azureName: clusterstandardcmk
  originalVersion: v1api20230101
  accessTier: Hot
  publicNetworkAccess: Disabled
  allowBlobPublicAccess: false
  location: westeurope
  kind: StorageV2
  sku:
   name: Standard_LRS
  owner:
    armId: /subscriptions/SUB_ID/resourceGroups/my-rg
  identity:
    type: UserAssigned
    principalId: Prinicpal_ID
    tenandId: Tenand-ID
    userAssignedIdentity: /subscriptions/SUB-ID/resourcegroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tst-identity
  encryption:
    keySource: Microsoft.Keyvault
    keyvaultproperties:
      keyvaulturi: https://vault_url
      keyname: ts-key-cmk
      keyversion: 9f56363yfhioh947990
    services:
      blob:
        keyType: Account
        enabled: true

EXPECTED Behaviour Account should get created with CMK

Error Missing pre-requisites to enable EncryptionAtRest/Customer Managed Key for this storage account. For more information, see - https://aka.ms/storagecmkconfiguration

RESPONSE 409: 409 Conflict ERROR CODE: FeatureNotSupportedForAccount

matthchr commented 4 months ago

Using customer-managed keys with Azure Storage encryption requires that both soft delete and purge protection be enabled for the key vault.

From the referenced aka.ms link, does your KeyVault have the correct configuration as per the requirements from storage?

ravichaudhary11 commented 4 months ago

Yes Both settings are enabled.

matthchr commented 4 months ago

have you also performed the required identity steps documented here?

It may be worth raising a support ticket on the StorageAccount. ASO is just sending this request to Azure and it is the Azure Storage service which is rejecting the request with an error. Unfortunately the error says "you must meet these prerequisites" but there are 4-5 different ones and it's not clear which one(s) you haven't satisfied.

Alternatively you can look at this ARM template example for storage accounts + CMK - you should be able to translate most/all of that into ASO resources. Possibly something in that template will jump you at you that you have not yet done via ASO.

ravichaudhary11 commented 3 months ago

Yes i granted this mentioned role "Key Vault Crypto Service Encryption User"to userassignedidentity on keyvault. And keyvault have soft-delete enabled, purge-protection enabled.

So above three conditions are satisfied. do you have other pre-requisites as well i see in the document these 3 are mentioned and satisfied. If there are other then please mention here.

matthchr commented 3 months ago

We're not sure what option you don't have set, but the storage API is rejecting the request because of the KeyVault configuration.

As mentioned above, recommend raising a support ticket for the StorageAccount and asking the support engineer to check which option is not configured correctly on the KeyVault.

theunrepentantgeek commented 2 months ago

No further response, so we're closing this. Feel free to reopen if needed.