Azure / azure-service-operator

Azure Service Operator allows you to create Azure resources using kubectl
https://azure.github.io/azure-service-operator/
MIT License
702 stars, 188 forks

Feature: Storage Account Creation with Encryption using Customer Managed Keys #4122

Open ravichaudhary11 opened 1 week ago

ravichaudhary11 commented 1 week ago

I am trying to create a storage account that uses customer-managed keys for encryption. Azure Service Operator v2.7.0.

apiVersion: storage.azure.com/v1api20230101
kind: StorageAccount
metadata:
  name: standardcmk
  namespace: test
spec:
  azureName: clusterstandardcmk
  originalVersion: v1api20230101
  accessTier: Hot
  publicNetworkAccess: Disabled
  allowBlobPublicAccess: false
  location: westeurope
  kind: StorageV2
  sku:
    name: Standard_LRS
  owner:
    armId: /subscriptions/SUB_ID/resourceGroups/my-rg
  # Managed identity the account uses to reach the key vault (placeholder IDs)
  identity:
    type: UserAssigned
    principalId: PRINCIPAL_ID
    tenantId: TENANT_ID
    userAssignedIdentity: /subscriptions/SUB-ID/resourcegroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tst-identity
  # Customer-managed key: the account's key comes from Key Vault, not Microsoft.Storage
  encryption:
    keySource: Microsoft.Keyvault
    keyvaultproperties:
      keyvaulturi: https://vault_url
      keyname: ts-key-cmk
      keyversion: 9f56363yfhioh947990
    services:
      blob:
        keyType: Account
        enabled: true

EXPECTED Behaviour: Account should get created with CMK

Error: Missing pre-requisites to enable EncryptionAtRest/Customer Managed Key for this storage account. For more information, see - https://aka.ms/storagecmkconfiguration

RESPONSE 409: 409 Conflict ERROR CODE: FeatureNotSupportedForAccount

matthchr commented 3 days ago

Using customer-managed keys with Azure Storage encryption requires that both soft delete and purge protection be enabled for the key vault.

From the referenced aka.ms link, does your KeyVault have the correct configuration as per the requirements from storage?
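A pre-flight check for those prerequisites, as an added example that is not code from the operator or from this thread: it reads the JSON that `az keyvault show --name <vault> -o json` returns (its `properties.enableSoftDelete`, `enablePurgeProtection` and `vaultUri` fields) next to the relevant part of the StorageAccount spec, and lists whatever would still block CMK; the vault JSON, vault name and manifest values below are constructed placeholders.

```python
import json

# Constructed sample of `az keyvault show --name <vault> -o json`, trimmed to the
# properties that matter here; purge protection is deliberately left off.
VAULT_JSON = json.dumps({"properties": {
    "enableSoftDelete": True,
    "enablePurgeProtection": False,
    "vaultUri": "https://example-vault.vault.azure.net/",
}})

# Constructed sample mirroring the issue's StorageAccount spec (placeholder values).
MANIFEST = {"spec": {
    "identity": {"type": "UserAssigned"},
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyvaultproperties": {
            "keyvaulturi": "https://example-vault.vault.azure.net/",
            "keyname": "ts-key-cmk",
            "keyversion": "KEY_VERSION_PLACEHOLDER",
        },
    },
}}


def vault_problems(vault_json: str) -> list:
    """Key-vault prerequisites for storage CMK that are not met (empty = OK)."""
    props = json.loads(vault_json).get("properties", {})
    problems = []
    if not props.get("enableSoftDelete"):
        problems.append("soft delete is not enabled on the key vault")
    if not props.get("enablePurgeProtection"):
        problems.append("purge protection is not enabled on the key vault")
    return problems


def manifest_problems(manifest: dict, vault_json: str) -> list:
    """Spec-level gaps for a StorageAccount whose keySource is Microsoft.Keyvault."""
    spec = manifest.get("spec", {})
    enc = spec.get("encryption", {})
    if enc.get("keySource") != "Microsoft.Keyvault":
        return []  # Microsoft.Storage-managed keys: no vault prerequisites apply
    kv = enc.get("keyvaultproperties", {})
    problems = [f"encryption.keyvaultproperties.{f} is missing"
                for f in ("keyvaulturi", "keyname") if not kv.get(f)]
    vault_uri = json.loads(vault_json).get("properties", {}).get("vaultUri", "")
    if kv.get("keyvaulturi") and kv["keyvaulturi"].rstrip("/") != vault_uri.rstrip("/"):
        problems.append("keyvaulturi does not point at the inspected vault")
    if spec.get("identity", {}).get("type", "None") == "None":
        problems.append("account has no managed identity to access the key")
    return problems
```

Run `vault_problems` on the real vault output before applying the manifest; a non-empty list is the same condition the 409 above reports.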

ravichaudhary11 commented 2 days ago

Yes, both settings are enabled.