500 Server Error when creating Encryption scope for Storage account with UserAssigned identity
Describe the bug
While trying to create an encryption scope with a UserAssigned identity enabled Storage account, we are facing a 500 server error.
To Reproduce
keyvault_name="<some_existing_keyvault>"
# URL of a key uploaded to the Key Vault in advance
keyvault_key_url="https://${keyvault_name}.vault.azure.net/keys/888"
storacc="<any_valid_storacc_name>"
rg="<resource_group_name>" # existing resource group
region=germanywestcentral # region of resource group
identity_name=testidentity
# Creating the user-assigned managed identity
az identity create --name $identity_name --resource-group $rg
identity_resource_id=$(az identity show --name $identity_name --resource-group $rg | jq -r .id)
identity_client_id=$(az identity show --name $identity_name --resource-group $rg | jq -r .clientId)
# Setting access policy for Managed Identity
az keyvault set-policy --key-permissions get unwrapKey wrapKey --object-id $identity_client_id \
    --name $keyvault_name
# Creating Managed identity enabled storage account
az storage account create -n $storacc -g $rg -l $region --sku Standard_LRS \
    --identity-type UserAssigned \
    --user-identity-id $identity_resource_id
# Trying to create Encryption scope
az storage account encryption-scope create --name testencrscope \
    --account-name $storacc \
    --key-source Microsoft.KeyVault \
    --key-uri $keyvault_key_url \
    --require-infrastructure-encryption false \
    --resource-group $rg
(UnexpectedException) The server was unable to complete your request.
Code: UnexpectedException
Message: The server was unable to complete your request.
If we use the Azure CLI with the --debug argument for the last command, the output shows “500 Server Error”, so we assume that there are issues on the Azure side with creation of the encryption scope.
Expected behavior
Successfully created encryption scope
Environment summary
Commands are running in Azure Cloud Shell
az version
{
"azure-cli": "2.35.0",
"azure-cli-core": "2.35.0",
"azure-cli-telemetry": "1.0.6",
"extensions": {
"ai-examples": "0.2.5",
"ssh": "1.0.1"
}
}
Issue Analytics
- State:
- Created a year ago
- Comments:14 (8 by maintainers)
Top GitHub Comments
Support request number 2204270050002231
@jango-free Thanks for getting back. I will keep you posted about the fix for the User Managed Identity then. I don’t have any ETA as of now on when the fix will be released for your Storage tenant. I will update this github thread once I hear from the Product Group team. Sorry for the inconvenience.