
500 Server Error when creating Encryption scope for Storage account with UserAssigned identity


Describe the bug: While trying to create an encryption scope on a Storage account with a UserAssigned identity enabled, we are facing a 500 server error.

To Reproduce

keyvault_name=<some_existing_keyvault>

# URL to a key uploaded to the Key Vault in advance
keyvault_key_url=https://${keyvault_name}.vault.azure.net/keys/888

storacc=<any_valid_storacc_name>

rg=<resource_group_name>        # existing resource group
region=germanywestcentral       # region of the resource group

identity_name=testidentity

# Creating the user-assigned managed identity
az identity create --name "$identity_name" --resource-group "$rg"
identity_resource_id=$(az identity show --name "$identity_name" --resource-group "$rg" | jq -r .id)
# Key Vault access policies are keyed by the identity's object (principal) ID,
# not by its client/application ID, so read principalId here
identity_principal_id=$(az identity show --name "$identity_name" --resource-group "$rg" | jq -r .principalId)

# Setting access policy for the Managed Identity (least privilege for CMK: get, wrapKey, unwrapKey)
az keyvault set-policy --key-permissions get unwrapKey wrapKey --object-id "$identity_principal_id" \
    --name "$keyvault_name"

# Creating the Managed-identity-enabled storage account
az storage account create -n "$storacc" -g "$rg" -l "$region" --sku Standard_LRS \
    --identity-type UserAssigned \
    --user-identity-id "$identity_resource_id"

# Trying to create the encryption scope
az storage account encryption-scope create --name testencrscope \
                                           --account-name "$storacc" \
                                           --key-source Microsoft.KeyVault \
                                           --key-uri "$keyvault_key_url" \
                                           --require-infrastructure-encryption false \
                                           --resource-group "$rg"

(UnexpectedException) The server was unable to complete your request.
Code: UnexpectedException
Message: The server was unable to complete your request.

If the Azure CLI is run with the --debug argument for the last command, the output shows "500 Server Error", so we assume that there are issues on the Azure side with the creation of the encryption scope.

Expected behavior: Successfully created encryption scope

Environment summary: Commands are running in Azure Cloud Shell

az version
{
  "azure-cli": "2.35.0",
  "azure-cli-core": "2.35.0",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {
    "ai-examples": "0.2.5",
    "ssh": "1.0.1"
  }
}
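The reporter's diagnosis rests on the "500 Server Error" visible in `az ... --debug` output, and the maintainer's follow-up runs through a support request. What support actually needs from that output is the failing request's method and path, the HTTP status, and the `x-ms-request-id` / `x-ms-correlation-request-id` response headers, plus the ARM error body. The parser below is an added example, not part of the original issue and not Azure CLI code; it extracts exactly those fields. The debug transcript it runs on is constructed here in the shape of the azure-cli-core 2.x `sdk.policies` / `urllib3` logger lines (subscription, vault, account and request IDs are fake), so the exact logger names and line layout are assumptions to check against your own `--debug` output.

```python
"""Pull the failing ARM request's status, request ids and error body out of
`az <command> --debug` output so a 5xx can be reported with what support needs."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (assumed format of azure-cli-core 2.x debug logging; all IDs are fake).
SAMPLE_DEBUG = """\
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.Storage/storageAccounts/mystoracc/encryptionScopes/testencrscope?api-version=2021-09-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"source": "Microsoft.KeyVault", "keyVaultProperties": {"keyUri": "https://myvault.vault.azure.net/keys/888"}, "requireInfrastructureEncryption": false}}
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.Storage/storageAccounts/mystoracc/encryptionScopes/testencrscope?api-version=2021-09-01 HTTP/1.1" 500 None
cli.azure.cli.core.sdk.policies: Response status: 500
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '11111111-1111-1111-1111-111111111111'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '22222222-2222-2222-2222-222222222222'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"UnexpectedException","message":"The server was unable to complete your request."}}
"""

LOGGER_PREFIX = re.compile(r"^[A-Za-z0-9_.]+:\s?")        # "cli.azure...policies: " / "urllib3.connectionpool: "
HEADER_LINE = re.compile(r"^\s*'([^']+)':\s*'(.*)'$")       # "    'Name': 'value'"
CONN_LINE = re.compile(r'HTTP/1\.[01]"\s+(\d{3})\b')         # urllib3 "... HTTP/1.1" 500 None


@dataclass
class FailedRequest:
    method: Optional[str] = None
    url: Optional[str] = None
    status: Optional[int] = None
    request_id: Optional[str] = None
    correlation_id: Optional[str] = None
    error_code: Optional[str] = None
    error_message: Optional[str] = None

    @property
    def is_server_error(self) -> bool:
        return self.status is not None and 500 <= self.status < 600

    def support_summary(self) -> str:
        """One line for a support ticket: request, status, error and the two ids; no headers or body."""
        path = self.url.split("management.azure.com", 1)[-1] if self.url else "?"
        return (f"{self.method or '?'} {path} -> HTTP {self.status} "
                f"{self.error_code or ''}: {self.error_message or ''} "
                f"(x-ms-request-id={self.request_id}, "
                f"x-ms-correlation-request-id={self.correlation_id})")


def parse_az_debug(text: str) -> FailedRequest:
    """Walk the debug log line by line, tracking which section (request/response headers, body) we are in."""
    req = FailedRequest()
    section = None
    for raw in text.splitlines():
        line = LOGGER_PREFIX.sub("", raw, count=1)
        if line.startswith("Request URL:"):
            req.url = line.split("'", 2)[1]
            section = None
        elif line.startswith("Request method:"):
            req.method = line.split("'", 2)[1]
        elif line.startswith("Request headers:"):
            section = "request_headers"
        elif line.startswith("Request body:"):
            section = None
        elif line.startswith("Response status:"):
            req.status = int(line.split(":", 1)[1])
        elif line.startswith("Response headers:"):
            section = "response_headers"
        elif line.startswith("Response content:"):
            section = "response_content"
        elif CONN_LINE.search(line):
            # urllib3 line carries the status too; used when the policies logger lines are absent
            if req.status is None:
                req.status = int(CONN_LINE.search(line).group(1))
        elif section == "response_headers":
            m = HEADER_LINE.match(line)
            if m:
                name, value = m.group(1).lower(), m.group(2)
                if name == "x-ms-request-id":
                    req.request_id = value
                elif name == "x-ms-correlation-request-id":
                    req.correlation_id = value
        elif section == "response_content" and line.strip().startswith("{"):
            try:
                err = json.loads(line.strip()).get("error", {})
            except json.JSONDecodeError:
                err = {}
            req.error_code = err.get("code")
            req.error_message = err.get("message")
            section = None
    return req


if __name__ == "__main__":
    # Real use: az storage account encryption-scope create ... --debug 2> az-debug.log; then parse that file.
    print(parse_az_debug(SAMPLE_DEBUG).support_summary())
```

Only response headers are read, so the (masked) Authorization header and the request body never reach the summary; that keeps the pasted ticket text free of anything sensitive even if a future CLI version logs more than this one does.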

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments:14 (8 by maintainers)

Top GitHub Comments

1 reaction
jango-free commented, Apr 28, 2022

Support request number 2204270050002231

1 reaction
navba-MSFT commented, Apr 26, 2022

@jango-free Thanks for getting back. I will keep you posted about the fix for the User Managed Identity then. I don’t have any ETA as of now on when the fix will be released for your Storage tenant. I will update this github thread once I hear from the Product Group team. Sorry for the inconvenience.
