
az vm encryption enable- doesn't allow for different key vault resource group


Description

az vm encryption enable cmd does not allow specifying a different resource group for the key vault from the resource group the VM resides in. Az CLI 1.0 did allow for this. I can perform disk encryption via PowerShell though on the same VM and with the same Key Vault.


Environment summary

Install Method: used CloudShell
CLI Version: az --version 2.0
OS Version: Windows 10 15063.540
Shell Type: Cloud Shell in Azure portal

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 20 (8 by maintainers)

Top GitHub Comments

davids-p commented, Dec 16, 2019 (2 reactions)

I don’t see that a solution was provided here so I thought I’d post one:

In Azure CLI, when a Key Vault exists in a separate resource group, if you use the full Resource ID property of the Key Vault, instead of just the Key Vault name, it will work:

az vm encryption enable -g MyResourceGroupName --name MyVMName --disk-encryption-keyvault /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/MyResourceGroupName/providers/Microsoft.KeyVault/vaults/MyKeyVaultName
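
One way to apply this workaround in a script, as an added example that is not part of the issue thread: build the vault's full ARM resource ID from its parts, confirm it really points at a vault outside the VM's resource group, check that the vault is enabled for disk encryption (the other condition the error message in this thread names), and only then pass the ID to az vm encryption enable. Subscription, resource group, vault and VM names are placeholders; the `az` commands used are the standard ones.

```shell
#!/usr/bin/env sh
# Added example (not from the issue thread): enable Azure Disk Encryption with a
# Key Vault that lives in a different resource group than the VM, by passing the
# vault's full resource ID instead of its bare name.
set -eu

# Build a Key Vault ARM resource ID: $1 subscription id, $2 vault RG, $3 vault name.
keyvault_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Print the resource group embedded in a Key Vault resource ID.
# Fails (exit 1) if the ID is not a Microsoft.KeyVault/vaults ID.
keyvault_rg_from_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.KeyVault/vaults/*)
      rest=${1#/subscriptions/*/resourceGroups/}
      printf '%s' "${rest%%/*}" ;;
    *) return 1 ;;
  esac
}

# True when the vault's RG ($2 is the VM's RG) differs: the case the bare-name
# form of --disk-encryption-keyvault cannot express (malformed IDs also count).
vault_is_cross_rg() {
  [ "$(keyvault_rg_from_id "$1")" != "$2" ]
}

# $1 subscription id, $2 vault RG, $3 vault name, $4 VM RG, $5 VM name.
# Nothing talks to Azure until this function is called.
enable_ade() {
  vault_id=$(keyvault_id "$1" "$2" "$3")
  enabled=$(az keyvault show --name "$3" --resource-group "$2" \
              --query properties.enabledForDiskEncryption -o tsv)
  if [ "$enabled" != "true" ]; then
    echo "Key Vault $3 is not enabled for disk encryption; fix with:" >&2
    echo "  az keyvault update --name $3 --resource-group $2 --enabled-for-disk-encryption true" >&2
    return 1
  fi
  # The full ID stops the CLI from looking the vault up in the VM's RG ($4).
  az vm encryption enable -g "$4" --name "$5" --disk-encryption-keyvault "$vault_id"
}

# Example invocation (placeholders): uncomment to run against a real subscription.
# enable_ade 00000000-0000-0000-0000-000000000000 kv-rg my-vault vm-rg my-vm
```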

nahalf commented, Aug 25, 2017 (1 reaction)

@tjprescott I provided the resourceID in this format: /subscriptions/3fd58db1-6100-4fa1-b575-5856e3364898/resourceGroups/s00140nrgpkvt00001/providers/Microsoft.KeyVault/vaults/s00140cnkvt00001

I provided a value of TestRG for the VM resource group, and I received this error message: key Vault https://s00140cnkvt00001.vault.azure.net/secrets/7CFFFBA6-5ACA-41E5-9FAE-72E9CD7629F6/876d366d2a8446e696c2b58847c26ce7 either has not been enabled for Volume Encryption or the vault id provided does not match /subscriptions/3fd58db1-6100-4fa1-b575-5856e3364898/resourceGroups/TestRG/providers/Microsoft.KeyVault/vaults/s00140cnkvt00001’s true resource id.

So even though the resourceID indicates belonging to a different resource group, it is still attempting to find the key vault in the TestRG resource group, which makes it sound like there’s a bug.
