You want to change the encryption configuration for an Azure Storage account from Microsoft-managed key to Customer-managed key.
You click Customer-managed keys, you select a Key Vault and click Save
But you receive the below error,
Your system-assigned identity does not have access to the key vault. You can request access to the key vault by sending your admin the object ID from Identity under Security + networking when system-assigned status is enabled.
You have an issue, you can’t grant the storage account access to the KeyVault until a System Assigned Identity has been created, however, in this case we’re receiving an error that the Storage account does not have access to your Key Vault and therefore you need to grant access.
What you’ll find, that even though you receive the error above when clicking save, a system assigned Identity is created. So the process partially completes the setup but then errors, but the system assigned Identity is created.
- Go to your Key Vault
- Click Access Control (IAM) from the left pane if using RBAC and not access policies. If using the latter, click access policies from the left pane and configure your permissions accordingly.
- Click Add > Add Role Assignment
- Search for the role you wish to assign to the storage accounts system assigned Identity
- Click Next
- Click Managed Identity and +Select members
7. Click Next
8. From the Managed Identity drop down, select Storage Accounts and you should find your storage account System Assigned Identity listed
Hope this helps. See you at the next post.
