During my Azure Key Vault creation I correctly enabled the soft delete and purge protection features. However, when attaching CMKs created in the key vault to my Azure flexible MySQL server I always encounter the Invalid URL error indicating that I should enable the soft delete and purge protection features. Creating resources with Terraform or on the Azure Portal leads to this error.
Key vault Properties
I believe my key URL is correct following the azure key URL format:
https://alle-ai-kv-d797aa8292.vault.azure/keys/laravel-app-prod-attr1-attr2-cmk-key-v1/%5C%5C\<version-number>
az keyvault show --name alle-ai-kv-d797aa8292 --query "{softDelete:properties.enableSoftDelete, purgeProtection:properties.enablePurgeProtection}"
{
"purgeProtection": true,
"softDelete": true
}
Below is the recovery level of my key. Is this the right recovery level for Azure MySQL flexible server CMKs? If not, how do I modify the recovery level to the appropriate one?
az keyvault key show --vault-name alle-ai-kv-d797aa8292 --name laravel-app-prod-attr1-attr2-cmk-key-v1 --query "{recoveryLevel:attributes.recoveryLevel}"
{
"recoveryLevel": "CustomizedRecoverable"
}
Key permissions assigned to User Managed Identities include: ["Get", "WrapKey", "UnwrapKey", "Encrypt", "Decrypt", "Verify", "Sign", "List"]
Error message when creating the resource with Terraform:
│ Status: "SecurityInvalidAzureKeyVaultRecoveryLevel"
│ Code: ""
│ Message: "The provided Key Vault URL 'https://alle-ai-kv-d797aa8292.vault.azure/keys/laravel-app-prod-attr1-attr2-cmk-key-v1/'<version-number>' is not valid. Please ensure the key vault has been configured with soft-delete and purge protection. (https://aka.ms/sqltdebyoksoftdelete)."
│ Activity Id: ""
It is important to note that creating resources with Terraform or on the Azure Portal leads to the same error.
What am I missing or doing wrong that is leading to this error?
asked Feb 24 at 2:55 by Gyampoh Enoch
1 Answer
The provided key vault URL & Ensure the Key vault has been configured with Soft delete and Purge Protection in Azure
The key vault key could not be found because of a permission issue caused by the access policy that you used to access the key vault.
To assign a user-managed identity to fetch the key for data encryption, you need to use access configuration with RBAC authentication and a role instead of a vault access policy.
When I try using the access policy, even I get the same issue, mentioning that "not able to find the mentioned key under key vault", which in general happens due to permission issues.
As per the screenshot mentioned, it is necessary to use access configuration with the relevant role Key Vault Crypto Service Encryption User for the user-managed identity so that it can access the key without any permission issue.
The customizedRecoverable you got while executing the command also contributed to the issue: here you enabled soft deletion and purge protection, but when you did this is also considered, because we need to enable both before key creation.
But in your case, this customizedRecoverable occurs when you provide the soft deletion first, then you create the key, and purge protection is enabled later; in this case, when you run the command mentioned below, you will get customizedRecoverable.
az keyvault key show --vault-name testadsafafa --name testkey --query "{recoveryLevel:attributes.recoveryLevel}"
But in my case, I enabled both before the key creation, so I got this recoverable.
Once these two steps are achieved, we need to go for the data encryption in the MySQL flexible server as shown below.
Refer:
Set up Data Encryption By Using the Azure Portal - Azure Database for MySQL - Flexible Server | Microsoft Learn
https://learn.microsoft/en-us/azure/mysql/flexible-server/concepts-customer-managed-key#requirements-for-configuring-data-encryption-for-azure-database-for-mysql-flexible-server
?api-version=7.4 to your request and let me know it works or not? @Gyampoh – Pratik Jadhav Commented Feb 25 at 7:18
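A pre-flight check for the conditions discussed in the question and answer above, written as an added example (not code from the post or from Azure): it takes the parsed JSON of `az keyvault show` and `az keyvault key show` and reports what would block attaching the key. The sample inputs are constructed; the 30-day retention and the `enableRbacAuthorization` values are assumptions, and treating only `Recoverable` as acceptable follows the answer.

```python
import json

# Recovery level the answer reports for a key that works with data encryption.
REQUIRED_LEVEL = "Recoverable"
RBAC_ROLE = "Key Vault Crypto Service Encryption User"  # role named in the answer


def preflight(vault: dict, key: dict) -> list:
    """Return findings that would block CMK attachment; empty list means OK."""
    props = vault.get("properties", {})
    findings = []
    if not props.get("enableSoftDelete"):
        findings.append("vault: soft delete is not enabled")
    if not props.get("enablePurgeProtection"):
        findings.append("vault: purge protection is not enabled")
    if not props.get("enableRbacAuthorization"):
        findings.append(f"vault: access policies in use; assign '{RBAC_ROLE}' via RBAC")
    level = key.get("attributes", {}).get("recoveryLevel")
    if level != REQUIRED_LEVEL:
        # Key Vault documents CustomizedRecoverable as the level for a
        # soft-delete retention of 7 to under 90 days, so report the retention.
        days = props.get("softDeleteRetentionInDays")
        findings.append(
            f"key: recoveryLevel is {level!r}, expected {REQUIRED_LEVEL!r} "
            f"(vault retention: {days} days)"
        )
    return findings


# Constructed sample mirroring the question: both vault flags are true, yet the
# key reports CustomizedRecoverable (retention and RBAC values are assumed).
QUESTION_VAULT = json.loads("""{"properties": {"enableSoftDelete": true,
  "enablePurgeProtection": true, "enableRbacAuthorization": false,
  "softDeleteRetentionInDays": 30}}""")
QUESTION_KEY = json.loads('{"attributes": {"recoveryLevel": "CustomizedRecoverable"}}')

# Constructed sample of the setup the answer describes as working.
ANSWER_VAULT = json.loads("""{"properties": {"enableSoftDelete": true,
  "enablePurgeProtection": true, "enableRbacAuthorization": true,
  "softDeleteRetentionInDays": 90}}""")
ANSWER_KEY = json.loads('{"attributes": {"recoveryLevel": "Recoverable"}}')

if __name__ == "__main__":
    for finding in preflight(QUESTION_VAULT, QUESTION_KEY):
        print("FAIL", finding)
```

For the question's sample the vault flags pass and the findings concern the access model and the key's recovery level, which is why the error text about soft delete and purge protection is misleading on its own.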