Azure-docs: Set-AzureRmKeyVaultAccessPolicy ... -PermissionsToStorage all fails

Created on 21 Jun 2018 · 7Comments · Source: MicrosoftDocs/azure-docs

Running this on my machine, I receive an error when running this command: Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $userPrincipalId -PermissionsToStorage all

Details to come.

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ID: cebec73e-e7f4-75c5-2068-ae89f12d8d95
Version Independent ID: e2497a7b-3b5f-554a-1a31-da540740fcc9
Content: Azure Key Vault Storage Account Keys
Content Source: articles/key-vault/key-vault-ovw-storage-keys.md
Service: key-vault
GitHub Login: @lleonard-msft
Microsoft Alias: alleonar

assigned-to-author doc-enhancement key-vaulsvc triaged

Source

dneelyep

All 7 comments

Error message I receive:

Set-AzureRmKeyVaultAccessPolicy : Cannot validate argument on parameter 'PermissionsToStorage'. The argument "all" does not belong to the set
"get,list,delete,set,update,regeneratekey,getsas,listsas,deletesas,setsas,recover,backup,restore,purge" specified by the ValidateSet attribute. Supply an argument that is in the set and
then try the command again.

dneelyep on 21 Jun 2018

Output of calling Get-Module -List:

    Directory: C:\Program Files\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     0.5.1      Azure.AnalysisServices              {Add-AzureAnalysisServicesAccount, Restart-AzureAnalysisServicesInstance, Export-AzureAnalysisServicesInstanceLog, Sync-AzureAnal...
Script     0.5.0      Azure.AnalysisServices              {Add-AzureAnalysisServicesAccount, Restart-AzureAnalysisServicesInstance, Export-AzureAnalysisServicesInstanceLog, Sync-AzureAnal...
Script     4.3.0      Azure.Storage                       {Get-AzureStorageTable, New-AzureStorageTableSASToken, New-AzureStorageTableStoredAccessPolicy, New-AzureStorageTable...}
Script     4.1.1      Azure.Storage                       {Get-AzureStorageTable, New-AzureStorageTableSASToken, New-AzureStorageTableStoredAccessPolicy, New-AzureStorageTable...}
Script     6.2.1      AzureRM
Script     0.6.8      AzureRM.AnalysisServices            {Resume-AzureRmAnalysisServicesServer, Suspend-AzureRmAnalysisServicesServer, Get-AzureRmAnalysisServicesServer, Remove-AzureRmAn...
Script     6.1.0      AzureRM.ApiManagement               {Add-AzureRmApiManagementRegion, Get-AzureRmApiManagementSsoToken, New-AzureRmApiManagementHostnameConfiguration, New-AzureRmApiM...
Script     0.1.4      AzureRM.ApplicationInsights         {Get-AzureRmApplicationInsights, New-AzureRmApplicationInsights, Remove-AzureRmApplicationInsights, Set-AzureRmApplicationInsight...
Script     5.0.0      AzureRM.Automation                  {Get-AzureRMAutomationHybridWorkerGroup, Get-AzureRmAutomationJobOutputRecord, Import-AzureRmAutomationDscNodeConfiguration, Expo...
Script     4.0.5      AzureRM.Backup                      {Backup-AzureRmBackupItem, Enable-AzureRmBackupContainerReregistration, Get-AzureRmBackupContainer, Register-AzureRmBackupContain...
Script     4.1.0      AzureRM.Batch                       {Remove-AzureRmBatchAccount, Get-AzureRmBatchAccount, Get-AzureRmBatchAccountKeys, New-AzureRmBatchAccount...}
Script     0.14.2     AzureRM.Billing                     {Get-AzureRmBillingInvoice, Get-AzureRmBillingPeriod, Get-AzureRmEnrollmentAccount}
Script     5.0.0      AzureRM.Cdn                         {Get-AzureRmCdnProfile, Get-AzureRmCdnProfileSsoUrl, New-AzureRmCdnProfile, Remove-AzureRmCdnProfile...}
Script     0.9.5      AzureRM.CognitiveServices           {Get-AzureRmCognitiveServicesAccount, Get-AzureRmCognitiveServicesAccountKey, Get-AzureRmCognitiveServicesAccountSkus, Get-AzureR...
Script     5.1.0      AzureRM.Compute                     {Remove-AzureRmAvailabilitySet, Get-AzureRmAvailabilitySet, New-AzureRmAvailabilitySet, Update-AzureRmAvailabilitySet...}
Script     0.3.3      AzureRM.Consumption                 Get-AzureRmConsumptionUsageDetail
Script     0.2.6      AzureRM.ContainerInstance           {New-AzureRmContainerGroup, Get-AzureRmContainerGroup, Remove-AzureRmContainerGroup, Get-AzureRmContainerInstanceLog}
Script     1.0.5      AzureRM.ContainerRegistry           {New-AzureRmContainerRegistry, Get-AzureRmContainerRegistry, Update-AzureRmContainerRegistry, Remove-AzureRmContainerRegistry...}
Script     5.0.0      AzureRM.DataFactories               {Remove-AzureRmDataFactory, Get-AzureRmDataFactoryRun, Get-AzureRmDataFactorySlice, Save-AzureRmDataFactoryLog...}
Script     0.5.5      AzureRM.DataFactoryV2               {Set-AzureRmDataFactoryV2, Update-AzureRmDataFactoryV2, Get-AzureRmDataFactoryV2, Remove-AzureRmDataFactoryV2...}
Script     5.0.0      AzureRM.DataLakeAnalytics           {Get-AzureRmDataLakeAnalyticsDataSource, New-AzureRmDataLakeAnalyticsCatalogCredential, Remove-AzureRmDataLakeAnalyticsCatalogCre...
Script     6.0.1      AzureRM.DataLakeStore               {Get-AzureRmDataLakeStoreTrustedIdProvider, Remove-AzureRmDataLakeStoreTrustedIdProvider, Remove-AzureRmDataLakeStoreFirewallRule...
Script     4.0.5      AzureRM.DevTestLabs                 {Get-AzureRmDtlAllowedVMSizesPolicy, Get-AzureRmDtlAutoShutdownPolicy, Get-AzureRmDtlAutoStartPolicy, Get-AzureRmDtlVMsPerLabPoli...
Script     5.0.0      AzureRM.Dns                         {Get-AzureRmDnsRecordSet, New-AzureRmDnsRecordConfig, Remove-AzureRmDnsRecordSet, Set-AzureRmDnsRecordSet...}
Script     0.3.3      AzureRM.EventGrid                   {New-AzureRmEventGridTopic, Get-AzureRmEventGridTopic, Set-AzureRmEventGridTopic, New-AzureRmEventGridTopicKey...}
Script     0.6.4      AzureRM.EventHub                    {New-AzureRmEventHubNamespace, Get-AzureRmEventHubNamespace, Set-AzureRmEventHubNamespace, Remove-AzureRmEventHubNamespace...}
Script     4.1.3      AzureRM.HDInsight                   {Get-AzureRmHDInsightJob, New-AzureRmHDInsightSqoopJobDefinition, Wait-AzureRmHDInsightJob, New-AzureRmHDInsightStreamingMapReduc...
Script     5.0.0      AzureRM.Insights                    {Get-AzureRmMetricDefinition, Get-AzureRmMetric, Remove-AzureRmLogProfile, Get-AzureRmLogProfile...}
Script     3.1.3      AzureRM.IotHub                      {Add-AzureRmIotHubKey, Get-AzureRmIotHubEventHubConsumerGroup, Get-AzureRmIotHubConnectionString, Get-AzureRmIotHubJob...}
Script     5.0.1      AzureRM.KeyVault                    {Add-AzureKeyVaultCertificate, Update-AzureKeyVaultCertificate, Stop-AzureKeyVaultCertificateOperation, Get-AzureKeyVaultCertific...
Script     4.0.4      AzureRM.LogicApp                    {Get-AzureRmIntegrationAccountAgreement, Get-AzureRmIntegrationAccountCallbackUrl, Get-AzureRmIntegrationAccountCertificate, Get-...
Script     0.18.0     AzureRM.MachineLearning             {Move-AzureRmMlCommitmentAssociation, Get-AzureRmMlCommitmentAssociation, Get-AzureRmMlCommitmentPlanUsageHistory, Remove-AzureRm...
Script     0.4.3      AzureRM.MachineLearningCompute      {Get-AzureRmMlOpCluster, Get-AzureRmMlOpClusterKey, Test-AzureRmMlOpClusterSystemServicesUpdateAvailability, Update-AzureRmMlOpCl...
Script     0.2.2      AzureRM.MarketplaceOrdering         {Get-AzureRmMarketplaceTerms, Set-AzureRmMarketplaceTerms}
Script     0.10.0     AzureRM.Media                       {Sync-AzureRmMediaServiceStorageKeys, Set-AzureRmMediaServiceKey, Get-AzureRmMediaServiceKeys, Get-AzureRmMediaServiceNameAvailab...
Script     6.2.0      AzureRM.Network                     {Add-AzureRmApplicationGatewayAuthenticationCertificate, Get-AzureRmApplicationGatewayAuthenticationCertificate, New-AzureRmAppli...
Script     5.0.0      AzureRM.NotificationHubs            {Get-AzureRmNotificationHub, Get-AzureRmNotificationHubAuthorizationRules, Get-AzureRmNotificationHubListKeys, Get-AzureRmNotific...
Script     5.0.1      AzureRM.OperationalInsights         {New-AzureRmOperationalInsightsAzureActivityLogDataSource, New-AzureRmOperationalInsightsCustomLogDataSource, Disable-AzureRmOper...
Script     4.1.5      AzureRM.PowerBIEmbedded             {Remove-AzureRmPowerBIWorkspaceCollection, Get-AzureRmPowerBIWorkspaceCollection, Get-AzureRmPowerBIWorkspaceCollectionAccessKeys...
Script     5.2.0      AzureRM.profile                     {Disable-AzureRmDataCollection, Disable-AzureRmContextAutosave, Enable-AzureRmDataCollection, Enable-AzureRmContextAutosave...}
Script     4.1.3      AzureRM.RecoveryServices            {Get-AzureRmRecoveryServicesBackupProperty, Get-AzureRmRecoveryServicesVault, Get-AzureRmRecoveryServicesVaultSettingsFile, New-A...
Script     4.1.3      AzureRM.RecoveryServices.Backup     {Backup-AzureRmRecoveryServicesBackupItem, Get-AzureRmRecoveryServicesBackupManagementServer, Get-AzureRmRecoveryServicesBackupCo...
Script     0.2.5      AzureRM.RecoveryServices.SiteRec... {Edit-AzureRmRecoveryServicesAsrRecoveryPlan, Get-AzureRmRecoveryServicesAsrAlertSetting, Get-AzureRmRecoveryServicesAsrEvent, Ge...
Script     5.0.0      AzureRM.RedisCache                  {Remove-AzureRmRedisCachePatchSchedule, New-AzureRmRedisCacheScheduleEntry, Get-AzureRmRedisCachePatchSchedule, New-AzureRmRedisC...
Script     0.3.4      AzureRM.Relay                       {New-AzureRmRelayNamespace, Get-AzureRmRelayNamespace, Set-AzureRmRelayNamespace, Remove-AzureRmRelayNamespace...}
Script     6.1.0      AzureRM.Resources                   {Get-AzureRmProviderOperation, Remove-AzureRmRoleAssignment, Get-AzureRmRoleAssignment, New-AzureRmRoleAssignment...}
Script     0.16.5     AzureRM.Scheduler                   {Disable-AzureRmSchedulerJobCollection, Enable-AzureRmSchedulerJobCollection, Get-AzureRmSchedulerJobCollection, Get-AzureRmSched...
Script     0.6.5      AzureRM.ServiceBus                  {New-AzureRmServiceBusNamespace, Get-AzureRmServiceBusNamespace, Set-AzureRmServiceBusNamespace, Remove-AzureRmServiceBusNamespac...
Script     0.3.6      AzureRM.ServiceFabric               {Add-AzureRmServiceFabricApplicationCertificate, Add-AzureRmServiceFabricClientCertificate, Add-AzureRmServiceFabricClusterCertif...
Script     4.6.0      AzureRM.Sql                         {Get-AzureRmSqlDatabaseTransparentDataEncryption, Get-AzureRmSqlDatabaseTransparentDataEncryptionActivity, Set-AzureRmSqlDatabase...
Script     5.0.0      AzureRM.Storage                     {Get-AzureRmStorageAccount, Get-AzureRmStorageAccountKey, New-AzureRmStorageAccount, New-AzureRmStorageAccountKey...}
Script     4.0.5      AzureRM.StreamAnalytics             {Get-AzureRmStreamAnalyticsFunction, Get-AzureRmStreamAnalyticsDefaultFunctionDefinition, New-AzureRmStreamAnalyticsFunction, Rem...
Script     4.0.2      AzureRM.Tags                        {Remove-AzureRmTag, Get-AzureRmTag, New-AzureRmTag}
Script     4.0.5      AzureRM.TrafficManager              {Disable-AzureRmTrafficManagerEndpoint, Enable-AzureRmTrafficManagerEndpoint, Set-AzureRmTrafficManagerEndpoint, Get-AzureRmTraff...
Script     4.0.3      AzureRM.UsageAggregates             Get-UsageAggregates
Script     5.0.2      AzureRM.Websites                    {Get-AzureRmAppServicePlan, Set-AzureRmAppServicePlan, New-AzureRmAppServicePlan, Remove-AzureRmAppServicePlan...}
Binary     1.0.0.1    PackageManagement                   {Find-Package, Get-Package, Get-PackageProvider, Get-PackageSource...}
Binary     1.0.0.1    PackageManagement                   {Find-Package, Get-Package, Get-PackageProvider, Get-PackageSource...}
Script     0.7.3      posh-git                            {Invoke-NullCoalescing, Add-PoshGitToProfile, Get-PromptPath, Write-GitStatus...}
Script     1.0.0.1    PowerShellGet                       {Install-Module, Find-Module, Save-Module, Update-Module...}
Script     1.0.0.1    PowerShellGet                       {Install-Module, Find-Module, Save-Module, Update-Module...}


    Directory: C:\windows\system32\WindowsPowerShell\v1.0\Modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   1.0.0.0    AppLocker                           {Set-AppLockerPolicy, Get-AppLockerPolicy, Test-AppLockerPolicy, Get-AppLockerFileInformation...}
Manifest   1.0.0.0    BitsTransfer                        {Add-BitsFile, Remove-BitsTransfer, Complete-BitsTransfer, Get-BitsTransfer...}
Manifest   1.0.0.0    CimCmdlets                          {Get-CimAssociatedInstance, Get-CimClass, Get-CimInstance, Get-CimSession...}
Script     1.0.0.0    ISE                                 {New-IseSnippet, Import-IseSnippet, Get-IseSnippet}
Manifest   1.0.1.0    Microsoft.PowerShell.Archive        {Compress-Archive, Expand-Archive}
Manifest   3.0.0.0    Microsoft.PowerShell.Diagnostics    {Get-WinEvent, Get-Counter, Import-Counter, Export-Counter...}
Manifest   3.0.0.0    Microsoft.PowerShell.Host           {Start-Transcript, Stop-Transcript}
Manifest   1.0.0.0    Microsoft.PowerShell.LocalAccounts  {Add-LocalGroupMember, Disable-LocalUser, Enable-LocalUser, Get-LocalGroup...}
Manifest   3.1.0.0    Microsoft.PowerShell.Management     {Add-Content, Clear-Content, Clear-ItemProperty, Join-Path...}
Script     1.0        Microsoft.PowerShell.ODataUtils     Export-ODataEndpointProxy
Manifest   3.0.0.0    Microsoft.PowerShell.Security       {Get-Acl, Set-Acl, Get-PfxCertificate, Get-Credential...}
Manifest   3.1.0.0    Microsoft.PowerShell.Utility        {Format-List, Format-Custom, Format-Table, Format-Wide...}
Manifest   3.0.0.0    Microsoft.WSMan.Management          {Disable-WSManCredSSP, Enable-WSManCredSSP, Get-WSManCredSSP, Set-WSManQuickConfig...}
Manifest   1.0.0.0    NetworkSwitchManager                {Disable-NetworkSwitchEthernetPort, Enable-NetworkSwitchEthernetPort, Get-NetworkSwitchEthernetPort, Remove-NetworkSwitchEthernet...
Manifest   1.1        PSDesiredStateConfiguration         {Set-DscLocalConfigurationManager, Start-DscConfiguration, Test-DscConfiguration, Publish-DscConfiguration...}
Script     1.0.0.0    PSDiagnostics                       {Disable-PSTrace, Disable-PSWSManCombinedTrace, Disable-WSManTrace, Enable-PSTrace...}
Binary     1.1.0.0    PSScheduledJob                      {New-JobTrigger, Add-JobTrigger, Remove-JobTrigger, Get-JobTrigger...}
Manifest   2.0.0.0    PSWorkflow                          {New-PSWorkflowExecutionOption, New-PSWorkflowSession, nwsn}
Manifest   1.0.0.0    PSWorkflowUtility                   Invoke-AsWorkflow
Manifest   1.0.0.0    TroubleshootingPack                 {Get-TroubleshootingPack, Invoke-TroubleshootingPack}
Manifest   1.0.0.0    WebAdministration                   {Start-WebCommitDelay, Stop-WebCommitDelay, Get-WebConfigurationLock, Remove-WebConfigurationLock...}


    Directory: C:\Users\NeelD\.vscode\extensions\ms-vscode.powershell-1.7.0\modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.1.3      Plaster                             {Invoke-Plaster, New-PlasterManifest, Get-PlasterTemplate, Test-PlasterManifest}
Script     1.7.0      PowerShellEditorServices            {Start-EditorServicesHost, Get-PowerShellEditorServicesVersion, Compress-LogDir}
Script     0.2.0      PowerShellEditorServices.VSCode     {New-VSCodeHtmlContentView, Show-VSCodeHtmlContentView, Close-VSCodeHtmlContentView, Set-VSCodeHtmlContentView...}
Script     1.16.1     PSScriptAnalyzer                    {Get-ScriptAnalyzerRule, Invoke-ScriptAnalyzer, Invoke-Formatter}

dneelyep on 21 Jun 2018

To work around this, I used this command instead, which seemed to work:
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $userPrincipalId -PermissionsToStorage get,list,delete,set,update,regeneratekey,getsas,listsas,deletesas,setsas,recover,backup,restore,purge

dneelyep on 21 Jun 2018

👍1

@dneelyep Thanks for your feedback! We will investigate and update as appropriate.

MohitGargMSFT on 21 Jun 2018

👍1

@dneelyep I am also getting the same error with the AzureRM.KeyVault version 5.0.1. I have assigned this issue to content author to investigate and update the document as appropriate.

SaurabhSharma-MSFT on 22 Jun 2018

👍1

Same error here.

`> Get-Module | ? name -eq AzureRM.KeyVault

ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 5.0.2 AzureRM.KeyVault {Add-AzureKeyVaultCertificate, Add-AzureKeyVaultCertificateContact, Add-AzureKeyVaultKey, Add-AzureKeyVaultManagedStorageAccount...} `

The following works
> Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $userPrincipalId -PermissionsToStorage get,list,delete,set,update,regeneratekey,getsas,listsas,deletesas,setsas,recover,backup,restore,purge

mb01r on 18 Jul 2018

All - Please accept our apologies for the long delay on this. I've gone through all of the Key Vault articles, including the one identified in this issue, and resolved the "all" permission string issue. These changes will publish within the next 24 hours. As such, this issue will be closed now, but please let us know if you have any additional questions or concerns. Thanks again for reporting this and for your patience.