Azure-docs: Managed storage account keys using service principal

Created on 2 Mar 2019 · 18 Comments · Source: MicrosoftDocs/azure-docs

Hello! I am facing this issue when following the steps in doc https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-keys.

In the Add-AzureKeyVaultManagedStorageAccount step with auto-generate key, I am getting the below error from PS:

Add-AzureKeyVaultManagedStorageAccount : Key Vault is unable to perform the action on behalf of the caller.Please contact your administrator for more details

This seems to be an issue when doing the Managed Storage account with a service principal (for automation purposes) instead of a user. I tried with a user and it worked. It is failing only when using an SP.

Adding my whole script:

1) az login --service-principal -u "xxxxxxxxxxxxx" -p "xxxxxxxxxxxxxxxx" --tenant "xxxxxxxxxxxxxxxxxx"

2) az role assignment create --role 'Storage Account Key Operator Service Role' --assignee-object-id "xxxxxxxxxxxxx" --scope "xxxxxxxxxxxxx"

3) az keyvault set-policy -n "ContosoKV" --spn "xxxxxxxxxxxxxxxxxx" --storage-permissions set get list regeneratekey --key-permissions decrypt sign get unwrapKey

4) az keyvault storage add --vault-name "ContosoKV" -n "contosokeyvaultlogs" --active-key-name key1 --auto-regenerate-key --regeneration-period P90D --resource-id "xxxxxxxxxxxxxxxxxxxxxxxxxx"

Output on 4th step:

Key Vault is unable to perform the action on behalf of the caller.Please contact your administrator for more details.

Any advice? Related posts: #8179 #8015
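The failure reported in this issue surfaces only at step 4, with an error message that does not name the real cause (the signed-in identity is a service principal). The following script is an added example, not part of the original issue or of the Azure CLI: it wraps `az keyvault storage add` in a preflight check that reads the principal type from `az account show --output json` and refuses to run the onboarding step as a service principal, so a pipeline fails with an explicit message instead. The vault name, account name and resource id are passed as arguments; the `SAMPLE_*_JSON` strings are constructed, not captured from a real tenant, and exist only so the text-processing functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: preflight check for Key Vault managed storage onboarding.
# Assumes the Azure CLI (`az`) is installed and already logged in when run with --run.
set -euo pipefail

# Extract "user.type" from `az account show --output json` output.
# Known values are "user" and "servicePrincipal". Pure text processing (sed only),
# so it can be tested without Azure access.
principal_type_from_account_json() {
  # $1: JSON string as printed by `az account show --output json`
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"user"[[:space:]]*:[[:space:]]*{[^}]*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Returns 0 only for a user principal, which this thread reports is the one
# identity type that can onboard a managed storage account.
can_onboard_managed_storage() {
  case "$1" in
    user) return 0 ;;
    *) return 1 ;;
  esac
}

# Map the CLI error text to a short label so pipeline logs are actionable.
classify_add_error() {
  case "$1" in
    *"unable to perform the action on behalf of the caller"*) echo "caller-not-supported" ;;
    *Forbidden*) echo "forbidden" ;;
    *) echo "unknown" ;;
  esac
}

# Usage: onboard_managed_storage VAULT_NAME STORAGE_ACCOUNT_NAME STORAGE_RESOURCE_ID
onboard_managed_storage() {
  local vault="$1" name="$2" resource_id="$3"
  local account_json ptype err
  account_json="$(az account show --output json)"
  ptype="$(principal_type_from_account_json "$account_json")"
  if ! can_onboard_managed_storage "$ptype"; then
    echo "refusing: signed-in principal type is '${ptype:-unknown}';" \
         "Key Vault managed storage onboarding needs a user account" >&2
    return 2
  fi
  # Same parameters as step 4 of the issue; the error text is captured and classified.
  if ! err="$(az keyvault storage add --vault-name "$vault" -n "$name" \
        --active-key-name key1 --auto-regenerate-key --regeneration-period P90D \
        --resource-id "$resource_id" 2>&1)"; then
    echo "az keyvault storage add failed ($(classify_add_error "$err")): $err" >&2
    return 1
  fi
}

# Constructed sample outputs (placeholder ids, not a real tenant) for offline checks.
SAMPLE_SP_JSON='{"environmentName":"AzureCloud","isDefault":true,"name":"Contoso","tenantId":"00000000-0000-0000-0000-000000000000","user":{"name":"11111111-1111-1111-1111-111111111111","type":"servicePrincipal"}}'
SAMPLE_USER_JSON='{"environmentName":"AzureCloud","isDefault":true,"name":"Contoso","tenantId":"00000000-0000-0000-0000-000000000000","user":{"name":"alice@contoso.example","type":"user"}}'

# Run the real onboarding only when invoked as: ./script.sh --run VAULT NAME RESOURCE_ID
if [ "${1:-}" = "--run" ]; then
  onboard_managed_storage "$2" "$3" "$4"
fi
```

The check costs one extra `az account show` call and turns the opaque "on behalf of the caller" failure into a deterministic, early exit that names the identity type, which is what a CI job needs to surface the limitation rather than retry it.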


Pri2 assigned-to-author awaiting-product-team-response cxp doc-enhancement in-progress key-vaulsvc triaged

Most helpful comment

Very frustrating this can’t be done with SP

All 18 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

@FabianGCZ I am looking into this with the product team and will keep you posted.

Hi @FabianGCZ ,

The reason you are having this issue is because this needs to be done with a user account and not a service principal. @prashanthyv is adding a note in the document to clarify this.

Hello Marilee, just talked to Prashanth and confirmed this is not supported atm. Thanks.

Service principals used to be supported. Are there any plans to bring that functionality back?

Hi @bernitorres - using a Service Principal to ask Key Vault to manage a storage account was not.

Thanks @prashanthyv. I must have misunderstood some docs.
Are there any plans for that functionality? In particular, I would like to set up a managed storage account in KeyVault, using Azure DevOps, which has a service principal with access to my subscription already. What would be the best way to enable this automation?

I'm in need of the same functionality as @bernitorres @FabianGCZ. Have any of you found a way to do this, or has it been a functionality already added?

Same problem here, I'm trying to automate this step on our pipelines, since our apps are connecting to a storage account with key vault. Is there any plan to enable this in the near future? Is there any recommendation on how to handle this on CI/CD pipelines?

It's not possible to create a KeyVaultManagedStorageAccount with an ARM template, and it's also not possible to create it with a Service Principal. Could you please advise what is the best practice for deploying it? Especially considering that usually all CI pipelines are using an SP.

@prashanthyv @MarileeTurscak-MSFT

I think fixing this should be a higher priority. Microsoft frequently promotes Service Principals / Managed Identities for use in automation, but this is a bit of a showstopper (at least when it comes to using Key Vault to manage access to storage accounts).

@vitalii-lebedev I guess the only workaround for now would be to create a special "key vault storage automation" user account. I haven't tried it yet, but I'm thinking something like this would work in automation scripts:

Acting as a service principal:

  • Create the key vault and storage account
  • Give an appropriate role assignment to the "key vault storage automation" user account so that it can run az keyvault storage add / Add-AzKeyVaultManagedStorageAccount.
  • Login with "key vault automation" username/password (must have 2FA disabled)

Acting as "key vault automation" user:

  • Run az keyvault storage add / Add-AzKeyVaultManagedStorageAccount
  • Log back in with service principal credentials

Acting as a service principal:

  • Continue running any additional commands in your automation scripts.

The above process strikes me as less secure than using a service principal to add Key Vault managed storage.

Very frustrating this can’t be done with SP

When can we expect this to work for managed identities or service principals? Running one-off commands with a "user" account is less secure and unnecessarily complicated for CI/CD.

We _were_ planning on having auto rotate setup on all our storage accounts by default with an aggressive regeneration period _($1 per key rotation)_ . I suspect we are not the only large enterprise that would leverage this feature if it's fixed.

Given the fact that ARM templates do not support AKV Managed Storage Account creation, I was hoping to get at least partial unattended automation using Az cmdlets. Our team is managing 1000+ AKV managed storage accounts. I spent two nights finding out what I was doing wrong until I arrived at this thread. However, reading this, I give up. It looks like there is really no way to create them without a user principal and thus in a fully automated manner, such as using Azure DevOps pipelines. Still adding my vote for this capability to allow an SP to create managed SAs.
If an SP can be the owner of the entire subscription and do anything with resources, I really don't see any point in preventing the SP from doing this.

Are there any updates on this? Are there any plans to add the ability for Service Principals to create Managed Storage Accounts in the near future? @MarileeTurscak-MSFT @prashanthyv

I'd rather just handle this myself at this point, but there doesn't seem to be a public API to swap the keys to achieve this same effect (you can regenerate them, but you can't swap key2 into key1), so whatever this process does has access to things that we otherwise can't do.

We are developing an enterprise cloud based app based completely on Azure services. We need this functionality. Will this be added? @MarileeTurscak-MSFT @prashanthyv

I'm getting the error
Get-AzKeyVaultManagedStorageAccount : Operation returned an invalid status code 'Forbidden'
when running the command from an automation runbook, logged in to Azure with the SP for the automation account. The same command works when running under a user account with the same permissions (RBAC and access policy).

I guess this is because an SP is not supported for this as well?

If so, please take this as +1 for supporting SP when dealing with keyVault management of keys of storage account.

Thank you
