Azure-docs: What does "data" mean?
This wording is ambiguous: If the namespace contains data, then the encryption operation will fail
Does "data" mean messages? Or any entities (queues, topics, subscriptions, filters, SAPs) or both?
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 1db9116e-3b52-6b12-3de0-df30c02cd4bb
- Version Independent ID: 45d2a29c-f5f2-6908-1db6-1a7c161bc04f
- Content: Configure your own key for encrypting Azure Service Bus data at rest - Azure Service Bus
- Content Source: articles/service-bus-messaging/configure-customer-managed-key.md
- Service: service-bus-messaging
- GitHub Login: @axisc
- Microsoft Alias: aschhab
DanielLarsenNZ
All 7 comments
@DanielLarsenNZ I believe "data" refers to messages here which are the ones stored in Azure Storage in the Premium Tier. The "entities" are metadata tied to a namespace as ARM resources.
@axisc @spelluru Could you confirm?
PramodValavala-MSFT
on 5 Aug 2020
Please confirm because customer has got error when attempting to add CMK when queues/topics are empty.
DanielLarsenNZ
on 5 Aug 2020
@PramodValavala-MSFT - FYI
While attempting to apply CMK to an existing Service Bus instance we are getting the following error
BadRequest: <Error><Code>400</Code><Detail>Generic: Update to key encryption is not allowed for '<resourcename>'. There are resources already in the namespace.
The Resource is question
- is a 'Premium' Service Bus Namespace
- has 5 Topics
- has atleast 1 subscription per topic
- all topics have 'Zero' messages - and NO Deadletter messages
Have proven it works fine if NO Topics or Queues exist
Can we please get some clarity on what 'data' and\or 'empty namespace' really means. The encryption can only be enabled for new or _empty namespaces_. If the namespace contains _data_, then the encryption operation will fail.
As you pointed out _entities are metadata_ and that is exactly what my understanding was until this error.
Hope this helps explain the ambiguity
hitsy
on 6 Aug 2020
Thank you @hitsy, @PramodValavala-MSFT I have also just created a new Premium Service Namespace, added one queue, have not sent any messages. Then when attempting to enable CMK I get this error:
<Error><Code>400</Code><Detail>Generic: Update to key encryption is not allowed for 'hellocmk'.
There are resources already in the namespace. TrackingId:f930d37e-9fa1-4f47-b38b-5f433566c1df_M7SN1_G5S1,
SystemTracker:hellocmk.servicebus.windows.net:$tenants/hellocmk, Timestamp:2020-08-05T22:00:13</Detail></Error>
CorrelationId: 12f10af8-2b4f-4833-9e8c-01d336f3fcaa
I deleted the Queue and was able to enable CMK after that.
DanielLarsenNZ
on 6 Aug 2020
@DanielLarsenNZ @hitsy Apologies for the long wait but I can now confirm that this is the expected behavior. As you have already observed, the namespace either must be new or empty for CMK to be enabled. So, any entities present will block this operation.
We will work up a PR to update the docs accordingly.
PramodValavala-MSFT
on 10 Aug 2020
We have worked up a PR to address this, which once merged should reflect in a couple of hours.
We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
PramodValavala-MSFT
on 10 Aug 2020
Related issues
jharbieh
·
3Comments
monteledwards
·
3Comments
bdcoder2
·
3Comments
DeepPuddles
·
3Comments
jebeld17
·
3Comments
Most helpful comment
We have worked up a PR to address this, which once merged should reflect in a couple of hours.
We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.