
Feature: Storage Account Creation with Encryption using Customer Managed Keys #4122

Open
ravichaudhary11 opened this issue Jun 24, 2024 · 5 comments
Labels
new-feature question Further information is requested waiting-on-user-response Waiting on more information from the original user before progressing.

Comments

@ravichaudhary11
Copy link

ravichaudhary11 commented Jun 24, 2024

I am trying to create a storage account that uses customer-managed keys for encryption. Azure Service Operator v2.7.0.

apiVersion: storage.azure.com/v1api20230101
kind: StorageAccount
metadata:
  name: standardcmk
  namespace: test
spec:
  azureName: clusterstandardcmk
  originalVersion: v1api20230101
  accessTier: Hot
  publicNetworkAccess: Disabled
  allowBlobPublicAccess: false
  location: westeurope
  kind: StorageV2
  sku:
    name: Standard_LRS
  owner:
    armId: /subscriptions/SUB_ID/resourceGroups/my-rg
  identity:
    type: UserAssigned
    principalId: Principal_ID
    tenantId: Tenant-ID
    userAssignedIdentity: /subscriptions/SUB-ID/resourcegroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tst-identity
  encryption:
    keySource: Microsoft.Keyvault
    keyvaultproperties:
      keyvaulturi: https://vault_url
      keyname: ts-key-cmk
      keyversion: 9f56363yfhioh947990
    services:
      blob:
        keyType: Account
        enabled: true

Expected behaviour
The account should get created with CMK.

Error
Missing pre-requisites to enable EncryptionAtRest/Customer Managed Key for this storage account. For more information, see - https://aka.ms/storagecmkconfiguration

RESPONSE 409: 409 Conflict
ERROR CODE: FeatureNotSupportedForAccount

@matthchr
Copy link
Member

matthchr commented Jul 1, 2024

Using customer-managed keys with Azure Storage encryption requires that both soft delete and purge protection be enabled for the key vault.

From the referenced aka.ms link, does your KeyVault have the correct configuration as per the requirements from storage?

@matthchr matthchr added question Further information is requested waiting-on-user-response Waiting on more information from the original user before progressing. and removed needs-triage 🔍 labels Jul 1, 2024
@ravichaudhary11
Copy link
Author

Yes, both settings are enabled.

@matthchr
Copy link
Member

matthchr commented Jul 8, 2024

Have you also performed the required identity steps documented here?

It may be worth raising a support ticket on the StorageAccount. ASO is just sending this request to Azure and it is the Azure Storage service which is rejecting the request with an error. Unfortunately the error says "you must meet these prerequisites" but there are 4-5 different ones and it's not clear which one(s) you haven't satisfied.

Alternatively, you can look at this ARM template example for storage accounts + CMK - you should be able to translate most/all of that into ASO resources. Possibly something in that template will jump out at you that you have not yet done via ASO.

@ravichaudhary11
Copy link
Author

ravichaudhary11 commented Jul 11, 2024

Yes, I granted the mentioned role "Key Vault Crypto Service Encryption User" to the user-assigned identity on the key vault.
And the key vault has soft-delete enabled and purge-protection enabled.

So the above three conditions are satisfied. Do you have other prerequisites as well? I see in the document these 3 are mentioned and satisfied.
If there are others then please mention them here.

@matthchr
Copy link
Member

We're not sure what option you don't have set, but the storage API is rejecting the request because of the KeyVault configuration.

As mentioned above, I recommend raising a support ticket for the StorageAccount and asking the support engineer to check which option is not configured correctly on the KeyVault.
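Added example (not part of the issue thread or of ASO): a preflight check for the three CMK prerequisites discussed above (key vault soft delete, purge protection, and the user-assigned identity holding "Key Vault Crypto Service Encryption User" on the vault), run before applying the StorageAccount. It evaluates dictionaries shaped like the JSON from `az keyvault show`, `az identity show` and `az role assignment list --scope <vault id>`; the field names are assumed from that CLI output and the sample data is constructed.

```python
CMK_ROLE = "Key Vault Crypto Service Encryption User"


def cmk_prereq_failures(vault, identity, role_assignments, spec_vault_uri):
    """Return a list of human-readable failures; an empty list means all checks pass."""
    failures = []
    props = vault.get("properties", {})
    if props.get("enableSoftDelete") is not True:
        failures.append("key vault: soft delete is not enabled")
    if props.get("enablePurgeProtection") is not True:
        failures.append("key vault: purge protection is not enabled")
    # The keyvaulturi in the StorageAccount spec must be the vault's real URI
    # (a trailing slash or case difference is tolerated).
    actual_uri = props.get("vaultUri", "")
    if actual_uri.rstrip("/").lower() != spec_vault_uri.rstrip("/").lower():
        failures.append(f"spec keyvaulturi {spec_vault_uri!r} does not match vault URI {actual_uri!r}")
    # The role must be granted to the identity's principalId (object id) at the
    # vault scope or at a parent scope (resource group or subscription).
    principal = identity.get("principalId")
    vault_id = vault.get("id", "").lower()
    has_role = any(
        ra.get("roleDefinitionName") == CMK_ROLE
        and ra.get("principalId") == principal
        and (vault_id == ra.get("scope", "").lower().rstrip("/")
             or vault_id.startswith(ra.get("scope", "").lower().rstrip("/") + "/"))
        for ra in role_assignments
    )
    if not has_role:
        failures.append(f"identity {principal}: missing role '{CMK_ROLE}' on the vault")
    return failures


# Constructed sample data with placeholder ids, not real Azure resources.
SAMPLE_VAULT = {
    "id": "/subscriptions/SUB_ID/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/tst-vault",
    "properties": {"vaultUri": "https://tst-vault.vault.azure.net/",
                   "enableSoftDelete": True, "enablePurgeProtection": False},
}
SAMPLE_IDENTITY = {"principalId": "11111111-1111-1111-1111-111111111111"}
SAMPLE_ROLES = [{"roleDefinitionName": CMK_ROLE,
                 "principalId": "11111111-1111-1111-1111-111111111111",
                 "scope": "/subscriptions/SUB_ID/resourceGroups/my-rg"}]

if __name__ == "__main__":
    for f in cmk_prereq_failures(SAMPLE_VAULT, SAMPLE_IDENTITY, SAMPLE_ROLES,
                                 "https://tst-vault.vault.azure.net"):
        print("FAIL:", f)
```

With the sample data the only reported failure is the missing purge protection; role assignments inherited from the resource group or subscription count because the scope-prefix check accepts parent scopes.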
