Not able to apply CMK encryption to Azure Storage Account through ARM Template

Posted: 2021-03-12 10:26:57

Question: I am trying to attach CMK encryption to an Azure Storage Account through an ARM template, but I get the error below. Need quick help. It can be applied through the portal after the storage account has been created, but it does not work through the ARM template at the time the storage account is created.
Error: [error] FeatureNotSupportedForAccount: Missing pre-requisites to enable EncryptionAtRest/Customer managed keys for this storage account.
ARM template:

```json
"resources": [
  {
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2019-04-01",
    "name": "[variables('storageaccountname')]",
    "location": "[resourceGroup().location]",
    "sku": {
      "name": "[parameters('storageaccountype')]"
    },
    "kind": "[parameters('storagekind')]",
    "properties": {
      "supportsHttpsTrafficOnly": true,
      "accesstier": "[parameters('accesstier')]",
      "largeFileSharesState": "[parameters('largefilesharesstate')]",
      "allowBlobPublicAccess": false,
      "encryption": {
        "services": {
          "file": {
            "enabled": true
          },
          "blob": {
            "enabled": true
          }
        },
        "keySource": "Microsoft.Keyvault",
        "keyvaultproperties": {
          "keyvaulturi": "[parameters('kvuri')]",
          "keyname": "[parameters('keyname')]",
          "keyversion": "[parameters('keyversion')]"
        }
      }
    },
    "tags": {
      "abcid": "[parameters('abcid')]"
    }
  }
]
```
Comments:

Please try using Microsoft.Storage/storageAccounts/encryptionScopes.

Thanks, but please explain a bit more :)

Hi. I made a mistake. According to the error, it seems you have not registered the feature. Could you check that? For more details please refer to docs.microsoft.com/en-us/azure/storage/common/…

Yes, I have seen that link. But is registration mandatory before automating it, given that when doing it manually on the SA it is not required? Is that right? More importantly, that link explains Table and Queue. What about Blob and File? Do they need registration?

No. If you want to use that feature, we have to do that. Azure Blob and File should not need to. For more details please refer to docs.microsoft.com/en-us/azure/storage/common/…
Answer 1:

According to the document, if you want to configure encryption with customer-managed keys stored in Azure Key Vault, we need to perform the following steps:

1. Create the storage account and enable its identity.
2. Update the Azure Key Vault: enable soft delete and purge protection.
3. Configure an access policy for the storage account's identity.
4. Configure customer-managed keys for the storage account.

On how to configure these with an ARM template, please refer to the following template:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyName": {
      "type": "string",
      "defaultValue": ""
    },
    "keyVersion": {
      "type": "string",
      "defaultValue": ""
    },
    "vaultName": {
      "defaultValue": "",
      "type": "String"
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    },
    "accountNmae": {
      "type": "string",
      "defaultValue": "tetsdfgfgdffd"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "kind": "Storage",
      "name": "[parameters('accountNmae')]",
      "apiVersion": "2019-06-01",
      "location": "[parameters('location')]",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "supportsHttpsTrafficOnly": true
      },
      "dependsOn": []
    },
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "name": "[parameters('vaultName')]",
      "location": "eastasia",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('accountNmae'))]"
      ],
      "properties": {
        "sku": {
          "family": "A",
          "name": "Standard"
        },
        "tenantId": "[subscription().tenantid]",
        "accessPolicies": [],
        "enabledForDeployment": true,
        "enabledForDiskEncryption": true,
        "enabledForTemplateDeployment": true,
        "enableSoftDelete": true,
        "enablePurgeProtection": true
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-07-01",
      "name": "updateStorageAccount",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "0.1.0.0",
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults/accessPolicies",
              "name": "[concat(parameters('vaultName'), '/add')]",
              "apiVersion": "2019-09-01",
              "properties": {
                "accessPolicies": [
                  {
                    "tenantId": "[subscription().tenantid]",
                    "objectId": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('accountNmae')), '2019-06-01', 'full').identity.principalId]",
                    "permissions": {
                      "keys": [
                        "wrapkey",
                        "unwrapkey",
                        "get"
                      ],
                      "secrets": [],
                      "certificates": []
                    }
                  }
                ]
              }
            },
            {
              "type": "Microsoft.Storage/storageAccounts",
              "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
              },
              "kind": "Storage",
              "name": "[parameters('accountNmae')]",
              "apiVersion": "2019-06-01",
              "location": "[parameters('location')]",
              "identity": {
                "type": "SystemAssigned"
              },
              "properties": {
                "encryption": {
                  "services": {
                    "file": {
                      "enabled": true
                    },
                    "blob": {
                      "enabled": true
                    }
                  },
                  "keySource": "Microsoft.Keyvault",
                  "keyvaultproperties": {
                    "keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('vaultName')), '2016-10-01', 'full').properties.vaultUri]",
                    "keyname": "[parameters('keyName')]",
                    "keyversion": "[parameters('keyVersion')]"
                  }
                }
              },
              "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('vaultName'), 'add')]"
              ]
            }
          ]
        }
      }
    }
  ]
}
```
For more details, please refer to the blog.
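The answer's four prerequisites can be checked offline before a deployment is submitted, which is where the "Missing pre-requisites" error in the question is cheapest to catch. The following lint is an added example, not code from the question, the answer or any Azure tooling: it walks a parsed template (including nested `Microsoft.Resources/deployments`), and reports any storage account that asks for `Microsoft.Keyvault` encryption without a managed identity, any vault without soft delete or purge protection, missing `keyvaultproperties` fields, and the absence of an access policy granting get/wrapKey/unwrapKey. The two sample templates are constructed: one mirrors the question's shape, the other the answer's ordering; resource names, the vault URI and the principal-id placeholder are made up.

```python
"""Offline lint for the CMK prerequisites an ARM template has to satisfy (added example).

Checks: a storage account using keySource Microsoft.Keyvault carries a managed
identity and complete keyvaultproperties; vaults enable soft delete and purge
protection; some access policy grants get/wrapKey/unwrapKey.
"""
from typing import Any

REQUIRED_KEY_PERMISSIONS = {"get", "wrapkey", "unwrapkey"}


def _get(obj: Any, key: str, default: Any = None) -> Any:
    """Case-insensitive lookup, because ARM treats property names case-insensitively."""
    if not isinstance(obj, dict):
        return default
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return default


def iter_resources(resources: Any) -> list:
    """Flatten a resources array, descending into nested deployments and child resources."""
    out = []
    for res in resources or []:
        out.append(res)
        if str(_get(res, "type", "")).lower() == "microsoft.resources/deployments":
            inner = _get(_get(res, "properties"), "template")
            out.extend(iter_resources(_get(inner, "resources")))
        out.extend(iter_resources(_get(res, "resources")))
    return out


def _policy_grants_keys(res: dict) -> bool:
    """True if a vault or vaults/accessPolicies resource grants the key permissions CMK needs."""
    rtype = str(_get(res, "type", "")).lower()
    if rtype not in ("microsoft.keyvault/vaults", "microsoft.keyvault/vaults/accesspolicies"):
        return False
    for policy in _get(_get(res, "properties"), "accessPolicies", []) or []:
        keys = {str(p).lower() for p in _get(_get(policy, "permissions"), "keys", []) or []}
        if REQUIRED_KEY_PERMISSIONS <= keys:
            return True
    return False


def check_cmk_prerequisites(template: dict) -> list:
    """Return a list of findings; an empty list means the template meets the prerequisites."""
    findings = []
    resources = iter_resources(_get(template, "resources"))
    wants_cmk = False
    for res in resources:
        rtype = str(_get(res, "type", "")).lower()
        props = _get(res, "properties")
        name = _get(res, "name", "<unnamed>")
        if rtype == "microsoft.storage/storageaccounts":
            enc = _get(props, "encryption")
            if str(_get(enc, "keySource", "")).lower() != "microsoft.keyvault":
                continue  # platform-managed keys: nothing to check
            wants_cmk = True
            if "assigned" not in str(_get(_get(res, "identity"), "type", "")).lower():
                findings.append(f"{name}: keySource is Microsoft.Keyvault but the account has no managed identity")
            for field in ("keyvaulturi", "keyname", "keyversion"):
                if not _get(_get(enc, "keyvaultproperties"), field):
                    findings.append(f"{name}: keyvaultproperties.{field} is missing or empty")
        elif rtype == "microsoft.keyvault/vaults":
            if _get(props, "enableSoftDelete") is not True:
                findings.append(f"{name}: vault does not enable soft delete")
            if _get(props, "enablePurgeProtection") is not True:
                findings.append(f"{name}: vault does not enable purge protection")
    if wants_cmk and not any(_policy_grants_keys(r) for r in resources):
        findings.append("no Key Vault access policy grants get/wrapKey/unwrapKey to any principal")
    return findings


# Constructed sample in the shape of the question: CMK requested on a brand-new
# account that has no identity, with no vault or access policy in the template.
QUESTION_STYLE = {"resources": [{
    "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-04-01", "name": "sa-question",
    "properties": {"encryption": {
        "services": {"blob": {"enabled": True}, "file": {"enabled": True}},
        "keySource": "Microsoft.Keyvault",
        "keyvaultproperties": {"keyvaulturi": "[parameters('kvuri')]",
                               "keyname": "[parameters('keyname')]",
                               "keyversion": "[parameters('keyversion')]"}}}}]}

# Constructed sample in the answer's ordering: identity first, a vault with soft
# delete and purge protection, then a nested deployment that adds the access
# policy and only afterwards turns on Key Vault encryption (names are made up).
ANSWER_STYLE = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "sa-answer",
     "identity": {"type": "SystemAssigned"}, "properties": {"supportsHttpsTrafficOnly": True}},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-answer",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": True, "accessPolicies": []}},
    {"type": "Microsoft.Resources/deployments", "name": "updateStorageAccount",
     "properties": {"mode": "Incremental", "template": {"resources": [
         {"type": "Microsoft.KeyVault/vaults/accessPolicies", "name": "kv-answer/add",
          "properties": {"accessPolicies": [{"objectId": "<principalId-of-sa-answer>",
                                             "permissions": {"keys": ["wrapkey", "unwrapkey", "get"]}}]}},
         {"type": "Microsoft.Storage/storageAccounts", "name": "sa-answer",
          "identity": {"type": "SystemAssigned"},
          "properties": {"encryption": {"keySource": "Microsoft.Keyvault",
                                        "keyvaultproperties": {"keyvaulturi": "https://kv-answer.vault.azure.net/",
                                                               "keyname": "cmk", "keyversion": "v1"}}}}]}}}]}

if __name__ == "__main__":
    for label, tpl in (("question", QUESTION_STYLE), ("answer", ANSWER_STYLE)):
        print(label, check_cmk_prerequisites(tpl) or ["ok"])
```

Run against the question-shaped sample it reports the missing identity and the missing access policy, which is exactly the ordering problem the answer fixes by enabling the identity first and applying the encryption settings in a second, dependent deployment; against the answer-shaped sample it reports nothing. The check is static and cannot see whether the referenced key version actually exists in the vault, so it complements rather than replaces a validation deployment.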
Discussion:

Yes, that is true.. I did almost the same thing through PS. I had the KV and keys beforehand.

@Chaitanya Do you have any other concerns? If not, could you accept it as the answer?

But I still don't know why I get the original error message... The blog I mentioned yesterday requires running the ARM twice, while I need to run everything in the first run only..

@Chaitanya Regarding the error: in the ARM template, we cannot enable the identity on the storage account and configure the access policy for that identity. We need to enable the identity and configure the access policy, and then we can enable CMK in the template.

@JimXu Is the key version a mandatory parameter in the keyvaultproperties of the ARM template? Can I hard-code it to the latest version of the key in the template? I tried removing the version and running it, and it throws an error.