I am trying to attach CMK Encryption with Azure Storage Account through ARM Template but I am getting error as below. Need quick help with it. Able to apply it through portal after Storage Account is created but not able to do via ARM Template while creating Storage Account.
Error- [error]FeatureNotSupportedForAccount: Missing pre-requisites to enable EncryptionAtRest/Customer Managed Key for this storage account.
ARM:-
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-04-01",
"name": "[variables('storageaccountname')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "[parameters('storageaccountype')]"
},
"kind": "[parameters('storagekind')]",
"properties": {
"supportsHttpsTrafficOnly": true,
"accesstier": "[parameters('accesstier')]",
"largeFileSharesState": "[parameters('largefilesharesstate')]",
"allowBlobPublicAccess": false,
"encryption": {
"services": {
"file": {
"enabled": true
},
"blob": {
"enabled": true
}
},
"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {
"keyvaulturi": "[parameters('kvuri')]",
"keyname": "[parameters('keyname')]",
"keyversion": "[parameters('keyversion')]"
}
}
},
"tags": {
"abcid": "[parameters('abcid')]"
}
}
According to the document, if you want to configure encryption with customer-managed keys stored in Azure key valt, we need to do the following steps
Create storage account and Enable Identity
Update Azure Key vault. Enable soft delete and purge protection.
Configure access policy for the storage account's Identity
Configure customer-managed keys for the storage account.
Regarding how to configure these with arm template, please refer to the following template
For more details, please refer to the blog