Not able to apply CMK encryption to Azure Storage Account through ARM Template


I am trying to attach CMK encryption to an Azure Storage Account through an ARM template, but I am getting the error below. Need quick help with it. I am able to apply it through the portal after the storage account is created, but not via the ARM template while creating the storage account.

Error: [error]FeatureNotSupportedForAccount: Missing pre-requisites to enable EncryptionAtRest/Customer Managed Key for this storage account.

ARM template (resources section):

"resources": [
  {
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2019-04-01",
    "name": "[variables('storageaccountname')]",
    "location": "[resourceGroup().location]",
    "sku": {
      "name": "[parameters('storageaccountype')]"
    },
    "kind": "[parameters('storagekind')]",
    "properties": {
      "supportsHttpsTrafficOnly": true,
      "accesstier": "[parameters('accesstier')]",
      "largeFileSharesState": "[parameters('largefilesharesstate')]",
      "allowBlobPublicAccess": false,
      "encryption": {
        "services": {
          "file": {
            "enabled": true
          },
          "blob": {
            "enabled": true
          }
        },
        "keySource": "Microsoft.Keyvault",
        "keyvaultproperties": {
          "keyvaulturi": "[parameters('kvuri')]",
          "keyname": "[parameters('keyname')]",
          "keyversion": "[parameters('keyversion')]"
        }
      }
    },
    "tags": {
      "abcid": "[parameters('abcid')]"
    }
  }
]
Best answer:

According to the document, if you want to configure encryption with customer-managed keys stored in Azure Key Vault, we need to do the following steps:

  1. Create storage account and Enable Identity

  2. Update Azure Key vault. Enable soft delete and purge protection.

  3. Configure access policy for the storage account's Identity

  4. Configure customer-managed keys for the storage account.

Regarding how to configure these with an ARM template, please refer to the following template:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "keyName": {
            "type": "string",
            "defaultValue": ""
        },
        "keyVersion": {
            "type": "string",
            "defaultValue": ""
        },
        "vaultName": {
            "type": "string",
            "defaultValue": ""
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]"
        },
        "accountName": {
            "type": "string",
            "defaultValue": "tetsdfgfgdffd"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2019-06-01",
            "name": "[parameters('accountName')]",
            "location": "[parameters('location')]",
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "kind": "Storage",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "supportsHttpsTrafficOnly": true
            },
            "dependsOn": []
        },
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2016-10-01",
            "name": "[parameters('vaultName')]",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('accountName'))]"
            ],
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "tenantId": "[subscription().tenantId]",
                "accessPolicies": [],
                "enabledForDeployment": true,
                "enabledForDiskEncryption": true,
                "enabledForTemplateDeployment": true,
                "enableSoftDelete": true,
                "enablePurgeProtection": true
            }
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2019-07-01",
            "name": "updateStorageAccount",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "0.1.0.0",
                    "resources": [
                        {
                            "type": "Microsoft.KeyVault/vaults/accessPolicies",
                            "apiVersion": "2019-09-01",
                            "name": "[concat(parameters('vaultName'), '/add')]",
                            "properties": {
                                "accessPolicies": [
                                    {
                                        "tenantId": "[subscription().tenantId]",
                                        "objectId": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('accountName')), '2019-06-01', 'full').identity.principalId]",
                                        "permissions": {
                                            "keys": [
                                                "wrapKey",
                                                "unwrapKey",
                                                "get"
                                            ],
                                            "secrets": [],
                                            "certificates": []
                                        }
                                    }
                                ]
                            }
                        },
                        {
                            "type": "Microsoft.Storage/storageAccounts",
                            "apiVersion": "2019-06-01",
                            "name": "[parameters('accountName')]",
                            "location": "[parameters('location')]",
                            "sku": {
                                "name": "Standard_LRS",
                                "tier": "Standard"
                            },
                            "kind": "Storage",
                            "identity": {
                                "type": "SystemAssigned"
                            },
                            "properties": {
                                "encryption": {
                                    "services": {
                                        "file": {
                                            "enabled": true
                                        },
                                        "blob": {
                                            "enabled": true
                                        }
                                    },
                                    "keySource": "Microsoft.Keyvault",
                                    "keyvaultproperties": {
                                        "keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('vaultName')), '2016-10-01', 'full').properties.vaultUri]",
                                        "keyname": "[parameters('keyName')]",
                                        "keyversion": "[parameters('keyVersion')]"
                                    }
                                }
                            },
                            "dependsOn": [
                                "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('vaultName'), 'add')]"
                            ]
                        }
                    ]
                }
            }
        }
    ]
}


For more details, please refer to the blog
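An offline pre-flight check for the prerequisites the answer lists, added here as an example (it is not code from the question or the answer): it walks a template dict, including nested Microsoft.Resources/deployments, and reports which prerequisite is missing before you deploy. The QUESTION_SHAPE sample is constructed to mirror the question's template.

```python
# Added example, not code from the question or answer: an offline pre-flight
# check that walks an ARM template (nested deployments included) and reports
# which of the CMK prerequisites listed in the answer are missing.
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}

def _lc(obj):
    """Lower-case every object key: ARM property names are case-insensitive."""
    if isinstance(obj, dict):
        return {k.lower(): _lc(v) for k, v in obj.items()}
    return [_lc(v) for v in obj] if isinstance(obj, list) else obj

def _walk(resources):
    """Yield each resource, descending into nested Microsoft.Resources/deployments."""
    for r in resources:
        yield r
        yield from _walk(r.get("properties", {}).get("template", {}).get("resources", []))

def check_cmk_prereqs(template):
    """Return findings (missing or unverifiable prerequisites); [] means all declared."""
    res = list(_walk(_lc(template).get("resources", [])))
    by_type = lambda t: [r for r in res if r.get("type", "").lower() == t]
    findings = []
    cmk = [a for a in by_type("microsoft.storage/storageaccounts") if a.get("properties", {})
           .get("encryption", {}).get("keysource", "").lower() == "microsoft.keyvault"]
    if not cmk:
        findings.append("no storage account requests keySource Microsoft.Keyvault")
    for a in cmk:  # step 1: the vault can only trust an account that has an identity
        if a.get("identity", {}).get("type", "none").lower() == "none":
            findings.append(f"{a.get('name')}: CMK requested without a managed identity")
    vaults = by_type("microsoft.keyvault/vaults")
    if not vaults:
        findings.append("no Key Vault in template: verify soft delete/purge protection on the existing vault")
    for v in vaults:  # step 2: soft delete and purge protection must both be on
        for flag in ("enablesoftdelete", "enablepurgeprotection"):
            if v.get("properties", {}).get(flag) is not True:
                findings.append(f"{v.get('name')}: {flag} is not true")
    # step 3: an inline or separate access policy must grant get/wrapKey/unwrapKey
    policies = [p for r in vaults + by_type("microsoft.keyvault/vaults/accesspolicies")
                for p in r.get("properties", {}).get("accesspolicies", [])]
    granted = [{k.lower() for k in p.get("permissions", {}).get("keys", [])} for p in policies]
    if not any(REQUIRED_KEY_PERMS <= g for g in granted):
        findings.append("no access policy grants get/wrapKey/unwrapKey on keys")
    return findings

# Constructed sample shaped like the question's template: CMK requested, no identity, no vault.
QUESTION_SHAPE = {"resources": [{"type": "Microsoft.Storage/storageAccounts", "name": "sa1",
    "properties": {"encryption": {"keySource": "Microsoft.Keyvault", "keyvaultproperties": {
    "keyvaulturi": "https://example.vault.azure.net/", "keyname": "k", "keyversion": "v"}}}}]}

if __name__ == "__main__":
    print("\n".join(check_cmk_prereqs(QUESTION_SHAPE) or ["all CMK prerequisites declared"]))
```

Load a real template with `json.load` and pass the resulting dict to `check_cmk_prereqs`; an empty list means the identity, vault flags and key permissions are all declared somewhere in the template.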