Azure: Missing pre-requisites to enable EncryptionAtRest/Customer Managed Key for this storage account

Problem description

I'm working on a project where I want to use an Azure JSON template to create a storage account, a Key Vault and a key, and encrypt the storage account with that key.

This is the code I have so far:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": {
      "type": "string",
      "metadata": {
        "description": "The name of the key vault to be created."
      }
    },
    "skuName": {
      "type": "string",
      "defaultValue": "Standard",
      "allowedValues": [
        "Standard",
        "Premium"
      ],
      "metadata": {
        "description": "The SKU of the vault to be created."
      }
    },
    "keyName": {
      "type": "string",
      "metadata": {
        "description": "The name of the key to be created."
      }
    },
    "keyType": {
      "type": "string",
      "metadata": {
        "description": "The JsonWebKeyType of the key to be created."
      }
    },
    "keyOps": {
      "type": "array",
      "defaultValue": [],
      "metadata": {
        "description": "The permitted JSON web key operations of the key to be created."
      }
    },
    "keySize": {
      "type": "int",
      "defaultValue": 2048,
      "metadata": {
        "description": "The size in bits of the key to be created."
      }
    },
    "curveName": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "The JsonWebKeyCurveName of the key to be created."
      }
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "[subscription().tenantId]",
      "metadata": {
        "description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet."
      }
    },
    "objectId": {
      "type": "string",
      "defaultValue": "<My-Account-Object-Id>",
      "metadata": {
        "description": "Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets."
      }
    },
    "secretsPermissions": {
      "type": "array",
      "defaultValue": [
        "list",
        "get"
      ],
      "metadata": {
        "description": "Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge."
      }
    },
    "keyPermissions": {
      "type": "array",
      "defaultValue": [
        "list",
        "get"
      ],
      "metadata": {
        "description": "Specifies the permissions to key in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge."
      }
    },
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_ZRS",
        "Premium_LRS"
      ],
      "metadata": {
        "description": "Storage Account type"
      }
    },
    "storageName": {
      "type": "string",
      "metadata": {
        "description": "The name of the storage account"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "[parameters('vaultName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "enableRbacAuthorization": false,
        "enableSoftDelete": true,
        "enabledForDeployment": true,
        "enabledForDiskEncryption": true,
        "enabledForTemplateDeployment": true,
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [
          {
            "tenantId": "[parameters('tenantId')]",
            "objectId": "[parameters('objectId')]",
            "permissions": {
              "secrets": "[parameters('secretsPermissions')]",
              "keys": "[parameters('keyPermissions')]"
            }
          }
        ],
        "sku": {
          "name": "[parameters('skuName')]",
          "family": "A"
        },
        "networkAcls": {
          "defaultAction": "Allow",
          "bypass": "AzureServices"
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('vaultName'), '/', parameters('keyName'))]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
      ],
      "properties": {
        "kty": "[parameters('keyType')]",
        "keyOps": "[parameters('keyOps')]",
        "keySize": "[parameters('keySize')]",
        "curveName": "[parameters('curveName')]"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[parameters('storageName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName'))]"
      ],
      "identity": {
        "type": "SystemAssigned"
      },
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "StorageV2",
      "properties": {
        "encryption": {
          "keySource": "Microsoft.Keyvault",
          "keyvaultproperties": {
            "keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults',parameters('vaultName')),'2016-10-01', 'full').properties.vaultUri]",
            "keyname": "[parameters('keyName')]",
            "keyversion": ""
          },
          "services": {
            "blob": {"enabled": true},
            "file": {"enabled": true}
          }
        }
      }
    } 
  ],
  "outputs": {
    "proxyKey": {
      "type": "object",
      "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName')))]"
    }
  }
}

When I run the code, I get the following error:

Deployment failed. Correlation ID: f0636fa8-60f5-42d9-a47d-856438e51282. {
  "error": {
    "code": "FeatureNotSupportedForAccount",
    "message": "Missing pre-requisites to enable EncryptionAtRest/Customer Managed Key for this storage account.  For more information, see - https://aka.ms/storagecmkconfiguration"
  }
}

I can't find any solution that helps me with this problem. I'd be grateful if anyone can help.

Tags: json, azure, azure-devops

Solution


Your Key Vault must have purge protection enabled:

...
        "enableSoftDelete": true,
        "enablePurgeProtection": true
...

https://www.codeisahighway.com/how-to-use-customer-managed-keys-with-azure-key-vault-and-azure-storage-encryption-using-arm-template/
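Purge protection (together with soft delete) is the prerequisite the error message points at, and once enabled it cannot be turned off again on that vault. The storage account's managed identity also needs the get, wrapKey and unwrapKey permissions on the vault before the encryption block is accepted, and the account should not be deployed before the key exists. The script below is an added example, not code from the question, the answer or the linked article: an offline lint that reads an ARM template and reports which of those prerequisites are missing. The function names, the trimmed sample templates and the `REQUIRED_KEY_PERMS` set are my own; parameter references of the form `[parameters('x')]` are resolved to the parameter's `defaultValue` so the check works on an unexpanded template.

```python
"""Offline lint for an ARM template that enables customer-managed keys (CMK)
on a storage account. Checks the Key Vault and storage-account settings behind
the FeatureNotSupportedForAccount / "Missing pre-requisites" deployment error.
Added example; not taken from the original post."""
import copy
import json
import re
import sys

VAULT_TYPE = "microsoft.keyvault/vaults"
STORAGE_TYPE = "microsoft.storage/storageaccounts"
# Key operations the storage account's managed identity must hold on the vault.
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}
_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, template):
    """Resolve "[parameters('x')]" to that parameter's defaultValue; pass anything else through."""
    if isinstance(value, str):
        m = _PARAM_REF.match(value)
        if m:
            return template.get("parameters", {}).get(m.group(1), {}).get("defaultValue")
    return value


def _of_type(template, rtype):
    # Resource type names are case-insensitive in ARM, so compare lower-cased.
    return [r for r in template.get("resources", []) if r.get("type", "").lower() == rtype]


def check_cmk_prerequisites(template):
    """Return a list of findings; an empty list means no CMK prerequisite is missing."""
    findings = []
    for vault in _of_type(template, VAULT_TYPE):
        name = resolve(vault.get("name"), template) or vault.get("name", "<vault>")
        props = vault.get("properties", {})
        if resolve(props.get("enableSoftDelete"), template) is not True:
            findings.append(f"{name}: enableSoftDelete must be true")
        if resolve(props.get("enablePurgeProtection"), template) is not True:
            findings.append(f"{name}: enablePurgeProtection must be true")
        if resolve(props.get("enableRbacAuthorization"), template) is not True:
            # Access-policy mode: some policy must carry get/wrapKey/unwrapKey on keys.
            grants = []
            for policy in resolve(props.get("accessPolicies", []), template) or []:
                keys = resolve(policy.get("permissions", {}).get("keys", []), template) or []
                grants.append({k.lower() for k in keys})
            if not any(REQUIRED_KEY_PERMS <= g for g in grants):
                findings.append(f"{name}: no access policy grants get/wrapKey/unwrapKey on keys")
    for acct in _of_type(template, STORAGE_TYPE):
        name = resolve(acct.get("name"), template) or acct.get("name", "<storage>")
        identity = acct.get("identity", {}).get("type", "")
        if "assigned" not in identity.lower():
            findings.append(f"{name}: identity.type must be SystemAssigned or UserAssigned")
        enc = acct.get("properties", {}).get("encryption", {})
        if enc.get("keySource", "").lower() != "microsoft.keyvault":
            findings.append(f"{name}: encryption.keySource must be Microsoft.Keyvault")
        kv = enc.get("keyvaultproperties", {})
        if not resolve(kv.get("keyname"), template) or not kv.get("keyvaulturi"):
            findings.append(f"{name}: keyvaultproperties.keyname and keyvaulturi are required")
        if not any("vaults/keys" in d.lower() for d in acct.get("dependsOn", [])):
            findings.append(f"{name}: add dependsOn for the Key Vault key so it exists first")
    return findings


# Constructed sample: the shape of the template from the question, trimmed to the checked fields.
QUESTION_TEMPLATE = {
    "parameters": {
        "keyPermissions": {"type": "array", "defaultValue": ["list", "get"]},
        "keyName": {"type": "string", "defaultValue": "cmk-key"},
    },
    "resources": [
        {"type": "Microsoft.KeyVault/vaults", "name": "kv-demo",
         "properties": {"enableRbacAuthorization": False, "enableSoftDelete": True,
                        "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000000",
                                            "permissions": {"keys": "[parameters('keyPermissions')]"}}]}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stdemo",
         "identity": {"type": "SystemAssigned"},
         "properties": {"encryption": {"keySource": "Microsoft.Keyvault",
                                       "keyvaultproperties": {"keyvaulturi": "https://kv-demo.vault.azure.net/",
                                                              "keyname": "[parameters('keyName')]",
                                                              "keyversion": ""}}}},
    ],
}

# Constructed sample: the same template with the prerequisites satisfied.
FIXED_TEMPLATE = copy.deepcopy(QUESTION_TEMPLATE)
FIXED_TEMPLATE["resources"][0]["properties"]["enablePurgeProtection"] = True
FIXED_TEMPLATE["parameters"]["keyPermissions"]["defaultValue"] = ["get", "wrapKey", "unwrapKey"]
FIXED_TEMPLATE["resources"][1]["dependsOn"] = [
    "[resourceId('Microsoft.KeyVault/vaults/keys', 'kv-demo', 'cmk-key')]"]

if __name__ == "__main__":
    # Lint a template file if one is given, otherwise the embedded samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = {sys.argv[1]: json.load(fh)}
    else:
        targets = {"question": QUESTION_TEMPLATE, "fixed": FIXED_TEMPLATE}
    for label, tpl in targets.items():
        print(f"{label}: {check_cmk_prerequisites(tpl) or 'OK'}")
```

Run it as `python cmk_lint.py template.json` before deploying. On the question's template it reports the missing purge protection, the access policy that only grants list/get, and the missing dependsOn; the fixed sample passes. The access-policy check can only confirm that some policy carries the three key permissions, since the storage account's identity object ID does not exist until the account has been created; in practice that grant is applied after the first deployment or through a nested deployment.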

