Can't enable encryption using Customer Managed Key

[Pavkum007]

I can't enable encryption using Customer Managed Key.

the following resources are created :

1. User Assigned managed identity
2. Azure KeyVault with a RSA key added

the identity is assigned Contributor on subscription and KeyVault Crypto Officer and KeyVault Crypto Encryption User Roles on the KeyVault.

Now I am trying to create App Configuration from azure portal. When I enable "Customer Managed Key" in the Encryption tab. Select the Identity, Keyvault and the key - I get the following error on the screen - The selected identity must have “get”, “wrapKey” and “unwrapKey” permissions on the managed key.

I am not sure what the issue is here. Can you please help

[Pavkum007]

Hi Team, can you please help here?

[juniwang]

Hi @Pavkum007, thanks for reaching out. We're aware of this issue and are currently working to reproduce and identify the root cause. We'll keep you updated.

[jiayi11]

Hi @Pavkum007, thanks for reporting this issue. This is a code defect in the portal, the fix of this issue will be deployed in the next round of release in the next few weeks. I'll let you know as soon as I have a more specific date.
In the meanwhile, as a workaround, could you try to create the store first without enabling encryption, and then enable it from "Encryption" blade of the store?

[Pavkum007]

Hello @jiayi11 I tried enabling Encryption - post the creation of App config store on portal. But it expects System Assigned Identity / User Assigned Identity to be enabled/added for the App config store and only then Encryption can be enabled. I did this, and was able to enable encryption.

Is this the case always that - to enable encryption - System/User assigned Identity should be enabled as pre-req?

How does the flow look like when enabling encyrption while creating the app config store (instead of post creation).

Because this similar behavior needs to be incorporated if users are creating app config store via Terraform,Bicep etc..

[jiayi11]

@Pavkum007 Are you going to use system assigned or user assigned identity to enable encryption? Enabling encryption requires identity's ClientId and key vault's KeyId If you're going to use a user assigned identity, assigning the identity to the store is not a pre-req, you can add it to the store and use its clientId to enable encryption in the same request or within the same deployment template to create the store (that's how portal create store flow works). But if you need to use a system assigned identity, creating the system assigned identity would be a pre-req, as you will need to create it to get the clientId before use it for encryption.

[Pavkum007]

I am using user assigned identity. Thank you @jiayi11 for the explanation. Got it working via Terraform, ARM template.

Will keep this thread open for updates on the bug fix on portal.