BillyMichael

Reputation: 115

Azure Vault and VM Disk Encryption 'Access Denied'

I am trying to encrypt a VM using an Azure Vault I have created. I have created an app registration and added it to an access policy.

This access policy has full privileges to the vault.

I have then run the following PowerShell commands to encrypt the VM:

$RGName = "XXXX"
$VMName = "XXXX"
$AADClientID = "7704d32e-acc1-4258-89b9-743f7e28d6f4"
$AADClientSecret = "XXXX"
$VaultName = "XXXX"
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId

I then get the following error:

Set-AzureRmVMDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as expected.
Exception: Access denied, InnerException: , stack trace:    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.UploadBekToKeyVault(EncryptableVolume vol, String protectorId, Boolean saveKeyToBekVolume)
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectorForVolume(EncryptableVolume vol, Boolean saveKeyToBekVolume)
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadOsVolumeProtector()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable()".'
ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as expected. Exception: Access denied, InnerException: , stack trace:    at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.UploadBekToKeyVault(EncryptableVolume vol, String protectorId, Boolean saveKeyToBekVolume)
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectorForVolume(EncryptableVolume vol, Boolean saveKeyToBekVolume)
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadOsVolumeProtector()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable()".
StartTime: 2/4/2018 7:14:08 PM
EndTime: 2/4/2018 7:14:14 PM
OperationID: bbeb1676-a4a1-4473-8051-038f34c2ac69
Status: Failed
At line:1 char:1
+ Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMNa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmVMDiskEncryptionExtension], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption.SetAzureDiskEncryptionExtensionCommand

Below are the settings for the key vault:

Vault Name                       : XXXX
Resource Group Name              : XXXX
Location                         : uksouth
Resource ID                      : /subscriptions/XXXX/resourceGroups/XXXX/providers/Microsoft.KeyVault/vaults/XXXX
Vault URI                        : https://XXXX.vault.azure.net/
Tenant ID                        : XXXX
SKU                              : Standard
Enabled For Deployment?          : True
Enabled For Template Deployment? : True
Enabled For Disk Encryption?     : True
Soft Delete Enabled?             :
Access Policies                  :
                                   Tenant ID                                  : XXXX
                                   Object ID                                  : 5dc9a404-6b67-4529-a722-2d941b439352
                                   Application ID                             : 7704d32e-acc1-4258-89b9-743f7e28d6f4
                                   Display Name                               :
                                   Permissions to Keys                        : Encrypt, Decrypt, WrapKey, UnwrapKey, Sign, Verify, Get, List, Create, Update, Import, Delete, Backup, Restore
                                   Permissions to Secrets                     : Get, List, Set, Delete
                                   Permissions to Certificates                : Get, List, Delete, Create, Import, Update, ManageContacts, GetIssuers, ListIssuers, SetIssuers, DeleteIssuers, ManageIssuers, Recover, Purge
                                   Permissions to (Key Vault Managed) Storage :

I have checked all privileges and everything seems to be fine. Any suggestions on what the error might be or how I could debug it would be very helpful.

Upvotes: 3

Views: 1603

Answers (1)

4c74356b41

Reputation: 72151

You need to enable the KV for disk encryption.

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForDiskEncryption

The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the virtual machine when it boots and decrypts the virtual machine OS volume. To grant permissions to Azure platform, set the EnabledForDiskEncryption property in the key vault.

https://learn.microsoft.com/en-us/azure/security/azure-security-disk-encryption#prerequisites

Upvotes: 1
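An added pre-flight check, not part of the question or the answer above, that a practitioner can run before calling Set-AzureRmVMDiskEncryptionExtension. It uses the same AzureRM cmdlets the thread uses and verifies the three things the linked prerequisites page asks for: the vault's EnabledForDiskEncryption flag (the answer's point), an access-policy entry keyed on the AAD application's service principal object ID rather than the app registration's object ID, and the minimum key/secret permissions that page lists for the AAD-app flow (WrapKey on keys, Set on secrets). The resource group, vault name and client ID are placeholders; Grant-AdeMinimumAccess is a helper name chosen here, and it grants only that minimum instead of the full key/secret/certificate rights shown in the question's policy.

```powershell
# Added diagnostic example (not the thread's own code). Placeholder values:
$RGName      = "XXXX"                                   # resource group (placeholder)
$VaultName   = "XXXX"                                   # Key Vault name (placeholder)
$AADClientID = "00000000-0000-0000-0000-000000000000"   # AAD app (client) ID (placeholder)

function Test-AdeKeyVaultPrereqs {
    # Returns a list of problems found; an empty list means the vault looks ready
    # for Azure Disk Encryption with an AAD client application.
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $AadClientId
    )
    $problems = @()
    $vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName

    # 1. Platform access: the flag the accepted answer sets.
    if (-not $vault.EnabledForDiskEncryption) {
        $problems += "EnabledForDiskEncryption is not set on vault '$VaultName'."
    }

    # 2. The policy entry must be for the app's *service principal* object.
    #    Resolving by SPN (the application ID is registered as an SPN) gives that object.
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $AadClientId | Select-Object -First 1
    if (-not $sp) {
        $problems += "No service principal for application ID $AadClientId in this tenant."
        return $problems
    }
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id.ToString() }
    if (-not $policy) {
        $problems += "No access policy entry for service principal object ID $($sp.Id)."
        return $problems
    }

    # 3. Minimum permissions the prerequisites page lists for the AAD-app flow.
    #    The extension wraps the BitLocker key with the KEK (WrapKey) and writes the
    #    wrapped key as a secret (Set). 'All' covers both, so accept it too.
    if (($policy.PermissionsToKeys -notcontains 'WrapKey') -and
        ($policy.PermissionsToKeys -notcontains 'All')) {
        $problems += "Access policy lacks the 'WrapKey' key permission."
    }
    if (($policy.PermissionsToSecrets -notcontains 'Set') -and
        ($policy.PermissionsToSecrets -notcontains 'All')) {
        $problems += "Access policy lacks the 'Set' secret permission."
    }
    return $problems
}

function Grant-AdeMinimumAccess {
    # Remediation with least privilege: enable the platform flag and give the app's
    # service principal only WrapKey + Set. The two settings live in different
    # parameter sets of Set-AzureRmKeyVaultAccessPolicy, so they need two calls.
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $AadClientId
    )
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
        -EnabledForDiskEncryption
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
        -ServicePrincipalName $AadClientId -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set'
}

# Usage: report problems, and only call Grant-AdeMinimumAccess after reviewing them.
$issues = Test-AdeKeyVaultPrereqs -ResourceGroupName $RGName -VaultName $VaultName -AadClientId $AADClientID
if ($issues.Count -eq 0) {
    Write-Host "Key Vault prerequisites for Azure Disk Encryption look satisfied."
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

The object-ID check is the one most worth keeping: an app registration and its service principal are two different directory objects with two different object IDs, and only the service principal's ID is meaningful in a vault access policy, so a policy entry that looks complete in the portal can still be keyed on the wrong object.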
