
I was working on a task to encrypt an Azure Storage account with customer-managed keys (CMK) held in Azure Key Vault, so that the storage service wraps its data-encryption keys with a key we control rather than a Microsoft-managed one.
The ARM template is below; change the parameter values before deploying. The defaults for `keyvaultName` and `strgacct` ("key vault name", "storage account name") are placeholders, not valid resource names, and must be replaced.
Parameters (note: in the listing below a comma is missing after the closing brace of the `attributes` parameter, just before `"crv"`; add it or the template will fail to parse)
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyName": {
"type": "string",
"defaultValue": "keyname"
},
"keyvaultName": {
"type": "string",
"defaultValue": "key vault name"
},
"keyVersion": {
"type": "string",
"defaultValue": ""
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
},
"strgacct": {
"type": "string",
"defaultValue": "storage account name"
},
"attributes": {
"type": "object",
"defaultValue": {},
"metadata": {
"description": "The attributes of a key managed by the key vault service."
}
}
"crv": {
"type": "string",
"defaultValue": "",
"allowedValues": [
"",
"P-256",
"P-256K",
"P-384",
"P-521"
],
"metadata": {
"description": "Elliptic curve name."
}
},
"key_ops": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "JSON web key operations. Operations include: 'encrypt', 'decrypt', 'sign', 'verify', 'wrapKey', 'unwrapKey'"
}
},
"key_size": {
"type": "int",
"defaultValue": 4096,
"metadata": {
"description": "The key size in bits. For example: 2048, 3072, or 4096 for RSA."
}
},
"kty": {
"type": "string",
"defaultValue": "RSA",
"allowedValues": [
"EC",
"EC-HSM",
"RSA",
"RSA-HSM"
],
"metadata": {
"description": "The type of key to create"
}
},
"tags": {
"type": "object",
"defaultValue": {},
"metadata": {
"description": "Tags to be assigned to the Key."
}
}
},
"resources": []
}
Next we create the resources we need:
- Storage account (with a system-assigned managed identity, which is the principal Key Vault will grant access to)
- Key Vault (soft delete and purge protection are enabled; Azure Storage requires both on a vault used for customer-managed keys, so the wrapping key cannot be permanently deleted out from under the account)
- Key

Two things to review in the listing below before using it. `supportsHttpsTrafficOnly` is set to `false`, which permits clear-text HTTP access to the account; set it to `true` unless there is a specific reason not to — encrypting data at rest with CMK does nothing for data in transit. The key's `key_ops` defaults to an empty array; a storage CMK only needs `wrapKey` and `unwrapKey`, so consider restricting `key_ops` to exactly those to limit what the key can be used for. (The `tags` parameter is declared but not applied to the key resource.)
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "Storage",
"name": "[parameters('strgacct')]",
"apiVersion": "2019-06-01",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"supportsHttpsTrafficOnly": false
},
"dependsOn": []
},
{
"type": "Microsoft.KeyVault/vaults",
"name": "[parameters('keyvaultName')]",
"apiVersion": "2016-10-01",
"location": "[parameters('location')]",
"properties": {
"sku": {
"family": "A",
"name": "standard"
},
"tenantId": "[subscription().tenantid]",
"accessPolicies": [],
"enabledForDeployment":false,
"enabledForDiskEncryption":false,
"enabledForTemplateDeployment":true,
"enableSoftDelete":true,
"enablePurgeProtection": true
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct'))]"
]
},
{
"type": "Microsoft.KeyVault/vaults/keys",
"apiVersion": "2019-09-01",
"name": "[concat(parameters('keyvaultname'), '/', parameters('keyName'))]",
"properties": {
"attributes": "[parameters('attributes')]",
"crv": "[parameters('crv')]",
"kty": "[parameters('kty')]",
"key_ops": "[parameters('key_ops')]",
"key_size": "[parameters('key_size')]"
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct'))]",
"[resourceId('Microsoft.KeyVault/vaults/', parameters('keyvaultname'))]"
]
}
]
After this we use a nested template to update the storage account so that it encrypts data with the Key Vault key. The nested deployment first adds an access policy granting the storage account's managed identity only `get`, `wrapKey` and `unwrapKey` on keys — no secret or certificate permissions and no create/delete rights on keys, which is the least privilege the storage service needs — and then points the account's encryption settings at the key. Two caveats: the nested deployment's `dependsOn` lists only the vault, not the `Microsoft.KeyVault/vaults/keys` resource, so the storage update can race the key creation and fail with a key-not-found error; add the key's resource ID to `dependsOn` as well. The storage account resource inside the nested template also omits `supportsHttpsTrafficOnly`, so it does not re-enable HTTPS-only access — set it to `true` here too.
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-07-01",
"name": "updateStorageAccount",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('keyvaultname'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "0.1.0.0",
"resources": [
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('keyvaultname'), '/add')]",
"apiVersion": "2019-09-01",
"properties": {
"accessPolicies": [
{
"tenantId": "[subscription().tenantid]",
"objectId": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct')),'2019-06-01', 'full').identity.principalId]",
"permissions": {
"keys": [
"wrapkey",
"unwrapkey",
"get"
],
"secrets": [],
"certificates": []
}
}
]
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "Storage",
"name": "[parameters('strgacct')]",
"apiVersion": "2019-06-01",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"encryption": {
"services": {
"file": {
"enabled": true
},
"blob": {
"enabled": true
}
},
"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {
"keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyvaultname')),'2016-10-01', 'full').properties.vaultUri]",
"keyname": "[parameters('keyName')]",
"keyversion": "[parameters('keyversion')]"
}
}
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyvaultname'), 'add')]"
]
}
]
}
}
}
Finally, the complete ARM template to encrypt the storage account with a Key Vault key looks like this. The same caveats apply: add the missing comma after the `attributes` parameter block, set `supportsHttpsTrafficOnly` to `true` in both storage account definitions, and make the nested deployment depend on the key resource, not just the vault.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyName": {
"type": "string",
"defaultValue": "keyname"
},
"keyvaultName": {
"type": "string",
"defaultValue": "key vault name"
},
"keyVersion": {
"type": "string",
"defaultValue": ""
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
},
"strgacct": {
"type": "string",
"defaultValue": "storage account name"
},
"attributes": {
"type": "object",
"defaultValue": {},
"metadata": {
"description": "The attributes of a key managed by the key vault service."
}
}
"crv": {
"type": "string",
"defaultValue": "",
"allowedValues": [
"",
"P-256",
"P-256K",
"P-384",
"P-521"
],
"metadata": {
"description": "Elliptic curve name."
}
},
"key_ops": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "JSON web key operations. Operations include: 'encrypt', 'decrypt', 'sign', 'verify', 'wrapKey', 'unwrapKey'"
}
},
"key_size": {
"type": "int",
"defaultValue": 4096,
"metadata": {
"description": "The key size in bits. For example: 2048, 3072, or 4096 for RSA."
}
},
"kty": {
"type": "string",
"defaultValue": "RSA",
"allowedValues": [
"EC",
"EC-HSM",
"RSA",
"RSA-HSM"
],
"metadata": {
"description": "The type of key to create"
}
},
"tags": {
"type": "object",
"defaultValue": {},
"metadata": {
"description": "Tags to be assigned to the Key."
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "Storage",
"name": "[parameters('strgacct')]",
"apiVersion": "2019-06-01",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"supportsHttpsTrafficOnly": false
},
"dependsOn": []
},
{
"type": "Microsoft.KeyVault/vaults",
"name": "[parameters('keyvaultName')]",
"apiVersion": "2016-10-01",
"location": "[parameters('location')]",
"properties": {
"sku": {
"family": "A",
"name": "standard"
},
"tenantId": "[subscription().tenantid]",
"accessPolicies": [],
"enabledForDeployment":false,
"enabledForDiskEncryption":false,
"enabledForTemplateDeployment":true,
"enableSoftDelete":true,
"enablePurgeProtection": true
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct'))]"
]
},
{
"type": "Microsoft.KeyVault/vaults/keys",
"apiVersion": "2019-09-01",
"name": "[concat(parameters('keyvaultname'), '/', parameters('keyName'))]",
"properties": {
"attributes": "[parameters('attributes')]",
"crv": "[parameters('crv')]",
"kty": "[parameters('kty')]",
"key_ops": "[parameters('key_ops')]",
"key_size": "[parameters('key_size')]"
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct'))]",
"[resourceId('Microsoft.KeyVault/vaults/', parameters('keyvaultname'))]"
]
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-07-01",
"name": "updateStorageAccount",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('keyvaultname'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "0.1.0.0",
"resources": [
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('keyvaultname'), '/add')]",
"apiVersion": "2019-09-01",
"properties": {
"accessPolicies": [
{
"tenantId": "[subscription().tenantid]",
"objectId": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct')),'2019-06-01', 'full').identity.principalId]",
"permissions": {
"keys": [
"wrapkey",
"unwrapkey",
"get"
],
"secrets": [],
"certificates": []
}
}
]
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "Storage",
"name": "[parameters('strgacct')]",
"apiVersion": "2019-06-01",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"encryption": {
"services": {
"file": {
"enabled": true
},
"blob": {
"enabled": true
}
},
"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {
"keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyvaultname')),'2016-10-01', 'full').properties.vaultUri]",
"keyname": "[parameters('keyName')]",
"keyversion": "[parameters('keyversion')]"
}
}
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyvaultname'), 'add')]"
]
}
]
}
}
}
]
}


