Question

MariaLee-4338 asked · JamesTran-MSFT answered

Unexpected Error Occurred when Restoring Backup of Secret in Azure Key Vault

Hi there, recently we tried migrating the contents of an Azure Key Vault following the steps provided here: https://docs.microsoft.com/en-us/azure/key-vault/general/move-region. We utilized Option (2) and downloaded all the keys/secrets/certificates successfully and managed to re-upload them to a new target Key Vault.

However, when we tried replicating the same steps in Production, we encountered a new error as shown below:
[image: screenshot of the error message, attached as image.png]



Are there any ways to troubleshoot this error message and continue the Key Vault Migration? Thanks!

azure-key-vault

@MariaLee-4338
Thank you for your post!

Based off the error message, it looks like the secret backup file is malformed.

  • Are you able to redownload the secret from the original Key Vault, and upload it to the new target Key Vault?

  • Is this happening to all your keys/secrets within your Production environment?


If you'd like to work closely with our support team on this issue, please let me know.
Thank you for your time and patience throughout this issue.


Hi James,

Thanks for your response! To answer your questions, the problem was happening to all keys and secrets in Production and I could not restore any backups.

I have managed to work around the issue thus far by manually noting down the contents of each key/secret/certificate in the source Key Vault, creating a new target Key Vault, and recreating all the content by manually re-typing the names and values of each key/secret/certificate in the target Key Vault. However, the Key Vault is used as a Linked Service to ADF and, while maintaining the names and values still works for now (I can still connect ADF to AKV by changing the base linked service URL), I have concerns that there might be problems down the line in maintaining connections to the new Key Vault using this approach, as the secret identifiers and versions are different.

Could you let me know if there are any concerns or chances that a sudden loss of connection might occur? Thanks!


@MariaLee-4338
Thank you for the detailed and quick response!

Since our documentation recommends downloading the keys/secrets/certificates, and you're manually copying down/creating new keys/secrets/certificates with these values, I'll confirm with our AKV team if there might be any issues regarding this in the future.


If you have any other questions in the meantime, please let me know.
Thank you for your time and patience throughout this issue.


1 Answer

JamesTran-MSFT answered

@MariaLee-4338
Thank you for your time and patience throughout this issue! I reached out to our AKV SMEs and will post their update below.


When it comes to the backup/restore operation not working, this could be because: when you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. For more info, see Design considerations.

The version change is expected as you're creating new secrets, hence new GUIDs. This will only affect the caller (ADF) if it has references using the secret's version-specific GUIDs, but if it's using just the name as a reference then there should be no issues.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
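The answer above turns on one question for the caller: does it reference each secret by name only, or by a version-pinned identifier that will no longer resolve after the secrets are recreated in the new vault? The following Python script is an added example (not code from the thread, from Microsoft, or from the Azure SDK) that lets you audit that before migrating. It parses Key Vault secret identifiers of the form https://<vault>.vault.azure.net/secrets/<name>[/<version>] and walks a set of Data Factory linked-service definitions to report every Key Vault secret reference that pins a version. The linked-service JSON shape (an AzureKeyVaultSecret object with secretName and an optional secretVersion) and the sample definitions embedded below are assumptions constructed for the example.

```python
"""Audit Azure Key Vault secret references ahead of a vault migration.

Added example; not code from the Q&A thread, Microsoft, or the Azure SDK.
Two checks that follow from the thread's answer:
  1. parse_secret_id(): does a secret identifier URL pin a version GUID?
  2. find_pinned_references(): which ADF linked services reference a
     secret by version instead of by name alone?
The ADF JSON shape (AzureKeyVaultSecret / secretName / secretVersion)
is an assumption for this example.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# Key Vault object versions are 32 lowercase hex characters.
_VERSION_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class SecretRef:
    vault_host: str
    name: str
    version: Optional[str]

    @property
    def pinned(self) -> bool:
        """True when the reference will break once the secret is recreated."""
        return self.version is not None


def parse_secret_id(secret_id: str) -> SecretRef:
    """Parse https://<vault>.vault.azure.net/secrets/<name>[/<version>]."""
    url = urlparse(secret_id)
    if url.scheme != "https" or not url.netloc:
        raise ValueError(f"not an https Key Vault URL: {secret_id}")
    parts = [p for p in url.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "secrets":
        raise ValueError(f"not a secret identifier: {secret_id}")
    version = parts[2] if len(parts) > 2 else None
    if version is not None and not _VERSION_RE.fullmatch(version):
        raise ValueError(f"unexpected version format: {version}")
    return SecretRef(vault_host=url.netloc, name=parts[1], version=version)


def _walk(node) -> Iterator[dict]:
    """Yield every AzureKeyVaultSecret reference that carries a secretVersion."""
    if isinstance(node, dict):
        if node.get("type") == "AzureKeyVaultSecret" and node.get("secretVersion"):
            yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def find_pinned_references(linked_services_json: str) -> List[Tuple[str, str, str]]:
    """Return (linked service name, secret name, pinned version) for each
    version-pinned reference; name-only references are left alone."""
    pinned = []
    for ls in json.loads(linked_services_json):
        for ref in _walk(ls.get("properties", {})):
            pinned.append((ls["name"], ref["secretName"], ref["secretVersion"]))
    return pinned


# Constructed sample: one linked service pinned to a version, one by name only.
SAMPLE_LINKED_SERVICES = json.dumps([
    {"name": "LS_SqlDb", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "password": {"type": "AzureKeyVaultSecret",
                     "store": {"referenceName": "LS_KeyVault", "type": "LinkedServiceReference"},
                     "secretName": "sql-password",
                     "secretVersion": "0123456789abcdef0123456789abcdef"}}}},
    {"name": "LS_Blob", "properties": {"type": "AzureBlobStorage", "typeProperties": {
        "accountKey": {"type": "AzureKeyVaultSecret",
                       "store": {"referenceName": "LS_KeyVault", "type": "LinkedServiceReference"},
                       "secretName": "storage-key"}}}},
])

if __name__ == "__main__":
    for ls_name, secret, version in find_pinned_references(SAMPLE_LINKED_SERVICES):
        print(f"{ls_name}: secret '{secret}' is pinned to version {version}; "
              "it will not resolve after the secret is recreated in the target vault")
    ref = parse_secret_id("https://prodvault.vault.azure.net/secrets/sql-password")
    print(f"{ref.name}: pinned={ref.pinned}")
```

Run it against an export of your real linked-service definitions (for example the JSON from the factory's Git-integrated repository) in place of the constructed sample; anything the audit lists needs its version dropped, or updated to the new vault's version, before the base URL is switched to the target vault.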
