26570489 asked · shashishailaj edited · 0 Votes

No Permission to copy keys when using RBAC to replicate between sites

Hi!
I am trying to copy keys from one vault to another to be able to decrypt disks in case we need to use Site Recovery.
I am using the following method:
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms
but I can't set permissions according to the guide since we are using RBAC.
I am able to authenticate and choose which servers and which vault the keys should be moved from and to.


My account has the Key Vault Administrator role on both vaults, but when I run copy-keys.ps1 I get the following error:

User with user id: XXX does not have access to the key vault XXX. Permitted object ids include - XXX

Tags: azure-key-vault, azure-site-recovery, azure-rbac

sikumars answered · 1 Vote

Hello @26570489,

Thanks for reaching out.

I dug into this issue and found that the CopyKeys script relies completely on the Set-AzKeyVaultAccessPolicy cmdlet, which belongs to the access policy model, so the above error is expected when Azure Key Vault is used with the Azure RBAC permission model instead of the access policy model.

Here is similar issue reported at GitHub : https://github.com/MicrosoftDocs/azure-docs/issues/78351

Just wondering what happens when you try with an account which has the Key Vault Administrator role along with the Key Vault Contributor role. Please let us know the outcome. Thanks!

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

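For anyone hitting the same wall, the following is an added PowerShell example, not the CopyKeys script and not code from this thread. It shows how to confirm which permission model each vault actually uses (the EnableRbacAuthorization property), which RBAC roles the signed-in user holds at vault scope, and how to replicate the Azure Disk Encryption (ADE) BEK secrets and an optional KEK between two RBAC-mode vaults using only Az.KeyVault data-plane cmdlets, which honour RBAC role assignments rather than access policies. The vault names, the KEK name and the backup directory are placeholders (assumptions); the ADE content types 'BEK' / 'Wrapped BEK' and the tag names in the comments come from ADE's secret format, not from this thread.

```powershell
# Added example, not the CopyKeys script. Replicates Azure Disk Encryption
# (ADE) secrets/keys between two vaults that use the Azure RBAC permission
# model, using only cmdlets that honour RBAC role assignments.
# Assumptions: vault names and the KEK name are placeholders; the signed-in
# user holds Key Vault Administrator (a data-plane role) on both vaults.
#Requires -Modules Az.Accounts, Az.KeyVault, Az.Resources

param(
    [string]$SourceVault = 'kv-source-placeholder',   # assumption
    [string]$TargetVault = 'kv-target-placeholder',   # assumption
    [string]$KekName     = '',                        # assumption: set if the disks use a KEK
    [string]$BackupDir   = $env:TEMP
)

Connect-AzAccount | Out-Null
$signInName = (Get-AzContext).Account.Id

foreach ($name in @($SourceVault, $TargetVault)) {
    # 1. Pre-flight: confirm the permission model of each vault. When
    #    EnableRbacAuthorization is $false the vault uses access policies and
    #    the documented CopyKeys script applies; when $true, access-policy
    #    cmdlets such as Set-AzKeyVaultAccessPolicy cannot grant anything.
    $vault = Get-AzKeyVault -VaultName $name
    if (-not $vault) { throw "Vault '$name' not found in the current context." }
    '{0}: EnableRbacAuthorization = {1}' -f $name, $vault.EnableRbacAuthorization

    # 2. Pre-flight: list RBAC roles the signed-in user holds at vault scope.
    #    Key Vault Administrator grants data-plane access to keys and secrets;
    #    Key Vault Contributor is management-plane only and grants none.
    $roles = Get-AzRoleAssignment -SignInName $signInName -Scope $vault.ResourceId |
        Select-Object -ExpandProperty RoleDefinitionName -Unique
    '{0}: roles for {1} = {2}' -f $name, $signInName, ($roles -join ', ')
    if ($roles -notcontains 'Key Vault Administrator') {
        Write-Warning "$signInName lacks Key Vault Administrator on $name; data-plane calls below may fail."
    }
}

# 3. Copy every ADE BEK secret. ADE stores the disk key as a secret with
#    content type 'BEK' (no KEK) or 'Wrapped BEK' (KEK in use) and tags such
#    as DiskEncryptionKeyFileName and MachineName; name, content type and
#    tags are preserved so the target vault entry is usable after failover.
$bekSecrets = Get-AzKeyVaultSecret -VaultName $SourceVault |
    Where-Object { $_.ContentType -match 'BEK' }

foreach ($s in $bekSecrets) {
    $plain  = Get-AzKeyVaultSecret -VaultName $SourceVault -Name $s.Name -AsPlainText
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $tags   = if ($s.Tags) { $s.Tags } else { @{} }
    Set-AzKeyVaultSecret -VaultName $TargetVault -Name $s.Name -SecretValue $secure `
        -ContentType $s.ContentType -Tag $tags | Out-Null
    Remove-Variable plain, secure   # do not keep the plaintext BEK around
    'Copied secret {0} -> {1}' -f $s.Name, $TargetVault
}

# 4. Optional: copy the KEK by backup/restore. Restore-AzKeyVaultKey only
#    works into a vault in the same subscription and Azure geography; across
#    geographies you must create a new KEK in the target vault instead.
if ($KekName) {
    $blob = Join-Path $BackupDir "$KekName.kvbackup"
    Backup-AzKeyVaultKey  -VaultName $SourceVault -Name $KekName -OutputFile $blob -Force | Out-Null
    Restore-AzKeyVaultKey -VaultName $TargetVault -InputFile $blob | Out-Null
    Remove-Item $blob -Force
    'Copied key {0} -> {1}' -f $KekName, $TargetVault
}
```

Two caveats a practitioner should keep in mind: a 'Wrapped BEK' secret's tags still reference the source KEK URL, and this script changes nothing on the Site Recovery side, so the target vault still has to be selected in the enable-replication flow from the linked doc. Also, if the pre-flight step shows EnableRbacAuthorization = False on either vault, the RBAC role assignments are irrelevant for that vault and the documented CopyKeys script is the right tool.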

26570489 answered · sikumars commented · 0 Votes

Hi @sikumars-msft!
Thanks for answering.

With both roles, Key Vault Administrator and Key Vault Contributor, I still get the same error unfortunately:

Starting CopyKeys for UserId: XXX, UserPrincipalName: XXX

WARNING: CopyKeys not completed for XXX - XXX_OsDisk_1_XXX

CopyKeys failed for XXX - XXX_OsDisk_1_XXX with -

User with user id: XXX does not have access to the key vault XXX. Permitted object ids include - XXX.
At C:\Users\User\Desktop\keys.ps1:1569 char:5
+     throw [Errors]::UserMissingAccess($UserId, $KeyVaultName, $Access ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (User with user ...4-49166cc63316.:String) [], RuntimeException
    + FullyQualifiedErrorId : User with user id: XXX does not have access to the key vault XXX. Permitted object ids include - XXX


Thanks for the update.

This issue has been reported to the Azure Site Recovery team; meanwhile you can track it on GitHub: https://github.com/MicrosoftDocs/azure-docs/issues/78351 . Thanks.

I would request you to "Accept the answer" so that this will help us and others in the community as well.

sikumars answered · 1 Vote

Hello @26570489,

This issue has been reported to the Azure Site Recovery team; meanwhile you can track it on GitHub: https://github.com/MicrosoftDocs/azure-docs/issues/78351 . Thanks.

I would request you to "Accept the answer" so that this will help us and others in the community as well.
