Amjadnagori-3172 asked ValentineMasina-5471 answered

Getting "Caller needs data action" while enabling Azure Disk Encryption on Windows VM.

Hello All,

I am getting the below error while trying to enable Azure Disk Encryption for my VM. I tried recreating both the VM and the Key Vault, but I am still getting the same issue.

I do have full rights in the Key Vault access policy, and it is also enabled for Azure VM encryption, but I am still getting this error.

[screenshot of the error attached: image.png]

Tags: azure-virtual-machines, azure-key-vault, azure-disk-encryption

Can you please confirm that you have been assigned the role as "Owner" for the subscription you are using? Let me know and I can further investigate. Thanks.

TravisCragg-MSFT answered

This error is most likely an issue with your permissions, as stated. Key Vault permissions are strange, as there are roles that will allow you to create and delete Key Vaults but not access the keys inside of them.

The error you are getting is on listing the keys inside of a Key Vault, so it sounds like this is the case. Try adding yourself to the "Key Vault Reader" and "Key Vault Administrator" roles on your Key Vault and try this again.

If that does not work, the next step will be to work with support.


karishmatiwari-msft answered

Can you please confirm that you have been assigned the role as "Owner" for the subscription you are using?

We have seen this issue occur when the user has the 'Service Administrator' role instead of the 'Owner' role. Unfortunately, the Service Administrator role does not support changing the permission model, as mentioned in the document below:
https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

Let me know and if this is not the reason, I can further investigate. Thanks.

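The two answers above describe the same root cause from two angles: the error is raised on a Key Vault data action (listing keys), and neither a control-plane role on the vault nor the classic Service Administrator role grants that. The Az PowerShell script below is an added example, not code from the thread or from Microsoft. It assumes an existing vault and Windows VM (the names `rg-ade-demo`, `kv-ade-demo` and `vm-win-demo` are placeholders), the Az.Accounts, Az.KeyVault, Az.Resources and Az.Compute modules, and that `Connect-AzAccount` has already been run as the user who will enable encryption. It checks which permission model the vault uses, grants the matching data-plane permission, verifies that listing keys now works (waiting out RBAC propagation), and only then enables Azure Disk Encryption.

```powershell
# Added example, not from the original thread. Placeholder names; adjust for your environment.
$rg    = "rg-ade-demo"     # assumption: resource group containing the vault and the VM
$vault = "kv-ade-demo"     # assumption: Key Vault name
$vm    = "vm-win-demo"     # assumption: Windows VM name

$upn = (Get-AzContext).Account.Id
$kv  = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
if (-not $kv) { throw "Key Vault '$vault' not found in resource group '$rg'." }

# 1. ADE requires the vault to be enabled for disk encryption, whichever permission model it uses.
if (-not $kv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -EnabledForDiskEncryption
}

# 2. Control plane vs data plane. Owner/Contributor on the vault resource lets you manage the
#    vault itself; listing keys is a data action and needs either a Key Vault data-plane RBAC
#    role (RBAC permission model) or a key permission on an access policy (legacy model).
if ($kv.EnableRbacAuthorization) {
    $dataRoles = @("Key Vault Administrator", "Key Vault Crypto Officer", "Key Vault Reader")
    $assigned  = Get-AzRoleAssignment -SignInName $upn -Scope $kv.ResourceId -ExpandPrincipalGroups |
                 Where-Object { $_.RoleDefinitionName -in $dataRoles }
    if (-not $assigned) {
        # Creating the assignment needs Microsoft.Authorization/roleAssignments/write at this
        # scope (Owner or User Access Administrator); the classic Service Administrator role
        # alone does not provide it, which matches the thread's observation.
        New-AzRoleAssignment -SignInName $upn -RoleDefinitionName "Key Vault Administrator" `
                             -Scope $kv.ResourceId | Out-Null
        Write-Host "Assigned 'Key Vault Administrator' to $upn on $($kv.ResourceId)"
    }
} else {
    $oid    = (Get-AzADUser -UserPrincipalName $upn).Id
    $policy = $kv.AccessPolicies | Where-Object { $_.ObjectId -eq $oid }
    if (-not $policy -or -not ($policy.PermissionsToKeys -contains "list")) {
        # Least privilege for an ADE operator with a key encryption key: read/list the keys and
        # wrap/unwrap with them. Drop create if the KEK already exists.
        Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -ObjectId $oid `
                                   -PermissionsToKeys get,list,create,wrapKey,unwrapKey
        Write-Host "Granted key permissions to $upn via access policy on $vault"
    }
}

# 3. Prove the data action works before touching the VM. New RBAC assignments can take a few
#    minutes to propagate, so retry instead of failing on the first denial.
$canListKeys = $false
for ($attempt = 1; $attempt -le 10 -and -not $canListKeys; $attempt++) {
    try {
        Get-AzKeyVaultKey -VaultName $vault -ErrorAction Stop | Out-Null
        $canListKeys = $true
    } catch {
        Write-Host "Attempt ${attempt}: listing keys denied ($($_.Exception.Message)); waiting 30 s"
        Start-Sleep -Seconds 30
    }
}
if (-not $canListKeys) {
    throw "Still cannot list keys in '$vault' as $upn. Fix the data-plane permission before enabling ADE."
}

# 4. Enable Azure Disk Encryption on the Windows VM and report the resulting status.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
```

Step 3 is the part worth keeping even if you assign roles in the portal: the portal's "Caller needs data action" message is exactly what `Get-AzKeyVaultKey` surfaces when the caller holds only control-plane rights, so running the listing as the same identity that will click "Enable" tells you whether the fix has landed before you start the encryption extension.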

ValentineMasina-5471 answered

Thanks to karishmatiwari for the heads-up. Please pass this on to the Azure design team. Why are we, by default, only service administrators on the Key Vault service? The Owner role by default makes sense, because all Key Vault permissions are needed by the one who creates the service, especially if you are the account owner.
