I did the following things to create an Azure Data Lake Store account and then try to enable a key vault for it:
New-AzDataLakeStoreAccount -ResourceGroupName TestRG -Name TestDLSA -Location "East US 2"
Enable-AzureRmDataLakeStoreKeyVault -Account TestDLSA
And received the following error:
Enable-AzureRmDataLakeStoreKeyVault : Operation EnableKeyVault is invalid under current encryption state or config of account.
What do I need to do to be able to correctly run Enable-AzureRmDataLakeStoreKeyVault on my Azure Data Lake Store account?
When you create the dls, you need to pass the parameters as below. Otherwise, it creates the dls with Service managed encryption, i.e. -Encryption ServiceManaged.
New-AzDataLakeStoreAccount -ResourceGroupName <RG-name> -Name joydls -Location "East US 2" -Encryption UserManaged -KeyVaultId "<keyvault-resource-id>" -KeyName "testkey" -KeyVersion "444243d9xxxx8db2303d1"
To enable a user managed Key Vault for encryption, the service principal created automatically along with your dls needs permission to access the key in your key vault, so we need to configure the access policy for that service principal. Run the commands below after creating the dls, then it will work fine.
$ObjectId = (Get-AzDataLakeStoreAccount -ResourceGroupName <RG-name> -Name joydls).Identity.PrincipalId
Set-AzKeyVaultAccessPolicy -ResourceGroupName <RG-name> -VaultName joykeyvault -ObjectId $ObjectId -PermissionsToKeys encrypt,decrypt,get
Enable-AzDataLakeStoreKeyVault -Name "joydls"
Check in the portal:
Besides, I notice you are using the new Az module mixed with the old AzureRm module; please don't do this, sometimes it will cause an error. I recommend you just use the Az module (Enable-AzDataLakeStoreKeyVault), because the AzureRm module has been deprecated and will not be updated.
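The same procedure as one script, added here as an example rather than taken from the question or answer: it creates the account with user-managed encryption from the start, grants the account's identity only the key permissions it needs, and verifies both the encryption type and the access policy before calling the enable cmdlet. It assumes the Az module is installed and you are already signed in; the vault name and key version are placeholders.

```powershell
# Added example, not code from the original post. Assumes Az module + Connect-AzAccount.
$ResourceGroup = "TestRG"
$AccountName   = "TestDLSA"
$VaultName     = "<keyvault-name>"   # placeholder
$KeyName       = "testkey"
$KeyVersion    = "<key-version>"     # placeholder

# 1. Create the account with user-managed encryption up front. An account created with
#    the default (ServiceManaged) cannot be switched afterwards, which is what produces
#    "Operation EnableKeyVault is invalid under current encryption state or config of account".
$vault   = Get-AzKeyVault -ResourceGroupName $ResourceGroup -VaultName $VaultName
$account = New-AzDataLakeStoreAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
    -Location "East US 2" -Encryption UserManaged -KeyVaultId $vault.ResourceId `
    -KeyName $KeyName -KeyVersion $KeyVersion

# 2. Confirm the encryption configuration before going any further.
if ($account.EncryptionConfig.Type -ne "UserManaged") {
    throw "Account $AccountName uses $($account.EncryptionConfig.Type) encryption; recreate it with -Encryption UserManaged."
}

# 3. Grant the account's system-assigned identity the minimum key permissions (least privilege).
$principalId = $account.Identity.PrincipalId
if (-not $principalId) { throw "Account $AccountName has no managed identity principal id yet." }
Set-AzKeyVaultAccessPolicy -ResourceGroupName $ResourceGroup -VaultName $VaultName `
    -ObjectId $principalId -PermissionsToKeys encrypt, decrypt, get

# 4. Verify the policy actually landed on the vault before enabling.
$policy  = (Get-AzKeyVault -ResourceGroupName $ResourceGroup -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $principalId }
$missing = @("encrypt", "decrypt", "get") | Where-Object { $policy.PermissionsToKeys -notcontains $_ }
if ($missing) { throw "Access policy is missing key permissions: $($missing -join ', ')" }

# 5. Enable the key vault for the account using the Az cmdlet only (no AzureRm mixing).
Enable-AzDataLakeStoreKeyVault -ResourceGroupName $ResourceGroup -Name $AccountName
```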