I have the Synapse workspace Bicep code below and am trying to add double encryption, but I am currently getting the error below.
key: {
name: 'default'
keyVaultUrl: 'https://my-kv.vault.azure.net/keys/key-name'
}
Could not perform a 'Get' operation on the workspace encryption key. Make sure that the secret identifier is a valid key url and the workspace Managed Identity has 'Get', 'WrapKey' and 'UnwrapKey' access to the KeyVault through the KeyVault's Access Policies or through RBAC. (Code: CustomerManagedKeyPermissionMissing)
I checked the managed identity and granted it the Key Vault Administrator role as well as the Key Vault Crypto User role. I am unsure what the issue could be and whether what I am trying to achieve is actually possible.
The page at https://learn.microsoft.com/en-us/answers/questions/729412/arm-deployment-of-synapse-analytics-with-cmk suggests that this may not work when behind a firewall. In my case, the whole environment is behind a private endpoint.
// Synapse workspace encrypted with a customer-managed key (CMK) whose key-encryption
// key is accessed through a user-assigned identity. Network exposure is private-only
// (publicNetworkAccess 'Disabled', managed VNet 'default').
resource create_synapse_workspace 'Microsoft.Synapse/workspaces@2021-06-01' = {
  name: synapse_workspace_name
  location: location
  tags: my_tags
  identity: {
    // Both identity kinds are attached, but the CMK block below sets
    // useSystemAssignedIdentity: false, so the Key Vault permissions
    // (Get, WrapKey, UnwrapKey) have to be granted to the user-assigned identity,
    // not to the workspace's system-assigned principal.
    type: 'SystemAssigned,UserAssigned'
    userAssignedIdentities: {
      '${synapse_identity.id}': {}
    }
  }
  properties: {
    publicNetworkAccess: 'Disabled'
    trustedServiceBypassEnabled: false
    managedVirtualNetwork: 'default'
    managedVirtualNetworkSettings: {
      // NOTE(review): exfiltration protection is off while a managed VNet is in use;
      // if that is deliberate, record the reason alongside this module.
      preventDataExfiltration: false
    }
    managedResourceGroupName: null
    privateEndpointConnections: []
    defaultDataLakeStorage: {
      accountUrl: accountURL
      filesystem: filesystem
      createManagedPrivateEndpoint: false
    }
    // NOTE(review): adminpassword should be a @secure() parameter (or a Key Vault
    // reference) so the value is not written to deployment history — confirm its declaration.
    sqlAdministratorLogin: adminaccount
    sqlAdministratorLoginPassword: adminpassword
    encryption: {
      cmk: {
        kekIdentity: {
          // NOTE(review): `mi` must be the resource id of an identity that also appears
          // in identity.userAssignedIdentities above (synapse_identity.id). If it resolves
          // to a different identity, or that identity lacks Get/WrapKey/UnwrapKey on the
          // vault, the CustomerManagedKeyPermissionMissing error is expected — confirm.
          userAssignedIdentity: mi
          useSystemAssignedIdentity: false
        }
        key: {
          name: 'default'
          // NOTE(review): hard-coded vault URL; prefer a parameter or a reference to the
          // key resource so the template is environment-agnostic. If the vault accepts
          // private-endpoint traffic only, the deployment-time key lookup is made by the
          // Synapse service rather than from inside the VNet — verify the vault's
          // trusted-services bypass / network settings allow it.
          keyVaultUrl: 'https://my-kv.vault.azure.net/keys/key-name'
        }
      }
    }
    workspaceRepositoryConfiguration: {
      type: type
      accountName: account_name
      repositoryName: repo
      collaborationBranch: branch
      rootFolder: folder
    }
  }
}