I am attempting to create an Azure Container Registry using Bicep. This registry must use Customer Managed Encryption keys. The ACR fails to get created with the encryption enabled.
The keyvault, identity, role assignments, and even the key get created, but it fails to create the Container Registry:
```text
Invalid KeyId ‘/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/mykeyvaultname/keys/key-mycontainerregistry’ specified in encryption property for registry ‘mycontainerregistry’
(Code: IdentitiesClientError)
```
I’ve double checked that all the params related to the identity that are passed into the ACR module match the identity defined in Azure (Resource ID and Client ID).
This creates the KeyVault:

```bicep
// 'environment' is referenced in the tags below, so the module needs the parameter.
param environment string
param azureRegion string
param tenantId string

var keyVaultName = 'mykeyvaultname'

@description('Set up a key vault')
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: azureRegion
  tags: {
    client: 'qPlatform'
    dataclassification: 'Confidential'
    businesscriticality: 'Mission-critical'
    environment: environment
  }
  properties: {
    tenantId: tenantId
    sku: {
      family: 'A'
      name: 'premium'
    }
    enabledForDiskEncryption: true
    enabledForTemplateDeployment: true
    enabledForDeployment: true
    enablePurgeProtection: true
    enableSoftDelete: true
    enableRbacAuthorization: true
    publicNetworkAccess: 'Enabled'
    softDeleteRetentionInDays: 90
  }
}

output keyVaultName string = keyVault.name
output keyVaultId string = keyVault.id
```
We have a user-assigned identity that we grant the key vault permissions to:

```bicep
param containerRegistryManagedIdentityName string
param keyVaultName string

@description('Get the existing KeyVault reference')
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

@description('This is the built-in Key Vault Crypto User role.')
resource keyVaultCryptoUserRoleRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  scope: subscription()
  name: '12338af0-0e69-4776-bea7-57ae8d297424'
}

@description('Get the existing managed identity for the container registry')
resource containerRegistryManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
  name: containerRegistryManagedIdentityName
  scope: resourceGroup()
}

@description('Grant the container registry identity the Key Vault Crypto User role over the key vault.')
resource storageKeyVaultCryptoUserRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: keyVault
  name: guid(keyVault.id, containerRegistryManagedIdentity.id, keyVaultCryptoUserRoleRoleDefinition.id)
  properties: {
    roleDefinitionId: keyVaultCryptoUserRoleRoleDefinition.id
    principalId: containerRegistryManagedIdentity.properties.principalId
  }
}
```
This is the container registry definition, where we create the encryption key in the vault and use the user-assigned identity:

```bicep
param environment string
param azureRegion string
param sku string = 'Premium'
param keyVaultName string
param identityClientId string
param identityId string

var name = 'mycontainerregistry'

resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
  name: keyVaultName
}

var keyName = 'key-${name}'

resource key 'Microsoft.KeyVault/vaults/keys@2019-09-01' = {
  name: keyName
  parent: keyVault
  properties: {
    attributes: {
      enabled: true
    }
    keySize: 2048
    kty: 'RSA'
  }
}

resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
  name: name
  location: azureRegion
  tags: {
    client: 'qPlatform'
    dataclassification: 'Confidential'
    businesscriticality: 'High'
    environment: environment
  }
  sku: {
    name: sku
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identityId}': {}
    }
  }
  properties: {
    adminUserEnabled: true
    encryption: {
      keyVaultProperties: {
        identity: identityClientId
        keyIdentifier: key.id
      }
      status: 'enabled'
    }
  }
}
```
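The error quotes a `/subscriptions/.../keys/...` path, which is the ARM resource ID that `key.id` returns; ACR's `keyIdentifier` expects the Key Vault key URI (`https://<vault>.vault.azure.net/keys/<name>/<version>`), which the key resource exposes as `properties.keyUriWithVersion` (or the versionless `properties.keyUri`). The registry module below is an added example rewritten with that change, not the asker's code; it reuses the parameter names from the question and also turns the admin user off, since the identity-based pull path is the one worth keeping.

```bicep
param environment string
param azureRegion string
param keyVaultName string
param identityClientId string // client ID of the user-assigned identity
param identityId string       // resource ID of the user-assigned identity

var name = 'mycontainerregistry'
var keyName = 'key-${name}'

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource key 'Microsoft.KeyVault/vaults/keys@2019-09-01' = {
  name: keyName
  parent: keyVault
  properties: {
    attributes: {
      enabled: true
    }
    keySize: 2048
    kty: 'RSA'
  }
}

resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
  name: name
  location: azureRegion
  tags: {
    environment: environment
  }
  sku: {
    name: 'Premium' // customer-managed keys require the Premium SKU
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identityId}': {}
    }
  }
  properties: {
    adminUserEnabled: false // prefer identity-based auth over the shared admin account
    encryption: {
      status: 'enabled'
      keyVaultProperties: {
        identity: identityClientId
        // Key Vault key URI, not key.id (the ARM resource ID that produced the error).
        // keyUriWithVersion pins one key version; properties.keyUri (versionless)
        // lets the registry follow new key versions when the key is rotated.
        keyIdentifier: key.properties.keyUriWithVersion
      }
    }
  }
}
```

Deploy this module after the role-assignment module has completed, since the registry performs wrap/unwrap with the identity at creation time and a role assignment that has not propagated yet produces a similar identity error. Key Vault Crypto User covers the get, wrapKey and unwrapKey operations the registry needs on the key.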