I am met with the following error details when investigating why an Azure encrypted VM backup failed, but the link provided with the error (https://learn.microsoft.com/en-in/azure/backup/backup-azure-vms-encryption) doesn't resolve my question: exactly which permissions should I grant? All it says is that "The required permissions are prefilled for Key permissions and Secret permissions." Well, that's not a lot of help! I had those permissions already set as default I thought, because I do have lots of backups/snapshots; obviously backups have been working in the past. If I am missing some permission now, is it a Key permission, or a Secret permission? It's not clear! I do see I have the following set up right now:
Key permissions:
    Key Management Operations: Get (checked), List (checked)
    Cryptographic Operations: Decrypt, Encrypt, Unwrap Key, Wrap Key, Verify, Sign
    Privileged Key Operations
Secret permissions:
    Secret Management Operations: Get (checked), List (checked), Set, Delete, Recover, Backup, Restore
    Privileged Secret Operations
Certificate permissions:
    Certificate Management Operations: Get, List
    Privileged Certificate Operations
Below is the error I see for my backup:
Error Code: UserErrorKeyVaultPermissionsNotConfigured
Error Message: Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines.
Recommended Action: Please grant the required permissions to the Azure Backup Service. Refer https://azure.microsoft.com/en-in/documentation/articles/backup-azure-vms-encryption/
Related Links: https://azure.microsoft.com/en-in/documentation/articles/backup-azure-vms-encryption
Here are the steps I took to correct this via http://portal.azure.com (I realize step 6 might be overkill as the Restore permission might be unnecessary here--but hey, this worked):
1. Search for "Key vaults".
2. Click on my key vault.
3. Click "Access policies".
4. Click "Backup Management Service".
5. Click on the Key permissions dropdown and uncheck all checkboxes.
6. Click on the Secret permissions dropdown and choose the Get, List, Backup, and Restore checkboxes.
7. Click OK.
8. Click Save back on the "Access policies" screen.
The last step above is important as missing it will cause your changes NOT to be saved. I wrote these steps up and followed them as influenced by a statement I found at https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-encryption that says, "If your VM is encrypted using BEK only, remove the selection for Key permissions since you only need permissions for secrets." It seems I have BEK--at least that's what my Secret Types are. And indeed, the above worked. The backups began to work again as of July 11th!
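The same change as the portal steps above, done with the Az PowerShell module so it can be scripted and verified afterwards. This is an added example, not code from the answer's author; it assumes an existing Connect-AzAccount session, a vault that uses the access-policy permission model (not RBAC), a BEK-only VM, and a placeholder vault name.

```powershell
# Added example (not from the original post). Assumes the Az module, an
# existing login, an access-policy vault and a BEK-only VM as in the answer.
$VaultName = 'my-key-vault'   # placeholder: replace with your vault name

# Resolve the same principal the answer selected under "Access policies".
$backupSp = Get-AzADServicePrincipal -DisplayName 'Backup Management Service'
if (-not $backupSp) { throw 'Backup Management Service principal not found in this tenant' }

# Drop the principal's existing entry (equivalent to unchecking every Key
# permission), then grant only the four Secret permissions the answer uses.
Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $backupSp.Id
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $backupSp.Id `
    -PermissionsToSecrets get, list, backup, restore

# Read back what was actually saved. Unlike the portal there is no separate
# "Save" step; each cmdlet commits immediately, so this confirms the result.
$policy = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $backupSp.Id }
$required = 'get', 'list', 'backup', 'restore'
$missing = $required | Where-Object { $policy.PermissionsToSecrets -notcontains $_ }
if ($missing) { throw "Backup service still lacks secret permissions: $($missing -join ', ')" }
if ($policy.PermissionsToKeys.Count -gt 0) {
    Write-Warning "Key permissions still present: $($policy.PermissionsToKeys -join ', ')"
}
Write-Output 'Backup Management Service access policy is set for BEK-only VM backup'
```

If the VM were encrypted with a KEK as well, the Key permissions would need to be kept rather than cleared, so the Remove step would not apply.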