Tags: azure, azure-cognitive-search, azure-keyvault

Unable to create an index/synonym map in Azure Cognitive Search with "Customer" managed encryption key option


I am trying to create an index/synonym map with encryption using the "Customer" managed key option; however, I am not able to do so.

I am constantly getting the following error back from the service:

Failed to verify account key (HTTP Status Code: 403).

Here's what my request body for the synonym map looks like:

{
    "name":"test",
    "format":"solr",
    "synonyms":"",
    "encryptionKey":
    {
        "keyVaultKeyName":"AzSearchKey2",
        "keyVaultKeyVersion":"02cc721e41654f079c173744313f24b0",
        "keyVaultUri":"https://mykeyvault.vault.azure.net"
    }
}

I have completely followed the instructions specified here: https://learn.microsoft.com/en-gb/azure/search/search-security-manage-encryption-keys.

Here's what I have done so far:

  • I created a search service with "Basic" SKU (as this functionality is not available in "Free" tier).

  • I went to the "Identity" section of my search service and assigned a managed identity to it.


  • I created a brand new Key Vault with the "Standard" tier and defined an access policy for the above-mentioned identity. I granted the necessary "Key" permissions ("Get", "Wrap Key", "Unwrap Key") to the Search Service, as mentioned in the documentation link above. This Key Vault is in the same region and resource group as the Search Service. The Key Vault also has "Soft Delete" and "Purge Protection" enabled.


  • I created a key and copied down the details (URI, key name and key version).


I believe I am doing everything that is mentioned in the documentation, so I am not sure what I am doing wrong.

The interesting thing is that I was able to do this without any problem yesterday with another search service and key vault.

My guess is that I am missing some minor detail. I would appreciate it if someone could point it out for me.

UPDATE

Big thanks to the Cognitive Search team for working with me on this. The error message I was getting was because of an issue with the code (I was returning a standard message whenever the service returned a 403 status code).

The service is still returning an error. The actual error message returned by the service is:

Could not use key vault key https://mykeyvault.vault.azure.net:443/keys/AzSearchKey2/02cc721e41654f079c173744313f24b0 
to wrap/unwrap the encryption key. The key vault key deletion-recovery level is insufficient. 
Soft-Delete and Purge Protection must be enabled on Key vault, see: https://aka.ms/key-vault-soft-delete

Solution

  • After following up privately with Gaurav, we came to the conclusion that it was due to the key retention period being too short (7 days retention instead of 90 days). We just updated the product code to support shorter retention periods (down to 7 days), and the patch will be deployed globally in the upcoming weeks. In the meantime, if you hit the same issue, please update your key retention policy to 90 days. You can recognize this error state if you receive the following message from Azure Search when creating an encrypted index or synonym map:

    DataPlaneApiException : Could not use key vault key (YOUR_KEY_URL) to wrap/unwrap the encryption key. The key vault key deletion-recovery level is insufficient. Soft-Delete and Purge Protection must be enabled on Key vault, see: https://aka.ms/key-vault-soft-delete.

    Thank you
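The answer above boils down to a pre-flight check that the docs do not spell out: before sending an `encryptionKey` block to Azure Cognitive Search, confirm that the vault has soft-delete and purge protection on, that its retention period is long enough (90 days per the answer, 7 once the mentioned patch reaches your region), and that the search service's identity actually holds get/wrapKey/unwrapKey on keys. The following is an added example, not code from the original post or from Microsoft. It works on JSON you have already saved with `az keyvault show --name <vault>` and `az search service show ... --query identity.principalId`, so it runs offline; the field names it reads (`properties.enableSoftDelete`, `properties.enablePurgeProtection`, `properties.softDeleteRetentionInDays`, `properties.accessPolicies[].objectId` / `.permissions.keys`) are assumed from that CLI output, and the principal ID and vault document below are constructed sample data reproducing the question's 7-day-retention state. It also shows how to turn the key identifier from the error message (with its `:443` port) into the `keyVaultUri` / `keyVaultKeyName` / `keyVaultKeyVersion` triple the request body needs.

```python
"""Pre-flight checks for Azure Cognitive Search customer-managed keys (CMK)
and construction of the encryptionKey block for an index / synonym map.

Added example (not from the original post or from Microsoft). It operates on
JSON already fetched with the Azure CLI, e.g.
    az keyvault show --name mykeyvault > vault.json
so it runs offline. Field names are assumed from `az keyvault show` output.
"""
from urllib.parse import urlsplit

# Key permissions the docs require for the search service identity (case-insensitive here).
REQUIRED_KEY_PERMISSIONS = {"get", "wrapkey", "unwrapkey"}


def encryption_key_from_key_id(key_id: str) -> dict:
    """Turn a versioned Key Vault key identifier such as
    https://mykeyvault.vault.azure.net/keys/AzSearchKey2/<version>
    into the encryptionKey object Azure Cognitive Search expects.
    Accepts the ':443' host form that appears in the service's error message."""
    parts = urlsplit(key_id)
    path = [p for p in parts.path.split("/") if p]
    if parts.scheme != "https" or len(path) != 3 or path[0] != "keys":
        raise ValueError(f"not a versioned Key Vault key identifier: {key_id}")
    _, name, version = path
    return {
        "keyVaultKeyName": name,
        "keyVaultKeyVersion": version,
        "keyVaultUri": f"https://{parts.hostname}",  # hostname drops an explicit port
    }


def synonym_map_request(name: str, key_id: str, synonyms: str = "") -> dict:
    """Request body for PUT/POST synonymmaps with a customer-managed key."""
    return {
        "name": name,
        "format": "solr",
        "synonyms": synonyms,
        "encryptionKey": encryption_key_from_key_id(key_id),
    }


def check_vault_for_cmk(vault: dict, search_principal_id: str,
                        min_retention_days: int = 90) -> list:
    """Return a list of problems; an empty list means the vault is usable as a CMK source.

    `vault` is the object returned by `az keyvault show` (field names assumed).
    `min_retention_days` defaults to 90, the value recommended in the answer above;
    lower it to 7 once the service patch mentioned there is deployed in your region.
    """
    props = vault.get("properties", {})
    problems = []
    if not props.get("enableSoftDelete"):
        problems.append("soft-delete is not enabled")
    if not props.get("enablePurgeProtection"):
        problems.append("purge protection is not enabled")
    retention = props.get("softDeleteRetentionInDays") or 0
    if retention < min_retention_days:
        problems.append(f"soft-delete retention is {retention} days, need >= {min_retention_days}")
    granted = set()
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId") == search_principal_id:
            granted |= {p.lower() for p in policy.get("permissions", {}).get("keys", [])}
    missing = REQUIRED_KEY_PERMISSIONS - granted
    if missing:
        problems.append(f"search identity {search_principal_id} lacks key permissions: {sorted(missing)}")
    return problems


# Constructed sample data: a made-up principal ID and a vault in the state the
# question describes (soft-delete and purge protection on, but only 7 days retention).
SEARCH_PRINCIPAL = "11111111-2222-3333-4444-555555555555"
VAULT_7_DAYS = {
    "name": "mykeyvault",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "softDeleteRetentionInDays": 7,
        "accessPolicies": [
            {"objectId": SEARCH_PRINCIPAL,
             "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}}
        ],
    },
}
KEY_ID = "https://mykeyvault.vault.azure.net:443/keys/AzSearchKey2/02cc721e41654f079c173744313f24b0"

if __name__ == "__main__":
    import json
    print("problems:", check_vault_for_cmk(VAULT_7_DAYS, SEARCH_PRINCIPAL))
    print(json.dumps(synonym_map_request("test", KEY_ID), indent=2))
```

Run the check against your real `vault.json` before creating the index; with the 90-day default it flags exactly the 7-day retention that produced the "deletion-recovery level is insufficient" error, and passing `min_retention_days=7` shows what the service will accept after the patch. Note that the check reads the access policy only; if your vault uses Azure RBAC instead of access policies, the permission part of this check does not apply.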