You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This article describes how to identify and resolve Azure Key Vault key access issues that caused a database configured to use [transparent data encryption (TDE) with customer-managed keys in Azure Key Vault](/azure/sql-database/transparent-data-encryption-byok-azure-sql) to become inaccessible.
23
23
24
24
## Introduction
25
-
When TDE is configured to use a customer-managed key in Azure Key Vault, continuous access to this TDE Protector is required for the database to stay online. If the logical SQL server loses access to the customer-managed TDE protector in Azure Key Vault, a database will start denying all connections with the appropriate error message and change its state to *Inaccessible* in the Azure portal.
25
+
When TDE is configured to use a customer-managed key in Azure Key Vault, continuous access to this TDE Protector is required for the database to stay online. If the logical SQL server or managed instance loses access to the customer-managed TDE protector in Azure Key Vault, a database will start denying all connections with the appropriate error message and change its state to *Inaccessible* in the Azure portal.
26
26
27
-
For the first 8 hours, if the underlying Azure key vault key access issue is resolved, the database will auto-heal and come online automatically. This means that for all intermittent and temporary network outage scenarios, no user action is required, and the database will come online automatically. In most cases, user action is required to resolve the underlying key vault key access issue.
27
+
For the first 30 minutes, if the underlying Azure key vault key access issue is resolved, the database will auto-heal and come online automatically. This means that for all intermittent and temporary network outage scenarios, no user action is required, and the database will come online automatically. In most cases, user action is required to resolve the underlying key vault key access issue.
28
28
29
29
If an inaccessible database is no longer needed, it can be deleted immediately to stop incurring costs. All other actions on the database are not permitted until access to the Azure key vault key has been restored and the database is back online. Changing the TDE option from customer-managed to service-managed keys on the server is also not possible while a database encrypted with customer-managed keys is inaccessible. This is necessary to protect the data from unauthorized access while permissions to the TDE Protector have been revoked.
30
30
31
-
After a database has been inaccessible for more than 8 hours, it will no longer auto-heal. If the required Azure key vault key access has been restored after that period, you must re-validate the access to the key manually, to bring the database back online. Bringing the database back online in this case can take a significant amount of time depending on the size of the database. Once the database is back online, previously configured settings such as [failover group](/azure/sql-database/sql-database-auto-failover-group), PITR history, and any tags **will be lost**. Therefore, we recommend implementing a notification system using [Action Groups](/azure/azure-monitor/platform/action-groups) that allows to become aware of and address the underlying key vault key access issues as soon as possible.
31
+
After a database has been inaccessible for more than 30 minutes, it will no longer auto-heal. If the required Azure key vault key access has been restored after that period, you must re-validate the access to the key manually, to bring the database back online. Bringing the database back online in this case can take a significant amount of time depending on the size of the database. Once the database is back online, previously configured settings such as [failover group](/azure/sql-database/sql-database-auto-failover-group), PITR history, and any tags **will be lost**. Therefore, we recommend implementing a notification system using [Action Groups](/azure/azure-monitor/platform/action-groups) that allows to become aware of and address the underlying key vault key access issues as soon as possible.
32
32
33
33
## Common errors causing databases to become inaccessible
34
34
@@ -43,10 +43,10 @@ Most issues that occur when you use TDE with Key Vault are caused by one of the
43
43
### No permissions to access the key vault or the key doesn't exist
44
44
45
45
- The key was accidentally deleted, disabled or the key expired.
46
-
- The logical SQL Server instance AppId was accidentally deleted.
47
-
- The logical SQL Server instance was moved to a different subscription. A new AppId must be created if the logical server is moved to a different subscription.
48
-
- Permissions granted to the AppId for the keys aren't sufficient (they don't include Get, Wrap, and Unwrap).
49
-
- Permissions for the logical SQL Server instance AppId were revoked.
46
+
- The server's managed identity (system-assigned or user-assigned) was accidentally deleted.
47
+
- The server was moved to a different subscription. A new managed identity (system-assigned or user-assigned) must be assigned to the server when it is moved to a different subscription.
48
+
- Permissions granted to the server's managed identity for the keys aren't sufficient (they don't include Get, Wrap, and Unwrap permissions).
49
+
- Permissions for the server's managed identity were revoked from the key vault.
50
50
51
51
## Identify and resolve common errors
52
52
@@ -56,21 +56,21 @@ In this section, we list troubleshooting steps for the most common errors.
56
56
57
57
**Error message**
58
58
59
-
_401 AzureKeyVaultNoServerIdentity - The server identity is not correctly configured on server. Please contact support._
59
+
_401 AzureKeyVaultNoServerIdentity - The server identity is not correctly configured on server. Please contact support.
60
60
61
61
**Detection**
62
62
63
-
Use the following cmdlet or command to ensure that an identity has been assigned to the logical SQL Server instance:
63
+
Use the following cmdlet or command to ensure that an identity has been assigned to the server:
Use the following cmdlet or command to configure an Azure AD identity (an AppId) for the logical SQL Server instance:
71
+
Use the following cmdlet or command to configure an Azure AD identity for the server:
72
72
73
-
- Azure PowerShell: [Set-AzureRmSqlServer](/powershell/module/azurerm.sql/set-azurermsqlserver) with the `-AssignIdentity` option.
73
+
- Azure PowerShell: [Set-AzSqlServer](/powershell/module/az.sql/set-azsqlserver) with the `-AssignIdentity` option.
74
74
75
75
- Azure CLI: [az sql server update](/cli/azure/sql/server#az_sql_server_update) with the `--assign_identity` option.
76
76
@@ -82,7 +82,7 @@ In the Azure portal, go to the key vault, and then go to **Access policies**. Co
82
82
To learn more, see [Assign an Azure AD identity to your server](/azure/sql-database/transparent-data-encryption-byok-azure-sql-configure#assign-an-azure-ad-identity-to-your-server).
83
83
84
84
> [!IMPORTANT]
85
-
> If the logical SQL Server instance was moved to a new tenant after the initial configuration of TDE with Key Vault, repeat the step to configure the Azure AD identity to create a new AppId. Then, add the AppId to the key vault and assign the correct permissions to the key.
85
+
> If the logical SQL Server or managed instance was moved to a new tenant after the initial configuration of TDE with Key Vault, repeat the step to configure the Azure AD identity to assign a new managed identity (system-assigned or user-assigned) to the server. Then, add the managed identity to the key vault and assign the correct permissions to the key.
86
86
>
87
87
88
88
### Missing key vault
@@ -95,9 +95,9 @@ _503 AzureKeyVaultConnectionFailed - The operation could not be completed on the
95
95
96
96
To identify the key URI and the key vault:
97
97
98
-
1. Use the following cmdlet or command to get the key URI of a specific logical SQL Server instance:
98
+
1. Use the following cmdlet or command to get the key URI of a specific server instance:
@@ -111,7 +111,7 @@ To identify the key URI and the key vault:
111
111
112
112
Confirm that the key vault is available:
113
113
114
-
- Ensure that the key vault is available and that the logical SQL Server instance has access.
114
+
- Ensure that the key vault is available and that the server has access.
115
115
- If the key vault is behind a firewall, ensure that the check box to allow Microsoft services to access the key vault is selected.
116
116
- If the key vault has been accidentally deleted, you must complete the configuration from the start.
117
117
@@ -151,86 +151,115 @@ To identify the key URI and key vault:
151
151
152
152
**Mitigation**
153
153
154
-
Confirm that the logical SQL Server instance has permissions to the key vault and the correct permissions to access the key:
154
+
Confirm that the server has permissions to the key vault and the correct permissions to access the key:
155
155
156
-
- In the Azure portal, go to the key vault > **Access policies**. Find the logical SQL Server instance AppId.
157
-
- If the AppId is present, ensure that the AppID has the following key permissions: Get, Wrap, and Unwrap.
158
-
- If the AppId isn't present, add it by using the **Add New** button.
156
+
- In the Azure portal, go to the key vault > **Access policies**. Find the server's managed identity (system-assigned or user-assigned).
157
+
- If the server identity is present, ensure that it has the following key permissions: Get, WrapKey, and UnwrapKey.
158
+
- If the server identity isn't present, add it by using the **Add New** button.
159
159
160
160
## Getting TDE status from the Activity log
161
161
162
-
To allow for monitoring of the database status due to Azure Key Vault key access issues, the following events will be logged to the [Activity Log](/azure/service-health/alerts-activity-log-service-notifications) for the resource ID based on the Azure Resource Manager URL and Subscription+ResourceGroup+ServerName+DatabaseName:
162
+
To allow for monitoring of the database status due to Azure Key Vault key access issues, the following events will be logged to the [Activity Log](/azure/service-health/alerts-activity-log-service-notifications) for the resource ID based on the Azure Resource Manager URL.
163
+
164
+
> [!NOTE]
165
+
> Events may take at least 15-30 mins to appear in the Activity Log from the time key vault access issue occurs.
163
166
164
167
**Event when the service loses access to the Azure Key Vault key**
165
168
166
-
EventName: MakeDatabaseInaccessible
169
+
**Azure SQL Database**
170
+
171
+
EventName: MakeDatabaseInaccessible
167
172
168
173
Status: Started
169
174
170
-
Description: Database has lost access to Azure key vault key and is now inaccessible: \<error message\>
175
+
Description: Database {database_name} on Server {server_name} has lost access to Azure Key Vault Key and is now transitioning to inaccessible state.
176
+
177
+
**Azure SQL Managed Instance**
171
178
172
-
179
+
EventName: MakeManagedDatabaseInaccessible
173
180
174
-
**Event when the 8-hour wait time for self-healing begins**
181
+
Status: Started
182
+
183
+
Description: Database { database_name} on managed server {server_name} has lost access to Azure Key Vault Key and is now transitioning to inaccessible state.
175
184
176
-
EventName: MakeDatabaseInaccessible
177
185
178
-
Status: InProgress
186
+
**Event when the issue wasn’t resolved within 30 minutes and Azure Key Vault key access has to be validated manually**
179
187
180
-
Description: Database is waiting for Azure key vault key access to be reestablished by user within 8 hours.
188
+
**Azure SQL Database**
189
+
190
+
EventName: MakeDatabaseInaccessible
181
191
182
-
192
+
Status: Succeeded
183
193
184
-
**Event when the database has automatically come back online**
194
+
Description: Database is inaccessible and requires user to resolve Azure key vault errors and reestablish access to Azure key vault key using Re-validate key.
185
195
186
-
EventName: MakeDatabaseAccessible
196
+
**Azure SQL Managed Instance**
197
+
198
+
EventName: MakeManagedDatabaseInaccessible
187
199
188
200
Status: Succeeded
189
201
190
-
Description: Database access to Azure key vault key has been reestablished and database is now online.
191
-
192
-
202
+
Description: Database { database_name} on managed server {server_name} is inaccessible and requires user to re-establish access to Azure Key Vault Key.
193
203
194
-
**Event when the issue wasn’t resolved within 8 hours and Azure Key Vault key access has to be validated manually**
195
204
196
-
EventName: MakeDatabaseInaccessible
205
+
**Event when re-validation of Azure Key Vault key access has succeeded and the db is coming back online**
197
206
198
-
Status: Succeeded
207
+
**Azure SQL Database**
208
+
209
+
EventName: MakeDatabaseAccessible
199
210
200
-
Description: Database is inaccessible and requires user to resolve Azure key vault errors and reestablish access to Azure key vault key using Re-validate key.
211
+
Status: Started
201
212
202
-
213
+
Description: Access to Azure Key Vault Key has been re-established, operation to make database {database_name} on server {server_name} accessible started.
203
214
204
-
**Event when db comes online after manual key re-validation**
215
+
**Azure SQL Managed Instance**
216
+
217
+
EventName: MakeManagedDatabaseAccessible
205
218
206
-
EventName: MakeDatabaseAccessible
219
+
Status: Started
207
220
208
-
Status: Succeeded
221
+
Description: Access to Azure Key Vault Key has been re-established, operation to make database {database_name} on managed server {server_name} accessible started.
209
222
210
-
Description: Database access to Azure key vault key has been reestablished and database is now online.
223
+
224
+
**Event when the database has successfully come back online**
211
225
212
-
226
+
**Azure SQL Database**
227
+
228
+
EventName: MakeDatabaseAccessible
213
229
214
-
**Event when re-validation of Azure Key Vault key access has succeeded and the db is coming back online**
230
+
Status: Succeeded
215
231
216
-
EventName: MakeDatabaseAccessible
232
+
Description: Access to Azure Key Vault Key has been re-established and database {database_name} on server {server_name} is now online.
217
233
218
-
Status: Started
234
+
**Azure SQL Managed Instance**
235
+
236
+
EventName: MakeManagedDatabaseAccessible
219
237
220
-
Description: Restoring database access to Azure key vault key has started.
238
+
Status: Succeeded
221
239
222
-
240
+
Description: Access to Azure Key Vault Key has been re-established and database {database_name} on managed server {server_name} is now online.
241
+
223
242
224
243
**Event when re-validation of Azure Key Vault key access has failed**
225
244
245
+
**Azure SQL Database**
246
+
226
247
EventName: MakeDatabaseAccessible
227
248
228
249
Status: Failed
229
250
230
-
Description: Restoring database access to Azure key vault key has failed.
251
+
Description: Access to Azure Key Vault Key has been re-established, operation to make database {database_name} accessible on server {server_name} failed
252
+
253
+
**Azure SQL Managed Instance**
254
+
255
+
EventName: MakeManagedDatabaseAccessible
256
+
257
+
Status: Failed
231
258
259
+
Description: Access to Azure Key Vault Key has been re-established, operation to make database {database_name} accessible on managed server {server_name} failed
260
+
232
261
233
262
## Next steps
234
263
235
264
- Learn about [Azure Resource Health](/azure/service-health/resource-health-overview).
236
-
- Set up [Action Groups](/azure/azure-monitor/platform/action-groups) to receive notifications and alerts based on your preferences, e.g. Email/SMS/Push/Voice, Logic App, Webhook, ITSM, or Automation Runbook.
265
+
- Set up [Action Groups](/azure/azure-monitor/platform/action-groups) to receive notifications and alerts based on your preferences, e.g. Email/SMS/Push/Voice, Logic App, Webhook, ITSM, or Automation Runbook.
0 commit comments