Hi @Gyampoh Enoch
Thank you for reaching out on the Microsoft Q&A platform.
I understand that when you're trying to attach the created key to your Azure MySQL server, you're encountering an error message stating "SecurityInvalidAzureKeyVaultRecoveryLevel" along with an invalid Key Vault URL. This error indicates that the Key Vault needs to be configured with soft-delete and purge protection. Although you've already enabled these features, the error persists.
To resolve this issue, I recommend using a Key Vault in the same region as your MySQL server. However, if you need to use a Key Vault from a different region, you can specify the "enter key identifier" information. Additionally, the Key Vault managed HSM must be in the same region as the MySQL Flexible Server.
Before attempting to configure the customer-managed key (CMK), please ensure the following requirements are met:
- The customer-managed key used to encrypt the DEK must be asymmetric (RSA or RSA-HSM with Premium SKU), with key sizes of 2048, 3072, or 4096 bits.
- The key activation date (if set) must be in the past, and the expiration date should not be set.
- The key must be in the "Enabled" state.
- The key must have soft delete with a retention period set to 90 days. This will automatically set the required recoveryLevel to "Recoverable."
- Purge protection must be enabled for the key.
- If you're importing an existing key into the Key Vault, ensure it is in a supported file format (.pfx, .byok, .backup).
I kindly request that you perform these operations in the Azure portal, following the instructions provided in this document: Data Encryption in Azure MySQL Flexible Server.
For additional information, please refer to this document: Requirements for Configuring Data Encryption for Azure Database for MySQL Flexible Server.
Please configure the settings as outlined in the document, as this should help resolve the issue. If the issue persists, kindly provide screenshots or any additional information, and we will assist you with further troubleshooting.
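As an added pre-flight check (not part of the answer above or of Microsoft's tooling), the following Python validates vault and key metadata against the requirements listed in that answer before you attempt to attach the key. It assumes field names matching the `az keyvault show` / `az keyvault key show` JSON and the epoch-second timestamps of the Key Vault REST API; all sample data is constructed.

```python
import base64
import time

ALLOWED_RSA_BITS = {2048, 3072, 4096}

def rsa_bits_from_jwk(jwk):
    """Key size in bits, derived from the base64url-encoded RSA modulus 'n'."""
    n = jwk["n"] + "=" * (-len(jwk["n"]) % 4)  # restore stripped padding
    return len(base64.urlsafe_b64decode(n)) * 8

def check_cmk_requirements(vault, key, now=None):
    """Return a list of violations of the CMK requirements; empty means OK."""
    now = time.time() if now is None else now
    props, attrs, jwk = vault["properties"], key["attributes"], key["key"]
    problems = []
    if not props.get("enableSoftDelete"):
        problems.append("soft delete is not enabled on the vault")
    if props.get("softDeleteRetentionInDays") != 90:
        problems.append("soft-delete retention must be 90 days")
    if not props.get("enablePurgeProtection"):
        problems.append("purge protection is not enabled on the vault")
    if attrs.get("recoveryLevel") != "Recoverable":
        problems.append(f"recoveryLevel is {attrs.get('recoveryLevel')!r}, expected 'Recoverable'")
    if jwk.get("kty") not in ("RSA", "RSA-HSM"):
        problems.append("key type must be RSA or RSA-HSM")
    elif rsa_bits_from_jwk(jwk) not in ALLOWED_RSA_BITS:
        problems.append("RSA key size must be 2048, 3072 or 4096 bits")
    if not attrs.get("enabled"):
        problems.append("key is not in the Enabled state")
    if attrs.get("notBefore") is not None and attrs["notBefore"] > now:
        problems.append("key activation date (notBefore) is in the future")
    if attrs.get("expires") is not None:
        problems.append("key has an expiration date set; it must be unset")
    return problems

# Constructed sample data (assumed shapes, not captured from a real vault).
_MODULUS_2048 = base64.urlsafe_b64encode(b"\xc3" * 256).rstrip(b"=").decode()
SAMPLE_VAULT = {"properties": {"enableSoftDelete": True,
                               "softDeleteRetentionInDays": 90,
                               "enablePurgeProtection": True}}
SAMPLE_KEY_OK = {"attributes": {"enabled": True, "recoveryLevel": "Recoverable",
                                "notBefore": 1700000000, "expires": None},
                 "key": {"kty": "RSA", "n": _MODULUS_2048}}
# A key in a vault without purge protection typically shows "Recoverable+Purgeable".
SAMPLE_KEY_BAD = {"attributes": {"enabled": True, "recoveryLevel": "Recoverable+Purgeable",
                                 "notBefore": None, "expires": 1900000000},
                  "key": {"kty": "RSA", "n": _MODULUS_2048}}

if __name__ == "__main__":
    for name, key in (("ok", SAMPLE_KEY_OK), ("bad", SAMPLE_KEY_BAD)):
        print(name, check_cmk_requirements(SAMPLE_VAULT, key) or "all requirements met")
```

With real data, feed it the parsed output of `az keyvault show` and `az keyvault key show` (converting ISO timestamps to epoch seconds first) and fix every reported item before retrying the attach.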