03/13/2021, 8:56 PM
I'm probably too tired to think straight at this point - but now I've gotten to the AKS stage, and I decided that I really wanted to add disk encryption through a diskEncryptionSet. So.. ugh.. it'll be easier to read the code than to have me explain it:

```typescript
import * as azure from "@pulumi/azure-native"; // assuming the azure-native provider, given the resource shapes below

// Customer-managed key that the disk encryption set will wrap/unwrap with
const diskKey = new azure.keyvault.Key("aks-des-key", {
    keyName: "aks-des-key",
    properties: {
        kty: "RSA",
    },
});

// Disk encryption set with a system-assigned identity pointing at that key
const diskEncryption = new azure.compute.DiskEncryptionSet("aks-des", {
    location: aksStack.parameters.location,
    activeKey: {
        keyUrl: diskKey.keyUriWithVersion,
    },
    diskEncryptionSetName: "aks-des",
    encryptionType: "EncryptionAtRestWithCustomerKey",
    identity: {
        type: "SystemAssigned",
    },
});
```
So this is all fine - and in my AKS config I have `diskEncryptionSetID:,` which is also fine (I guess). But now, almost obviously, I'm getting:
Unable to access key vault resource 'https://(mykeyvaulthere).<|>' to enable encryption at rest. Please grant get, wrap and unwrap key permissions to disk encryption set 'aks-des'. Please visit <> for more information.
So I decide that I really should set up authorization for diskEncryption to access the diskKey. Note: I created my keyVault with `enableRbacAuthorization: true`. So here goes:

```typescript
const diskEncryptionRoleAssignment = new azure.authorization.RoleAssignment("des-to-kv", {
    roleDefinitionId: "Reader",
    principalId: diskEncryption.identity, // <--- should I not be able to access the principalId from diskEncryption somehow?!
});
```
I am absolutely a noob at this - not even sure I'm granting the right thing to the right stuff for any reason really, but I do know that if I want to use RoleAssignment for anything where I use a SystemAssigned identity, I need to be able to reference it as expected. From the Supporting Types of DiskEncryptionSet - EncryptionSetIdentity has the
which I defined, but then EncryptionSetIdentityResponse has `principalId` and `tenantId` in addition - which I want.. but the outputs of DiskEncryptionSet say nothing about those fields! How.. do I access them? Never mind if I'm even on the right track..
Looking at this blog post ( and the spec of synapse.Workspace - it's similar to the output spec of compute.DiskEncryptionSet and a lot of others in that the
field is not listed in the output (as it is an input), but is still accessible (because all inputs are), and has the same *IdentityResponse type - meaning that it should expose principalId and tenantId. The example uses `workspace.identity.principalId` though, and as far as I can tell TypeScript will go bananas at the thought of using it (as it does with me). Is this an issue with type declarations or something?
Property 'principalId' does not exist on type 'Output<EncryptionSetIdentityResponse | undefined>'.
Considering it's Sunday and all, and I don't expect Mikhail to be everywhere all at once - I'll open a GitHub issue on this one as that error does seem to indicate a bug for me 😉
Once again Mikhail is sort of debugging this even in his absence - looking through existing issues, there's one related to RoleAssignmentName ( in which he links to a C# example where he uses random..
in that code - right below - he's using chained `.apply`s to get the principalId out of the identity


03/14/2021, 8:09 AM
Yes, you need
. Responded in the issue.


03/14/2021, 8:09 AM
so.. taking that C# and putting it into TS makes that line look like this for me:

```typescript
principalId: diskEncryption.identity.apply(identity => identity?.principalId).apply(principalId => principalId ?? "<preview>"),
```

Thanks Mikhail - closing the issue and finally able to deal with real problems 😉