
Wrong warning that leads to unrecoverable state

Open lesmoris-guesty opened this issue 2 years ago • 2 comments

In the section "List Key Vaults"

https://learn.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription?WT.mc_id=Portal-Microsoft_Azure_Billing#list-key-vaults

there is a warning that says:

"If you are using encryption at rest for a resource, such as a storage account or SQL database, that has a dependency on a key vault that is not in the same subscription that is being transferred, it can lead to an unrecoverable scenario. If you have this situation, you should take steps to use a different key vault or temporarily disable customer-managed keys to avoid this unrecoverable scenario."

This is wrong. I did a transfer with an encrypted MySQL with a key in a KV located IN THE SAME subscription as the MySQL server and it failed. The key is tied to the tenant, not the KV/subscription. So if you keep the encryption ON and do the transfer, you will lose access to the data inside the MySQL server. This was confirmed by the PG team. You have to disable encryption BEFORE doing the change.

Please change it to avoid other people losing their MySQL servers.



lesmoris-guesty avatar Dec 01 '22 16:12 lesmoris-guesty

@lesmoris-guesty Thanks for your feedback! We will investigate and update as appropriate.

SaibabaBalapur-MSFT avatar Dec 01 '22 17:12 SaibabaBalapur-MSFT

@lesmoris-guesty Thanks for bringing this to our attention. I'm going to assign this to the document author so they can take a look at it accordingly.

@rolyon Can you please check and add your comments on this doc update request as applicable?

AjayBathini-MSFT avatar Dec 02 '22 04:12 AjayBathini-MSFT

Hi @lesmoris-guesty Thanks for letting us know about this. We are checking with the team to make updates to the doc. Thanks.

rolyon avatar Dec 09 '22 09:12 rolyon

Hi @lesmoris-guesty We have updated the warning text in the doc. https://learn.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription Thanks again and let us know if you have any additional feedback. Thanks.

rolyon avatar Dec 09 '22 19:12 rolyon

#please-close

rolyon avatar Dec 09 '22 19:12 rolyon