|
| 1 | +--- |
| 2 | +title: Azure HDInsight clusters with disk encryption lose Key Vault access |
| 3 | +description: Troubleshooting steps and possible resolutions for issues when interacting with Azure HDInsight clusters. |
| 4 | +author: hrasheed-msft |
| 5 | +ms.author: hrasheed |
| 6 | +ms.reviewer: jasonh |
| 7 | +ms.service: hdinsight |
| 8 | +ms.topic: troubleshooting |
| 9 | +ms.date: 01/30/2020 |
| 10 | +--- |
| 11 | + |
| 12 | +# Scenario: Azure HDInsight clusters with disk encryption lose Key Vault access |
| 13 | + |
| 14 | +This article describes troubleshooting steps and possible resolutions for issues when interacting with Azure HDInsight clusters. |
| 15 | + |
| 16 | +## Issue |
| 17 | + |
| 18 | +The Resource Health Center (RHC) alert, `The HDInsight cluster is unable to access the key for BYOK encryption at rest`, is shown for Bring Your Own Key (BYOK) clusters where the cluster nodes have lost access to customers Key Vault (KV). Similar alerts can also be seen on Apache Ambari UI. |
| 19 | + |
| 20 | +## Cause |
| 21 | + |
| 22 | +The alert ensures that KV is accessible from the cluster nodes, thereby ensuring the network connection, KV health, and access policy for the user assigned Managed Identity. This alert is only a warning of impending broker shutdown on subsequent node reboots, the cluster continues to function until nodes reboot. |
| 23 | + |
| 24 | +Navigate to Apache Ambari UI to find more information about the alert from **Disk Encryption Key Vault Status**. This alert will have details about the reason for verification failure. |
| 25 | + |
| 26 | +## Resolution |
| 27 | + |
| 28 | +### KV/AAD outage |
| 29 | + |
| 30 | +Look at [Azure Key Vault availability and redundancy](../../key-vault/key-vault-disaster-recovery-guidance.md) and Azure status page for more details https://status.azure.com/ |
| 31 | + |
| 32 | +### KV accidental deletion |
| 33 | + |
| 34 | +* Restore deleted key on KV to auto recover. For more information, see [Recover Deleted Key](https://docs.microsoft.com/rest/api/keyvault/recoverdeletedkey). |
| 35 | +* Reach out to KV team to recover from accidental deletions. |
| 36 | + |
| 37 | +### KV access policy changed |
| 38 | + |
| 39 | +Restore the access policies for the user assigned Managed Identity that is assigned to HDI cluster for accessing the KV. |
| 40 | + |
| 41 | +### Key permitted operations |
| 42 | + |
| 43 | +For each key in KV, you can choose the set of permitted operations. Ensure that you have wrap and unwrap operations enabled for the BYOK key |
| 44 | + |
| 45 | +### Expired key |
| 46 | + |
| 47 | +If the expiry has passed and key isn't rotated, restore key from backup HSM or contact KV team to clear the expiry date. |
| 48 | + |
| 49 | +### KV firewall blocking access |
| 50 | + |
| 51 | +Fix the KV firewall settings to allow BYOK cluster nodes to access the KV. |
| 52 | + |
| 53 | +### NSG rules on virtual network blocking access |
| 54 | + |
| 55 | +Check the NSG rules associated with the virtual network attached to the cluster. |
| 56 | + |
| 57 | +## Mitigation and prevention steps |
| 58 | + |
| 59 | +### KV accidental deletion |
| 60 | + |
| 61 | +* Configure Key Vault with [Resource Lock set](../../azure-resource-manager/management/lock-resources.md). |
| 62 | +* Back up keys to their Hardware Security Module. |
| 63 | + |
| 64 | +### Key deletion |
| 65 | + |
| 66 | +Cluster should be deleted before key deletion. |
| 67 | + |
| 68 | +### KV access policy changed |
| 69 | + |
| 70 | +Regularly audit and test access policies. |
| 71 | + |
| 72 | +### Expired key |
| 73 | + |
| 74 | +* Back up keys to your HSM. |
| 75 | +* Use a key without any expiry set. |
| 76 | +* If expiry needs to be set, rotate the keys before the expiration date. |
| 77 | + |
| 78 | +## Next steps |
| 79 | + |
| 80 | +If you didn't see your problem or are unable to solve your issue, visit one of the following channels for more support: |
| 81 | + |
| 82 | +* Get answers from Azure experts through [Azure Community Support](https://azure.microsoft.com/support/community/). |
| 83 | + |
| 84 | +* Connect with [@AzureSupport](https://twitter.com/azuresupport) - the official Microsoft Azure account for improving customer experience. Connecting the Azure community to the right resources: answers, support, and experts. |
| 85 | + |
| 86 | +* If you need more help, you can submit a support request from the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade/). Select **Support** from the menu bar or open the **Help + support** hub. For more detailed information, review [How to create an Azure support request](https://docs.microsoft.com/azure/azure-supportability/how-to-create-azure-support-request). Access to Subscription Management and billing support is included with your Microsoft Azure subscription, and Technical Support is provided through one of the [Azure Support Plans](https://azure.microsoft.com/support/plans/). |
0 commit comments