Encryption at Rest Using Key Management

While enabling encryption-at-rest on MongoDB Atlas, I consistently get an “Invalid Azure credentials” error. I’ve connected to Azure and can successfully access the key-vault key in PowerShell with the same credentials that are being used. We set up another cluster in the same org a few months ago. When we set up the encryption, it also got that same error, but the next day it just worked for the first instance. The current issue has been going on for a couple of days and still doesn’t work. Has anyone else seen this issue or know what may be causing the error?

Hello @Caycee_Cress ,

Welcome to The MongoDB Community Forums! :wave:

I would advise you to bring this up with the Atlas chat support team. They may be able to check if anything on the Atlas side could have possibly caused this issue. In saying so, if a chat support is raised, please provide them with the following:

  1. Cluster link / name which experienced the issue
  2. Time & date including timezone for when it occurred
  3. Exact error message output
  4. Any additional details that you think will help them point to the issue

Regards,
Tarun

We have tried reaching out through chat support hoping to at least just get the detail of the exact error since it’s known the credentials are good. However, the only advice given was to either pay for Developer support or to try the forum. Seems silly to pay $800 to simply get an error message that is being masked incorrectly.

Hello Caycee,

It seems others have gotten this error when the Azure Key Vault Reader role was not assigned to the service principal. There is a list of prerequisite steps in the Azure Key Vault documentation for Manage Customer Keys that you can review to see if there was perhaps a missed step.

I hope this helps,

Cynthia


Thank you, however, the service principal does have the role. As mentioned above we can use the az PowerShell module to authenticate using the same client and secret. Once authenticated we are also able to successfully retrieve the secret.

Was there any solution to this?
I am facing the same error.
I checked that the Azure AD app has the required role over the KeyVault and also has access policies.
The client ID and secret are correct. Still getting the error - “Invalid Azure credentials”