Azure PaaS Blog

[Azure AI Search] Internal Server Error when creating CMK encrypted objects

davidqiu (Microsoft)
Sep 28, 2024

Scenario

Customers follow the Microsoft documentation to create customer-managed key (CMK) encrypted objects (data source, index, etc.) but receive a 500 Internal Server Error:

{'error':{'code':'','message':'Could not use key vault key to wrap/unwrap the encryption key. {\\'Message\\':\\'An error has occurred.\\'}'}


Possible Causes

  • The key vault host is incorrect, e.g. an incorrect key vault name or domain.
    • Action: check the keyVaultUri in the JSON payload to make sure it is correct.
  • The key vault host is inaccessible to the search service. For example, the key vault has public network access disabled but does not have a shared private link (SPL) configured from the search service.
    • Action: check the SPL configuration, or create an SPL and make sure it is approved.

Note that when the key vault URI is correct and accessible, a wrong key vault key name or version in the JSON payload produces a slightly different error message. That message contains the complete key vault key path:

{
  "error": {
    "code": "",
    "message": "Could not use key vault key https://keyvaultname.vault.azure.net:443/keys/wrongkeyname to wrap/unwrap the encryption key. The key vault key cannot be found."
  }
}
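
The distinction between the two messages can be turned into a triage step. The following is an added example, not code from the original post or from Microsoft: it classifies the error message by whether it carries a key path and, when it does not, checks the keyVaultUri syntax before pointing at the network. The function names, the suffix list and the sample payload are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: standard Key Vault endpoints only (public, China, US Government clouds).
VAULT_SUFFIXES = (".vault.azure.net", ".vault.azure.cn", ".vault.usgovcloudapi.net")
# Vault names: 3-24 chars of letters/digits/hyphens, letter first, no "--", no trailing "-".
VAULT_NAME = re.compile(r"^[A-Za-z](?:[A-Za-z0-9]|-(?!-)){1,22}[A-Za-z0-9]$")
# The message carries the key URL only when the vault host itself was reached.
CMK_ERROR = re.compile(
    r"Could not use key vault key (?:(https://\S+) )?to wrap/unwrap the encryption key\.")
# The two messages quoted on this page, plus a constructed encryptionKey payload.
HOST_ERROR = ("Could not use key vault key to wrap/unwrap the encryption key. "
              "{'Message':'An error has occurred.'}")
KEY_ERROR = ("Could not use key vault key https://keyvaultname.vault.azure.net:443"
             "/keys/wrongkeyname to wrap/unwrap the encryption key. "
             "The key vault key cannot be found.")
SAMPLE_KEY = {"keyVaultKeyName": "wrongkeyname", "keyVaultKeyVersion": "<key-version>",
              "keyVaultUri": "https://keyvaultname.vault.azure.net"}


def check_vault_uri(uri):
    """Return syntactic problems found in keyVaultUri (empty list means well formed)."""
    parsed = urlparse(uri)
    host = parsed.hostname or ""
    problems = [] if parsed.scheme == "https" else ["scheme must be https"]
    suffix = next((s for s in VAULT_SUFFIXES if host.endswith(s)), None)
    if suffix is None:
        problems.append(f"host {host!r} is not under a known Key Vault domain")
    elif not VAULT_NAME.match(host[:-len(suffix)]):
        problems.append(f"{host[:-len(suffix)]!r} is not a valid vault name")
    return problems


def triage(message, encryption_key):
    """Map the 500 error message and the request's encryptionKey to a likely cause."""
    match = CMK_ERROR.search(message)
    if match is None:
        return ("unrelated", "not the CMK wrap/unwrap error")
    if match.group(1):  # full key path present: vault was reached, key lookup failed
        return ("key", f"check key name and version; service tried {match.group(1)}")
    problems = check_vault_uri(encryption_key.get("keyVaultUri", ""))
    if problems:
        return ("uri", "; ".join(problems))
    return ("network", "URI is well formed; check public network access or the SPL")


if __name__ == "__main__":
    print(triage(HOST_ERROR, SAMPLE_KEY))
    print(triage(KEY_ERROR, SAMPLE_KEY))
```

A "network" result only means the URI passed the syntax check; a well-formed name that points at a vault that does not exist produces the same generic message.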

Updated Oct 01, 2024
Version 3.0
  • @David Qiu

     

    Please try the steps below; you should be able to resolve the 500 Internal Server Error and successfully create the CMK encrypted object.

    1. Verify Key Vault URI: Ensure the keyVaultUri in the payload is pointing to the correct key vault.
    2. Check Network Access: Ensure public network access is enabled or configure a Shared Private Link (SPL) if required.
    3. Confirm Key Name and Version: Double-check the key name and version to ensure you are referencing the correct key in the vault.