
I've been working on a solution to implement automatic key rotation for a storage account using Key Vault. The script I'm using is listed below. The object ID is not a service principal (it's my object ID).

$resourcegroup = "resourcegroupname"
$saname = "storageaccountname"
$vaultname = "keyvaultname"

# Resolve the storage account so its resource ID can be used as the role scope
$storage = Get-AzureRmStorageAccount -ResourceGroupName $resourcegroup -StorageAccountName $saname

# My own user object ID (not a service principal)
$userPrincipalId = $(Get-AzureRmADUser -ObjectId "my-object-id").Id

# Give my user the key operator role on the storage account
New-AzureRmRoleAssignment -ObjectId $userPrincipalId -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope $storage.Id

# Give my user storage permissions on the vault
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultname -ObjectId $userPrincipalId -PermissionsToStorage all

$regenPeriod = [System.TimeSpan]::FromDays(1)

# Register the storage account as a Key Vault managed storage account
Add-AzureKeyVaultManagedStorageAccount -VaultName $vaultname -AccountName $saname -AccountResourceId $storage.Id -ActiveKeyName key2 -RegenerationPeriod $regenPeriod

But then I get the following error:

Add-AzureKeyVaultManagedStorageAccount : Key vault service doesn't have proper permissions to access the storage account 
https://something.vault.azure.net/storage/something
At line:17 char:1
+ Add-AzureKeyVaultManagedStorageAccount -VaultName $vaultname -Account ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : CloseError: (:) [Add-AzureKeyVaultManagedStorageAccount], KeyVaultErrorException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultManagedStorageAccount

1 Answer


You also need to assign the Storage Account Key Operator Service Role to the Key Vault service principal on the storage account.

See the documentation here.

answered 2018-06-04T07:15:00.930
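The missing step the answer describes, written out as an added example (this is not the asker's script or the answerer's code): the role assignment goes to the Key Vault service principal, not to the user running the script. It assumes the AzureRm module used in the question, placeholder resource names, and the well-known first-party Azure Key Vault application ID from Microsoft's documentation; confirm that ID in your own tenant before relying on it.

```powershell
# Added example: grant the Key Vault service principal the
# 'Storage Account Key Operator Service Role' on the storage account, then
# onboard the account as a Key Vault managed storage account.
# Assumptions: AzureRm cmdlets (as in the question), placeholder names, and the
# Key Vault first-party application ID below taken from Microsoft's docs.

$resourcegroup = "resourcegroupname"
$saname        = "storageaccountname"
$vaultname     = "keyvaultname"
$userObjectId  = "my-object-id"   # the user registering the account, as in the question
$roleName      = 'Storage Account Key Operator Service Role'

$storage = Get-AzureRmStorageAccount -ResourceGroupName $resourcegroup -StorageAccountName $saname

# Resolve the Key Vault service principal by application ID rather than by
# display name, so a lookalike app registration cannot be picked by mistake.
$keyVaultAppId = "cfa8b339-82a2-471a-a3c9-0fc0be7a4093"   # documented Azure Key Vault app ID (verify in your tenant)
$kvSp = Get-AzureRmADServicePrincipal -ServicePrincipalName $keyVaultAppId
if (-not $kvSp) {
    throw "Key Vault service principal $keyVaultAppId was not found in this tenant"
}

# Idempotent: only create the assignment if it does not already exist.
$existing = Get-AzureRmRoleAssignment -ObjectId $kvSp.Id -Scope $storage.Id `
    -RoleDefinitionName $roleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzureRmRoleAssignment -ObjectId $kvSp.Id -RoleDefinitionName $roleName -Scope $storage.Id | Out-Null
}

# Role assignments take a moment to propagate; poll until it is visible so the
# onboarding call below does not fail with the same permissions error.
$deadline = (Get-Date).AddMinutes(5)
do {
    $visible = Get-AzureRmRoleAssignment -ObjectId $kvSp.Id -Scope $storage.Id `
        -RoleDefinitionName $roleName -ErrorAction SilentlyContinue
    if (-not $visible) { Start-Sleep -Seconds 10 }
} while (-not $visible -and (Get-Date) -lt $deadline)
if (-not $visible) {
    throw "Role assignment for the Key Vault service principal did not become visible in time"
}

# The user doing the registration still needs storage permissions on the vault;
# grant only what onboarding and rotation require instead of 'all'.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultname -ObjectId $userObjectId `
    -PermissionsToStorage get, list, set, update, regeneratekey

$regenPeriod = [System.TimeSpan]::FromDays(1)
Add-AzureKeyVaultManagedStorageAccount -VaultName $vaultname -AccountName $saname `
    -AccountResourceId $storage.Id -ActiveKeyName key2 -RegenerationPeriod $regenPeriod
```

Once the account is registered, Key Vault regenerates the inactive key on the schedule and swaps which key is active; anything that still reads the storage keys directly (rather than requesting a SAS from the vault) will keep breaking on every rotation, so the role assignment above is the fix for the error, not the end of the migration.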