[Storage] Fix issue 14769 (#14806)

blueww · web-flow · commit cc2ea0b237a7 · 2021-04-22T15:09:24.000+08:00
diff --git a/src/Storage/Storage.Management/ChangeLog.md b/src/Storage/Storage.Management/ChangeLog.md
@@ -25,6 +25,8 @@
     - `New-AzStorageAccount`
 * Fixed an issue that delete immutable blob will prompt incorrect message.
     - `Remove-AzStorageAccount`
+* Allowed update Storage Account KeyVault properties by cleanup Keyversion to enable key auto rotation [#14769]
+    - `Set-AzStorageAccount`
 * Added breaking change warning message for upcoming cmdlet breaking change
     - `Remove-AzRmStorageShare`
 
diff --git a/src/Storage/Storage.Management/StorageAccount/SetAzureStorageAccount.cs b/src/Storage/Storage.Management/StorageAccount/SetAzureStorageAccount.cs
@@ -160,7 +160,7 @@ public SwitchParameter KeyvaultEncryption
         [Parameter(HelpMessage = "Storage Account encryption keySource KeyVault KeyVersion",
         Mandatory = false,
         ParameterSetName = KeyvaultEncryptionParameterSet)]
-        [ValidateNotNullOrEmpty]
+        [ValidateNotNull]
         public string KeyVersion { get; set; }
 
         [Parameter(HelpMessage = "Storage Account encryption keySource KeyVault KeyVaultUri",
diff --git a/src/Storage/Storage.Management/help/Set-AzStorageAccount.md b/src/Storage/Storage.Management/help/Set-AzStorageAccount.md
@@ -97,10 +97,15 @@ PS C:\>$keyVault = New-AzKeyVault -VaultName "MyKeyVault" -ResourceGroupName "My
 PS C:\>$key = Add-AzKeyVaultKey -VaultName "MyKeyVault" -Name "MyKey" -Destination 'Software'
 PS C:\>Set-AzKeyVaultAccessPolicy -VaultName "MyKeyVault" -ObjectId $account.Identity.PrincipalId -PermissionsToKeys wrapkey,unwrapkey,get
 
+# In case to enable key auto rotation, don't set KeyVersion
 PS C:\>Set-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $keyVault.VaultUri
+
+# In case to enable key auto rotation after set keyvault proeprites with KeyVersion, can update account by set KeyVersion to empty
+PS C:\>Set-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -KeyvaultEncryption -KeyName $key.Name -KeyVersion "" -KeyVaultUri $keyVault.VaultUri
 ```
 
 This command set Encryption KeySource with a new created Keyvault.
+If want to enable key auto rotation, don't set keyversion when set Keyvault properties for the first time, or clean up it by set keyvault properties again with keyversion as empty.
 
 ### Example 6: Set Encryption KeySource to "Microsoft.Storage"
 ```
