[BUG] mgmt storage, exception when `withExistingUserAssignedManagedServiceIdentity` and `withEncryptionKeyFromKeyVault` are both present about azure-sdk-for-java HOT 5 CLOSED

XiaofeiCao commented on May 26, 2024

[BUG] mgmt storage, exception when `withExistingUserAssignedManagedServiceIdentity` and `withEncryptionKeyFromKeyVault` are both present

from azure-sdk-for-java.

Comments (5)

XiaofeiCao commented on May 26, 2024

We may need to support the full MMK and CMK use cases.

Docs: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview

Proposal:

Add an override withExistingUserAssignedManagedServiceIdentity(identityId).
Add an override withEncryptionFromKeyVault(vaultUri, key, version, userAssignedIdentityId).
Add withEncryptionFromStorage to update encryption from CMK to MMK.

Use cases

1. Create storage account with CMK

StorageAccount storageAccount = storageManager
            .storageAccounts()
            .define(saName)
            .withRegion(Region.US_EAST)
            .withExistingResourceGroup(rgName)
            .withExistingUserAssignedManagedServiceIdentity(defaultIdentity)
            .withEncryptionFromKeyVault(vaultUri, key, version, defaultIdentity.id())
            .create();

2. Update existing storage account from MMK to CMK

StorageAccount storageAccount = storageManager
            .storageAccounts()
            .define(saName)
            .withRegion(Region.US_EAST)
            .withExistingResourceGroup(rgName)
            .create();

storageAccount.update()
            .withExistingUserAssignedManagedServiceIdentity(defaultIdentity)
            .withEncryptionFromKeyVault(vaultUri, key, version, defaultIdentity.id())
            .apply();

3. Update existing storage account's CMK

3.1 From system-assigned to user-assigned, and vice-versa. After the update, StorageAccount's identity type will be SYSTEM_AND_USER_ASSIGNED.

StorageAccount storageAccount = storageManager
            .storageAccounts()
            .define(saName)
            .withRegion(Region.US_EAST)
            .withExistingResourceGroup(rgName)
            .withSystemAssignedManagedServiceIdentity()
            .withEncryptionFromKeyVault(vaultUri, key, version)
            .create();

// from system-assigned to user-assigned
storageAccount.update()
            .withEncryptionFromKeyVault(vaultUri, key, version, identity.id())
            .withExistingUserAssignedManagedServiceIdentity(identity)
            .apply();

// from user-assigned to system-assigned(I'm not able to find a way to express this using existing interfaces)
storageAccount.update()
            .withEncryptionFromKeyVault(vaultUri, key, version) // without the identity id, it'll be changed to system-assigned
            .apply();

3.2 From one user-assigned to another user-assigned.

StorageAccount storageAccount = storageManager
            .storageAccounts()
            .define(saName)
            .withRegion(Region.US_EAST)
            .withExistingResourceGroup(rgName)
            .withEncryptionFromKeyVault(vaultUri, key, version, identity1.id())
            .withExistingUserAssignedManagedServiceIdentity(identity1)
            .create();

storageAccount.update()
            .withEncryptionFromKeyVault(vaultUri, key, version, identity2.id())
            .withExistingUserAssignedManagedServiceIdentity(identity2.id())
            .withoutExistingUserAssignedManagedServiceIdentity(identity1.id())
            .apply();

4. From CMK to MMK.

StorageAccount storageAccount = storageManager
            .storageAccounts()
            .define(saName)
            .withRegion(Region.US_EAST)
            .withExistingResourceGroup(rgName)
            .withEncryptionFromKeyVault(vaultUri, key, version, identity1)
            .withExistingUserAssignedManagedServiceIdentity(identity1)
            .create();

storageAccount.update()
            .withEncryptionFromStorage() // MMK
            .apply();

from azure-sdk-for-java.

weidongxu-microsoft commented on May 26, 2024

LGTM

We do want user explicitly put the identity or identity id when setting the encryption.

question:

does storage account only allow 1 user-assigned managed identity? (on 3.2, I didn't see a withoutUserAssigned)
withEncryptionFromStorage would be the default to storage account (it always encrypted), correct?

from azure-sdk-for-java.

weidongxu-microsoft commented on May 26, 2024

The casing on the ID seems to be a backend bug to me... I assume this part would be case-insensitive.

from azure-sdk-for-java.

XiaofeiCao commented on May 26, 2024

does storage account only allow 1 user-assigned managed identity? (on 3.2, I didn't see a withoutUserAssigned)

Yeah, seems so. Updated the use case. Portal and CLI automatically does the without for user if it detects the user-assigned identity has changed. We'll probably not do this, in case they allow somehow.

withEncryptionFromStorage would be the default to storage account (it always encrypted), correct?

Correct.

I'll let them know the case-sensitive case.

from azure-sdk-for-java.

weidongxu-microsoft commented on May 26, 2024

Agree. We'd better have user explicitly do the "without".

from azure-sdk-for-java.

[BUG] mgmt storage, exception when `withExistingUserAssignedManagedServiceIdentity` and `withEncryptionKeyFromKeyVault` are both present about azure-sdk-for-java HOT 5 CLOSED

Comments (5)

Use cases

1. Create storage account with CMK

2. Update existing storage account from MMK to CMK

3. Update existing storage account's CMK

3.1 From system-assigned to user-assigned, and vice-versa. After the update, StorageAccount's identity type will be SYSTEM_AND_USER_ASSIGNED.

3.2 From one user-assigned to another user-assigned.

4. From CMK to MMK.

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent