Comments (5)
We may need to support the full MMK and CMK use cases.
Docs: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
Proposal:
- Add an override withExistingUserAssignedManagedServiceIdentity(identityId).
- Add an override withEncryptionFromKeyVault(vaultUri, key, version, userAssignedIdentityId).
- Add withEncryptionFromStorage to update encryption from CMK to MMK.
Use cases
1. Create storage account with CMK
StorageAccount storageAccount = storageManager
    .storageAccounts()
    .define(saName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup(rgName)
    .withExistingUserAssignedManagedServiceIdentity(defaultIdentity)
    .withEncryptionFromKeyVault(vaultUri, key, version, defaultIdentity.id())
    .create();
2. Update existing storage account from MMK to CMK
StorageAccount storageAccount = storageManager
    .storageAccounts()
    .define(saName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup(rgName)
    .create();
storageAccount.update()
    .withExistingUserAssignedManagedServiceIdentity(defaultIdentity)
    .withEncryptionFromKeyVault(vaultUri, key, version, defaultIdentity.id())
    .apply();
3. Update existing storage account's CMK
3.1 From system-assigned to user-assigned, and vice versa. After the update, the StorageAccount's identity type will be SYSTEM_AND_USER_ASSIGNED.
StorageAccount storageAccount = storageManager
    .storageAccounts()
    .define(saName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup(rgName)
    .withSystemAssignedManagedServiceIdentity()
    .withEncryptionFromKeyVault(vaultUri, key, version)
    .create();
// from system-assigned to user-assigned
storageAccount.update()
    .withEncryptionFromKeyVault(vaultUri, key, version, identity.id())
    .withExistingUserAssignedManagedServiceIdentity(identity)
    .apply();
// from user-assigned to system-assigned (I'm not able to find a way to express this using existing interfaces)
storageAccount.update()
    .withEncryptionFromKeyVault(vaultUri, key, version) // without the identity id, it'll be changed to system-assigned
    .apply();
3.2 From one user-assigned to another user-assigned.
StorageAccount storageAccount = storageManager
    .storageAccounts()
    .define(saName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup(rgName)
    .withEncryptionFromKeyVault(vaultUri, key, version, identity1.id())
    .withExistingUserAssignedManagedServiceIdentity(identity1)
    .create();
storageAccount.update()
    .withEncryptionFromKeyVault(vaultUri, key, version, identity2.id())
    .withExistingUserAssignedManagedServiceIdentity(identity2.id())
    .withoutExistingUserAssignedManagedServiceIdentity(identity1.id())
    .apply();
4. From CMK to MMK.
StorageAccount storageAccount = storageManager
    .storageAccounts()
    .define(saName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup(rgName)
    .withEncryptionFromKeyVault(vaultUri, key, version, identity1.id())
    .withExistingUserAssignedManagedServiceIdentity(identity1)
    .create();
storageAccount.update()
    .withEncryptionFromStorage() // MMK
    .apply();
from azure-sdk-for-java.
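The states the use cases above move between (MMK vs CMK, which identity does the Key Vault access, and what is left behind after switching identities) can be checked offline from the storage account's ARM resource JSON. The following is an added Python example, not code from the issue or from azure-sdk-for-java: it reads the properties.encryption and identity sections of a storage-account resource, classifies the account as MMK or CMK, verifies that the identity referenced for Key Vault access is actually assigned to the account (comparing resource IDs case-insensitively, since ARM IDs are case-insensitive), and flags a user-assigned identity that stays assigned but no longer does the encryption access. The sample resource is constructed for this example.

```python
"""Offline audit of an Azure Storage account's encryption configuration.

Added example, not code from azure-sdk-for-java. It works on the ARM
resource JSON of a storage account (the shape the management API returns),
classifies the account as MMK or CMK, and cross-checks the identity used
for Key Vault access against the identities assigned to the account.
"""
import json

# Constructed sample: a CMK account after moving Key Vault access from
# identity1 to identity2 without removing identity1. The identity ID under
# encryption.identity comes back in different casing than the key of
# identity.userAssignedIdentities, the casing quirk the thread mentions.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "stexample",
  "identity": {
    "type": "SystemAssigned,UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1": {},
      "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity2": {}
    }
  },
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyname": "sa-key",
        "keyversion": "",
        "keyvaulturi": "https://kv-example.vault.azure.net/"
      },
      "identity": {
        "userAssignedIdentity": "/subscriptions/sub/resourcegroups/rg/providers/microsoft.managedidentity/userassignedidentities/identity2"
      }
    }
  }
}
""")


def _norm(resource_id):
    """ARM resource IDs are case-insensitive, so compare them lower-cased."""
    return resource_id.lower()


def key_mode(account):
    """"MMK" for Microsoft-managed keys (keySource Microsoft.Storage, the
    default when nothing is set), "CMK" for keySource Microsoft.Keyvault."""
    enc = account.get("properties", {}).get("encryption") or {}
    source = (enc.get("keySource") or "Microsoft.Storage").lower()
    return "CMK" if source == "microsoft.keyvault" else "MMK"


def encryption_identity(account):
    """Identity the service uses to reach Key Vault: the user-assigned identity
    ID from encryption.identity, or "SystemAssigned" when none is set."""
    enc = account.get("properties", {}).get("encryption") or {}
    uai = (enc.get("identity") or {}).get("userAssignedIdentity")
    return uai or "SystemAssigned"


def audit(account):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    if key_mode(account) != "CMK":
        return findings  # MMK needs no Key Vault or identity cross-checks
    kv = account["properties"]["encryption"].get("keyvaultproperties") or {}
    if not (kv.get("keyname") and kv.get("keyvaulturi")):
        findings.append("CMK enabled but keyvaultproperties lacks keyname or keyvaulturi")
    ident = account.get("identity") or {}
    types = {t.strip().lower() for t in (ident.get("type") or "None").split(",")}
    assigned = {_norm(rid): rid for rid in (ident.get("userAssignedIdentities") or {})}
    used = encryption_identity(account)
    if used == "SystemAssigned":
        if "systemassigned" not in types:
            findings.append("encryption uses the system-assigned identity but the account has none")
    else:
        if _norm(used) not in assigned:
            findings.append(f"encryption identity {used} is not assigned to the account")
        # Only one user-assigned identity does the Key Vault access; any other
        # one left behind after a switch (use case 3.2) is a stale grant.
        for rid in (orig for key, orig in assigned.items() if key != _norm(used)):
            findings.append(f"user-assigned identity {rid} is assigned but unused for encryption; remove it")
    return findings


if __name__ == "__main__":
    print(key_mode(SAMPLE_ACCOUNT), encryption_identity(SAMPLE_ACCOUNT))
    for finding in audit(SAMPLE_ACCOUNT):
        print("-", finding)
```

Run against the constructed sample it reports the account as CMK using identity2 and produces one finding, the stale identity1, which is exactly the cleanup the thread decides to leave to the user via the explicit "without" call rather than doing automatically.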
LGTM
We do want the user to explicitly put the identity or identity ID when setting the encryption.
Questions:
- Does the storage account only allow 1 user-assigned managed identity? (On 3.2, I didn't see a withoutUserAssigned.)
- withEncryptionFromStorage would be the default for a storage account (it is always encrypted), correct?

The casing on the ID seems to be a backend bug to me... I assume this part would be case-insensitive.
> Does the storage account only allow 1 user-assigned managed identity? (On 3.2, I didn't see a withoutUserAssigned.)
Yeah, seems so. Updated the use case. Portal and CLI automatically do the "without" for the user if they detect that the user-assigned identity has changed. We'll probably not do this, in case they allow it somehow.
> withEncryptionFromStorage would be the default for a storage account (it is always encrypted), correct?
Correct.
I'll let them know about the case-sensitivity issue.

Agree. We'd better have user explicitly do the "without".