Comments (5)
We may need to support the full MMK and CMK use cases.
Docs: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview

Proposal:
- Add an override `withExistingUserAssignedManagedServiceIdentity(identityId)`.
- Add an override `withEncryptionFromKeyVault(vaultUri, key, version, userAssignedIdentityId)`.
- Add `withEncryptionFromStorage` to update encryption from CMK to MMK.

Use cases

1. Create storage account with CMK

```java
StorageAccount storageAccount = storageManager
    .storageAccounts()
    .define(saName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup(rgName)
    .withExistingUserAssignedManagedServiceIdentity(defaultIdentity)
    .withEncryptionFromKeyVault(vaultUri, key, version, defaultIdentity.id())
    .create();
```

2. Update existing storage account from MMK to CMK

```java
StorageAccount storageAccount = storageManager
    .storageAccounts()
    .define(saName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup(rgName)
    .create();

storageAccount.update()
    .withExistingUserAssignedManagedServiceIdentity(defaultIdentity)
    .withEncryptionFromKeyVault(vaultUri, key, version, defaultIdentity.id())
    .apply();
```

3. Update existing storage account's CMK

3.1 From system-assigned to user-assigned, and vice versa. After the update, the StorageAccount's identity type will be SYSTEM_AND_USER_ASSIGNED.

```java
StorageAccount storageAccount = storageManager
    .storageAccounts()
    .define(saName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup(rgName)
    .withSystemAssignedManagedServiceIdentity()
    .withEncryptionFromKeyVault(vaultUri, key, version)
    .create();

// from system-assigned to user-assigned
storageAccount.update()
    .withEncryptionFromKeyVault(vaultUri, key, version, identity.id())
    .withExistingUserAssignedManagedServiceIdentity(identity)
    .apply();

// from user-assigned to system-assigned (I'm not able to find a way to express this using existing interfaces)
storageAccount.update()
    .withEncryptionFromKeyVault(vaultUri, key, version) // without the identity id, it'll be changed to system-assigned
    .apply();
```

3.2 From one user-assigned to another user-assigned.

```java
StorageAccount storageAccount = storageManager
    .storageAccounts()
    .define(saName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup(rgName)
    .withEncryptionFromKeyVault(vaultUri, key, version, identity1.id())
    .withExistingUserAssignedManagedServiceIdentity(identity1)
    .create();

storageAccount.update()
    .withEncryptionFromKeyVault(vaultUri, key, version, identity2.id())
    .withExistingUserAssignedManagedServiceIdentity(identity2.id())
    .withoutExistingUserAssignedManagedServiceIdentity(identity1.id())
    .apply();
```

4. From CMK to MMK.

```java
StorageAccount storageAccount = storageManager
    .storageAccounts()
    .define(saName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup(rgName)
    .withEncryptionFromKeyVault(vaultUri, key, version, identity1.id())
    .withExistingUserAssignedManagedServiceIdentity(identity1)
    .create();

storageAccount.update()
    .withEncryptionFromStorage() // MMK
    .apply();
```
from azure-sdk-for-java.
LGTM

We do want the user to explicitly put the `identity` or `identity id` when setting the encryption.

Questions:
- Does the storage account only allow 1 user-assigned managed identity? (On 3.2, I didn't see a `withoutUserAssigned`.)
- `withEncryptionFromStorage` would be the default for a storage account (it is always encrypted), correct?
from azure-sdk-for-java.
The casing on the ID seems to be a backend bug to me. I assume this part would be case-insensitive.
from azure-sdk-for-java.
> Does the storage account only allow 1 user-assigned managed identity? (On 3.2, I didn't see a `withoutUserAssigned`.)

Yeah, seems so. Updated the use case. Portal and CLI automatically do the `without` for the user if they detect that the user-assigned identity has changed. We'll probably not do this, in case they allow it somehow.

> `withEncryptionFromStorage` would be the default for a storage account (it is always encrypted), correct?

Correct.

I'll let them know about the case-sensitivity case.
from azure-sdk-for-java.
Agree. We'd better have the user explicitly do the "without".
from azure-sdk-for-java.
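An added example, not code from this thread or from azure-sdk-for-java: a Python check that reads a storage account's ARM resource JSON, classifies it as MMK or CMK, and flags the identity problems discussed above (an encryption identity reference that matches an attached user-assigned identity only case-insensitively, a CMK setup with no usable identity, an identity left attached after moving back to MMK). Property names follow the Microsoft.Storage ARM schema; the resource ids and sample resources are constructed.

```python
MMK = "Microsoft.Storage"   # keySource when Microsoft manages the key (the default)
CMK = "Microsoft.Keyvault"  # keySource when the key lives in the customer's Key Vault

def describe_encryption(account):
    """Return {'mode', 'identity', 'findings'} for one storage account ARM resource."""
    enc = account.get("properties", {}).get("encryption", {}) or {}
    ident = account.get("identity", {}) or {}
    # map lower-cased attached identity ids -> ids as written in the resource
    attached = {k.lower(): k for k in (ident.get("userAssignedIdentities") or {})}
    findings = []
    if enc.get("keySource", MMK) == MMK:
        if attached:
            findings.append("MMK in use but user-assigned identities are still attached")
        return {"mode": "MMK", "identity": None, "findings": findings}
    kv = enc.get("keyvaultproperties", {}) or {}
    if not kv.get("keyvaulturi") or not kv.get("keyname"):
        findings.append("CMK configured without keyvaulturi/keyname")
    if not kv.get("keyversion"):
        # an empty keyversion means the account follows the latest key version automatically
        findings.append("keyversion empty: key version auto-rotates to latest")
    cmk_id = (enc.get("identity") or {}).get("userAssignedIdentity")
    if cmk_id is None:
        # no user-assigned identity named for CMK, so the system-assigned identity is used
        if "SystemAssigned" not in ident.get("type", ""):
            findings.append("CMK relies on system-assigned identity but none is enabled")
        return {"mode": "CMK", "identity": "system-assigned", "findings": findings}
    if cmk_id not in attached.values():
        if cmk_id.lower() in attached:
            findings.append("encryption identity id differs only by case from the attached identity")
        else:
            findings.append("encryption identity is not attached to the account")
    return {"mode": "CMK", "identity": "user-assigned", "findings": findings}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
ID1 = SUB + "/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1"

# Constructed resource: CMK with a user-assigned identity that the encryption block
# references with different casing (the casing issue raised in the thread).
SAMPLE_CMK = {
    "identity": {"type": "SystemAssigned,UserAssigned", "userAssignedIdentities": {ID1: {}}},
    "properties": {"encryption": {
        "keySource": CMK,
        "keyvaultproperties": {"keyvaulturi": "https://kv.vault.azure.net/", "keyname": "k", "keyversion": ""},
        "identity": {"userAssignedIdentity": ID1.lower()},
    }},
}
# Constructed resource: plain MMK account with no managed identity.
SAMPLE_MMK = {"identity": {"type": "None"}, "properties": {"encryption": {"keySource": MMK}}}
```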