Customer-managed keys - overview
Azure Managed Instance for Apache Cassandra provides the capability to encrypt data on disk using your own key. This article describes how to implement customer-managed keys with Azure Key Vault.
Prerequisites
- Set up a secret using Azure Key Vault. Learn more about Azure Key Vault here.
- Deployed a virtual network in your resource group, and applied the network contributor role with the Azure Cosmos DB service principal as a member. See Create an Azure Managed Instance for Apache Cassandra cluster using Azure CLI for more detail.
Important
This article requires the Azure CLI version 2.30.0 or higher. If you are using Azure Cloud Shell, the latest version is already installed.
Create a cluster with system assigned identity
Note
As mentioned in the prerequisites, to avoid deployment failure, make sure you have applied the appropriate role to your virtual network before attempting to deploy a managed instance cluster:
az role assignment create \
--assignee a232010e-820c-4083-83bb-3ace5fc29d0b \
--role 4d97b98b-1d4f-4787-a291-c67834d212e7 \
--scope /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>
Create a cluster by specifying identity type as SystemAssigned, replacing <subscriptionID>, <resourceGroupName>, <vnetName>, and <subnetName> with the appropriate values:

subnet="/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/<subnetName>"
cluster="thvankra-cmk-test-wcus"
group="thvankra-nova-cmk-test"
region="westcentralus"
password="PlaceholderPassword"

az managed-cassandra cluster create \
--identity-type SystemAssigned \
--resource-group $group \
--location $region \
--cluster-name $cluster \
--delegated-management-subnet-id $subnet \
--initial-cassandra-admin-password $password

Get the identity information of the created cluster
az managed-cassandra cluster show -c $cluster -g $group

The output will include an identity section like the below. Copy principalId for later use:

"identity": {
  "principalId": "1aa51c7f-196a-4013-a656-1ccabfdc54e0",
  "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
  "type": "SystemAssigned"
}

In Azure Key Vault, create an access policy to your keys:
Assign the get, wrap and unwrap key permissions on the key vault to the cluster's principalId retrieved above. In the portal, you can also look up the Principal ID of the cluster by the cluster's name.
Warning
Make sure the key vault has Purge Protection enabled. Datacenter deployments will fail without it.
After you click on add to add the access policy, make sure you save it.
To get the key identifier, select your key:
Click on current version:
Save the key identifier for later use:
Create the datacenter by replacing <key identifier> with the same key (the URI you copied in the previous step) for both managed disk (managed-disk-customer-key-uri) and backup storage (backup-storage-customer-key-uri) encryption as shown below (use the same value for subnet that you used earlier). Note that shell variable assignments must not have spaces around the equals sign:

managedDiskKeyUri="<key identifier>"
backupStorageKeyUri="<key identifier>"
group="thvankra-nova-cmk-test"
region="westcentralus"
cluster="thvankra-cmk-test-2"
dc="dc1"
nodecount=3
subnet="/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/<subnetName>"

az managed-cassandra datacenter create \
--resource-group $group \
--cluster-name $cluster \
--data-center-name $dc \
--managed-disk-customer-key-uri $managedDiskKeyUri \
--backup-storage-customer-key-uri $backupStorageKeyUri \
--node-count $nodecount \
--delegated-subnet-id $subnet \
--data-center-location $region \
--sku Standard_DS14_v2

An existing cluster with no identity information can be assigned an identity as shown below:
az managed-cassandra cluster update --identity-type SystemAssigned -g $group -c $cluster
Rotating the key
Below is the command to update the key:
managedDiskKeyUri="<key identifier>"
backupStorageKeyUri="<key identifier>"

az managed-cassandra datacenter update \
--resource-group $group \
--cluster-name $cluster \
--data-center-name $dc \
--managed-disk-customer-key-uri $managedDiskKeyUri \
--backup-storage-customer-key-uri $backupStorageKeyUri
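The following preflight script is an added example, not part of this article or of the az CLI. It checks the two inputs that both the datacenter create command and the key rotation command above depend on: that each key identifier is a versioned key URI of the kind copied from the key's current version, and that the vault has Purge Protection enabled. It assumes the vault description is obtained with `az keyvault show --name <vaultName> -o json`; the sample values are constructed.

```shell
#!/bin/sh
# Preflight checks for the CMK datacenter create/update commands above.
# Added example, not part of the Azure documentation or the az CLI.
# Assumption: the caller obtains the vault description with
#   vault_json=$(az keyvault show --name <vaultName> -o json)
# and passes it in; the sample input below is constructed for offline use.

# A versioned key identifier has the form
# https://<vault>.vault.azure.net/keys/<keyName>/<32-hex-version>.
# Returns 0 for a versioned identifier, 1 otherwise (an unversioned URI
# is not what the article asks you to copy).
check_key_uri() {
    printf '%s\n' "$1" |
      grep -Eq '^https://[A-Za-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+/[0-9a-f]{32}$'
}

# Purge Protection must be enabled or the datacenter deployment fails.
# Returns 0 when properties.enablePurgeProtection is true in the JSON.
check_purge_protection() {
    printf '%s\n' "$1" | grep -Eq '"enablePurgeProtection": *true'
}

# Runs every check; returns the number of failed checks (0 = ready).
preflight() {
    disk_uri=$1 backup_uri=$2 vault_json=$3 failures=0
    check_key_uri "$disk_uri" ||
      { echo "managed-disk-customer-key-uri is not a versioned key identifier"; failures=$((failures + 1)); }
    check_key_uri "$backup_uri" ||
      { echo "backup-storage-customer-key-uri is not a versioned key identifier"; failures=$((failures + 1)); }
    check_purge_protection "$vault_json" ||
      { echo "key vault does not have Purge Protection enabled"; failures=$((failures + 1)); }
    return "$failures"
}

# Constructed sample input: a versioned key identifier and a trimmed
# `az keyvault show` response for a vault without Purge Protection.
SAMPLE_KEY_URI='https://contoso-kv.vault.azure.net/keys/cassandra-cmk/0123456789abcdef0123456789abcdef'
SAMPLE_VAULT_JSON='{ "properties": { "enableSoftDelete": true, "enablePurgeProtection": false } }'

# Usage: run preflight before `az managed-cassandra datacenter create` or
# `update`; with the sample vault above it reports one failed check.
rc=0
preflight "$SAMPLE_KEY_URI" "$SAMPLE_KEY_URI" "$SAMPLE_VAULT_JSON" || rc=$?
echo "preflight finished with $rc failed check(s)"
```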