I have a key vault present in subscription A I want to use it for the VMs present in subscription B. How can we achieve this goal.

Hello @Aditya Vashisth The only limitation you would have is one set by yourself with permissions. Azure does not place any restrictions on you accessing keys in a different subscription within the same tenant. Follow the steps here and create your key vault in Subscription A and the VM in Subscription B. https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal If you are wanting to use Key Vault across tenants, then read the documentation here to find which scenarios best suits your requirements, https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/key-vault kind regards Alistair

How I can use CMKs from a key vault from one subscription for the VMs in another subscription

Accepted answer

Alistair Ross 7,106 Reputation points Microsoft Employee

2023-06-19T09:41:48.71+00:00

Hello @Aditya Vashisth

The only limitation you would have is one set by yourself with permissions. Azure does not place any restrictions on you accessing keys in a different subscription within the same tenant.

Follow the steps here and create your key vault in Subscription A and the VM in Subscription B. https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal

If you are wanting to use Key Vault across tenants, then read the documentation here to find which scenarios best suits your requirements, https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/key-vault

kind regards

Alistair
Please sign in to rate this answer.
JamesTran-MSFT 36,491 Reputation points Microsoft Employee

2023-06-20T19:40:31.6+00:00

@Aditya Vashisth

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Aditya Vashisth 25 Reputation points

2023-06-21T03:33:13.2833333+00:00

Hi James, thanks for the documentation. Actually in the documentation as well it says for the same subscription. I have created key vault in sub A and disk encryption set in sub B. I have associated the key from keyvault of sub A to the disk encryption set in sub B. But I cant find my disk encryption set option while Im trying to encrypt the disk of VM in sub B. What could be the possible issues.

Alistair Ross 7,106 Reputation points Microsoft Employee

2023-06-21T11:02:56.1066667+00:00

Your disk encryption set, VM, disks, and snapshots must all be in the same region and subscription for deployment to succeed. Azure Key Vaults may be used from a different subscription but must be in the same region and tenant as your disk encryption set. Can you confirm that this is the case in your environment?

Aditya Vashisth 25 Reputation points

2023-06-27T06:50:02.17+00:00

I have created a key vault in subscription A, I have used Key vault access policies to create it. I have created a key in that key vault. Now Im creating a Disk Encryption Set in Subscription B (the region is as same as key vault). Im still not able to attach the key vault to that Disk Encryption set in subscription B.

Aditya Vashisth 25 Reputation points

2023-06-27T06:51:00.0833333+00:00

Also is there anything I need to provide to additional access to key vault access policies to get that vault in available in another subscription?

Alistair Ross 7,106 Reputation points Microsoft Employee

2023-06-27T08:49:04.3+00:00

Are you trying to select the key vault from the drop down? You will need to use the Key URI instead as you won't be able to select a key vault in a different subscription in the UI

Aditya Vashisth 25 Reputation points

2023-06-27T16:02:48.4166667+00:00

Yes it worked from the URI. But now the deployment is not getting successful for Disk Encryption Set. It says the below error:
The resource write operation failed to complete successfully, because it reached terminal provisioning state "Failed".

Aditya Vashisth 25 Reputation points

2023-06-27T16:18:21.6733333+00:00

Now Im able to. It was syntax error from my end only. Thank you so much for your help.

Aditya Vashisth 25 Reputation points

2023-06-27T16:37:07.47+00:00

It worked, Thanks

JamesTran-MSFT 36,491 Reputation points Microsoft Employee

2023-06-27T17:13:13.61+00:00

@Aditya Vashisth

Thank you for following up on this and I'm glad that @Alistair Ross was able to help point you in the right direction to resolve your issue!

Thank you for your time and patience throughout this.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Aditya Vashisth 25 Reputation points

2023-06-27T17:23:05.6266667+00:00

Sure.
Sign in to comment

Share via

How I can use CMKs from a key vault from one subscription for the VMs in another subscription

0 additional answers