Support changes for ConfidentialVMv2 #31881

@linuxelf001

Preconditions

  • No need to upgrade Python SDK or the Python SDK is ready.

Related command

az disk create
az disk grant-access

Resource Provider

Microsoft.Compute/disks, Microsoft.Compute/snapshots

Description of Feature or Work Requested

Feature request to add an output value and a new parameter to the following commands to support Confidential VM OS disks:

az disk create
az disk grant-access

Feature request is to provide customers with Confidential VM disk management:

Import managed OS disk for Confidential VM with an additional attribute in the request - securityMetadataUri
Export managed OS disk for Confidential VM returns an additional attribute in the response - securityMetadataAccessSAS

  1. az disk create

    New Parameter
    --security-metadata-uri
    New string parameter --security-metadata-uri for command az disk create:

    Allows the customer to pass the blob URI for the VM metadata VHD.
    When specified, the command should interpret that the disk will be imported from an unmanaged VHD in a storage account or from another managed disk for the Confidential VM OS disk security type.
    This is the URI of a blob to be imported into VM metadata.

  2. az disk grant-access

    Output would show additional securityMetadataAccessSAS in response.

Examples:

  1. Secure Import of Confidential VM OS Disk
    Create disk with --security-metadata-uri parameter:

    az disk create -n $diskName -g $resourceGroup \
    -l $location --os-type Windows --hyper-v-generation V2 \
    --security-type "ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey" \
    --source $sourceDiskVhdUri --security-data-uri $guestStateDiskVhdUri --security-metadata-uri $metadataDiskVhdUri \
    --sku standard_lrs

  2. Export of Confidential VM OS Disk

    Grant access to generate accessSas, securityDataAccessSAS and securityMetadataAccessSAS using the --secure-vm-guest-state-sas parameter:

    diskSas=$(az disk grant-access -n $diskName -g $resourceGroupName \
    --access-level Write --duration-in-seconds 86400 \
    --secure-vm-guest-state-sas)

    Returned value schema:

    {
        "accessSas": "https://md-impexp-t0rdsfgsdfg4.blob.core.windows.net/w2c3mj0ksfgl/abcd?sv=2017-04-17&sr=b&si=600a9281-d39e-4cc3-91d2-923c4a696537&sig=xXaT6mFgf139ycT87CADyFxb%2BnPXBElYirYRlbnJZbs%3D",
        "securityDataAccessSAS": "VM Guest State Sas URI",
        "securityMetadataAccessSAS": "VM Metadata Sas URI"
    }
    

Minimum API Version Required

2025-01-02

Swagger PR link / SDK link

Azure/azure-rest-api-specs#35011

Request Example

No response

Target Date

2025-09-02

PM Contact

raginjup, geg, runcai

Engineer Contact

aayushkher, raharwadekar

Additional context

No response
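
Added example, not part of the original issue or the Azure CLI code base: a Python check for the export response described under "Export of Confidential VM OS Disk", confirming that all three SAS fields are present and producing a redacted copy that can be written to logs. It assumes the two security fields hold HTTPS SAS URIs shaped like accessSas (the issue shows only placeholders); the function names and the sample values are constructed.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Field names as listed in the issue's "Returned value schema".
SAS_FIELDS = ("accessSas", "securityDataAccessSAS", "securityMetadataAccessSAS")


def redact_sas(uri):
    """Return the URI with its query string (the SAS token) replaced."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc}{parts.path}?<redacted>"


def check_grant_access_output(raw):
    """Validate the JSON printed by `az disk grant-access` and return a
    {field: redacted_uri} dict that is safe to log.

    Raises ValueError when a field is missing, is not an https URI, or
    carries no non-empty `sig` parameter (assumed SAS shape, see lead-in).
    """
    doc = json.loads(raw)
    safe = {}
    for field in SAS_FIELDS:
        uri = doc.get(field)
        if not isinstance(uri, str) or not uri:
            raise ValueError(f"{field} missing from response")
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{field} is not an https URI")
        # parse_qs drops blank values, so an empty sig= also fails here.
        if "sig" not in parse_qs(parts.query):
            raise ValueError(f"{field} carries no SAS signature")
        safe[field] = redact_sas(uri)
    return safe


# Constructed sample response: hosts, paths and signatures are made up.
SAMPLE = json.dumps({
    "accessSas": "https://md-example.invalid/c/os?sv=2017-04-17&sr=b&sig=AAAA",
    "securityDataAccessSAS": "https://md-example.invalid/c/vmgs?sv=2017-04-17&sr=b&sig=BBBB",
    "securityMetadataAccessSAS": "https://md-example.invalid/c/vmmd?sv=2017-04-17&sr=b&sig=CCCC",
})

if __name__ == "__main__":
    for name, uri in check_grant_access_output(SAMPLE).items():
        print(f"{name}: {uri}")
```
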
