diff --git a/src/Sql/Sql/Common/TdeKeyHelper.cs b/src/Sql/Sql/Common/TdeKeyHelper.cs
index 6ecbc60f129d..51eaf3ba535e 100644
--- a/src/Sql/Sql/Common/TdeKeyHelper.cs
+++ b/src/Sql/Sql/Common/TdeKeyHelper.cs
@@ -30,7 +30,9 @@ class TdeKeyHelper
///
/// Creates the SQL Server Key Name from an Azure Key Vault KeyId
/// Throws an exception if the provided KeyId is malformed.
- /// An example of a well formed Azure Key Vault KeyId is: https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901
+ /// Examples of well formed Azure Key Vault KeyIds are:
+ /// https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901 (versioned)
+ /// https://YourVaultName.vault.azure.net/keys/YourKeyName (versionless)
///
/// The full Azure Key Vault KeyId
/// The Server Key Name for the provided KeyId
@@ -41,8 +43,8 @@ public static string CreateServerKeyNameFromKeyId(string keyId)
return ServerKeyType.ServiceManaged.ToString();
}
- // Validate that the url is a keyvault url and has a key and version
- Regex r = new Regex(@"https://(.)+\.(managedhsm.azure.net|managedhsm-preview.azure.net|vault.azure.net|vault-int.azure-int.net|vault.azure.cn|managedhsm.azure.cn|vault.usgovcloudapi.net|managedhsm.usgovcloudapi.net|vault.microsoftazure.de|managedhsm.microsoftazure.de|vault.cloudapi.eaglex.ic.gov|vault.cloudapi.microsoft.scloud)(:443)?\/keys/[^\/]+\/[0-9a-zA-Z]+$", RegexOptions.IgnoreCase);
+ // Validate that the url is a keyvault url and has a key with an optional version
+ Regex r = new Regex(@"^https://(.)+\.(managedhsm\.azure\.net|managedhsm-preview\.azure\.net|vault\.azure\.net|vault-int\.azure-int\.net|vault\.azure\.cn|managedhsm\.azure\.cn|vault\.usgovcloudapi\.net|managedhsm\.usgovcloudapi\.net|vault\.microsoftazure\.de|managedhsm\.microsoftazure\.de|vault\.cloudapi\.eaglex\.ic\.gov|vault\.cloudapi\.microsoft\.scloud|mdep\.azure\.net)(:443)?/keys/[^/]+(/([0-9a-zA-Z]+))?/?$", RegexOptions.IgnoreCase);
if (!r.IsMatch(keyId))
{
// Throw an error here, since we don't want to use a non keyvault url
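Review bot: The host part of the new pattern is still `(.)+`, which also matches `/`, `@` and `?`, so an allowed suffix such as `vault.azure.net` can satisfy the check while sitting in the path or userinfo rather than in the host that `new Uri(keyId)` later reports. The added `^` and the escaped dots tighten the suffix list but do not close this gap; restricting the prefix to host characters would, for example `^https://[0-9a-zA-Z.-]+\.(` in place of `^https://(.)+\.(`. The next hunk is affected by the same gap, because it trusts the match when it reads `pathSegments[1]` as the key name and `uri.Host` as the vault. An explicit comparison of `uri.Host` against the allowed suffixes after parsing would be a sound second check. The body of CreateServerKeyNameFromKeyId starts and ends outside this hunk.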
@@ -53,10 +55,17 @@ public static string CreateServerKeyNameFromKeyId(string keyId)
var uri = new Uri(keyId);
string vault = uri.Host.Split('.').First();
- string key = uri.Segments[2].TrimEnd('/');
- string version = uri.Segments.Last();
+ string[] pathSegments = uri.AbsolutePath.Trim('/').Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
+ string key = pathSegments[1];
+ bool hasVersion = pathSegments.Length >= 3 && !string.IsNullOrEmpty(pathSegments[2]);
- return String.Format("{0}_{1}_{2}", vault, key, version);
+ if (hasVersion)
+ {
+ string version = pathSegments[2];
+ return String.Format("{0}_{1}_{2}", vault, key, version);
+ }
+
+ return String.Format("{0}_{1}", vault, key);
}
}
}
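Review bot: The `hasVersion` line carries two checks that can never fire. `Split` is called with `StringSplitOptions.RemoveEmptyEntries`, so `pathSegments[2]` is never empty and the preceding `Trim('/')` changes nothing; `bool hasVersion = pathSegments.Length >= 3;` reads the same and is easier to audit. The method now returns two name shapes, `vault_key` for a versionless KeyId and `vault_key_version` for a versioned one, and the returns description in the doc comment should say so. The method starts outside this hunk.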
diff --git a/src/Sql/Sql/Properties/Resources.Designer.cs b/src/Sql/Sql/Properties/Resources.Designer.cs
index dafe81f71706..939e4c636742 100644
--- a/src/Sql/Sql/Properties/Resources.Designer.cs
+++ b/src/Sql/Sql/Properties/Resources.Designer.cs
@@ -709,7 +709,7 @@ internal static string InvalidGraphEndpoint {
}
///
- /// Looks up a localized string similar to Invalid parameter format for keyId: '{0}'. It should be a well formed Azure Key Vault KeyId like: https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901.
+ /// Looks up a localized string similar to Invalid parameter format for keyId: '{0}'. It should be a well formed Azure Key Vault KeyId such as https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901 (versioned) or https://YourVaultName.vault.azure.net/keys/YourKeyName (versionless).
///
internal static string InvalidKeyId {
get {
diff --git a/src/Sql/Sql/Properties/Resources.resx b/src/Sql/Sql/Properties/Resources.resx
index 2f21b723df37..f9757a9925cf 100644
--- a/src/Sql/Sql/Properties/Resources.resx
+++ b/src/Sql/Sql/Properties/Resources.resx
@@ -454,7 +454,7 @@
KeyId parameter is required for encryption protector type AzureKeyVault
- Invalid parameter format for keyId: '{0}'. It should be a well formed Azure Key Vault KeyId like: https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901
+ Invalid parameter format for keyId: '{0}'. It should be a well formed Azure Key Vault KeyId such as https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901 (versioned) or https://YourVaultName.vault.azure.net/keys/YourKeyName (versionless).
Setting Azure Sql Database Managed Instance '{0}'.
@@ -778,4 +778,4 @@
SoftDeleteRetentionDays must be between 1 and 35 when EnableSoftDelete is true.
-
\ No newline at end of file
+
diff --git a/src/Sql/Sql/help/Add-AzSqlServerKeyVaultKey.md b/src/Sql/Sql/help/Add-AzSqlServerKeyVaultKey.md
index fe60bc06dd79..df81e0b8328d 100644
--- a/src/Sql/Sql/help/Add-AzSqlServerKeyVaultKey.md
+++ b/src/Sql/Sql/help/Add-AzSqlServerKeyVaultKey.md
@@ -38,7 +38,7 @@ Thumbprint : 1122334455667788990011223344556677889900
CreationDate : 1/1/2017 12:00:00 AM
```
-This command adds the Key Vault key with Id 'https://contoso.vault.azure.net/keys/contosokey/01234567890123456789012345678901' to the SQL server named 'ContosoServer' in the resource group 'ContosoResourceGroup'.
+This command adds the Key Vault key with Id 'https://contoso.vault.azure.net/keys/contosokey/01234567890123456789012345678901' to the SQL server named 'ContosoServer' in the resource group 'ContosoResourceGroup'. Versionless key IDs, for example 'https://contoso.vault.azure.net/keys/contosokey', are also supported.
## PARAMETERS
diff --git a/src/Sql/Sql/help/Get-AzSqlServerKeyVaultKey.md b/src/Sql/Sql/help/Get-AzSqlServerKeyVaultKey.md
index 20b97a1ed694..d82cc39b210b 100644
--- a/src/Sql/Sql/help/Get-AzSqlServerKeyVaultKey.md
+++ b/src/Sql/Sql/help/Get-AzSqlServerKeyVaultKey.md
@@ -53,7 +53,7 @@ $MyServerKeyVaultKey = Get-AzSqlServerKeyVaultKey -KeyId 'https://contoso.vault.
```
This command gets the Key Vault key with Id 'https://contoso.vault.azure.net/keys/contosokey/01234567890123456789012345678901', and then stores it in the $MyServerKeyVaultKey variable.
-You can inspect the properties of $MyServerKeyVaultKey to get details about the key vault.
+You can inspect the properties of $MyServerKeyVaultKey to get details about the key vault. Versionless key IDs, for example 'https://contoso.vault.azure.net/keys/contosokey', are also supported.
## PARAMETERS
diff --git a/src/Sql/Sql/help/Set-AzSqlServerTransparentDataEncryptionProtector.md b/src/Sql/Sql/help/Set-AzSqlServerTransparentDataEncryptionProtector.md
index 6be93eb3a359..697a746ccaa3 100644
--- a/src/Sql/Sql/help/Set-AzSqlServerTransparentDataEncryptionProtector.md
+++ b/src/Sql/Sql/help/Set-AzSqlServerTransparentDataEncryptionProtector.md
@@ -48,7 +48,7 @@ ResourceGroupName ServerName Type ServerKeyVaultKeyName
ContosoResourceGroup ContosoServer AzureKeyVault contoso_contosokey_01234567890123456789012345678901
```
-This command updates a server to use the Server Key Vault Key with Id 'https://contoso.vault.azure.net/keys/contosokey/01234567890123456789012345678901' as the TDE protector.
+This command updates a server to use the Server Key Vault Key with Id 'https://contoso.vault.azure.net/keys/contosokey/01234567890123456789012345678901' as the TDE protector. You can also specify a versionless key, for example 'https://contoso.vault.azure.net/keys/contosokey'.
### Example 3
@@ -123,7 +123,7 @@ Accept wildcard characters: False
```
### -KeyId
-The Azure Key Vault KeyId.
+The Azure Key Vault KeyId. Supports versioned and versionless key IDs.
```yaml
Type: System.String