articles/azure-app-configuration/concept-customer-managed-keys.md (16 additions & 2 deletions)
@@ -36,7 +36,9 @@ The following components are required to successfully enable the customer-manage
36
36
After these resources are configured, use the following steps so that the Azure App Configuration can use the Key Vault key:
37
37
38
38
1. Assign a managed identity to the Azure App Configuration instance.
39
-
1. Grant the identity `GET`, `WRAP`, and `UNWRAP` permissions in the target Key Vault's access policy.
39
+
1. Grant permissions to the identity to be able to access the Key Vault key.
40
+
* For Key Vault's with [Azure RBAC](../key-vault/general/rbac-guide.md) enabled, assign the identity the `Key Vault Crypto Service Encryption User` role on the target Key Vault.
41
+
* For Key Vault's using access policy authorization, grant the identity `GET`, `WRAP`, and `UNWRAP` permissions in the target Key Vault's access policy.
40
42
41
43
## Enable customer-managed key encryption for your App Configuration store
42
44
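Review bot: Both new sub-bullets use a possessive apostrophe where a plural is meant; `* For Key Vault's with [Azure RBAC](../key-vault/general/rbac-guide.md) enabled` and `* For Key Vault's using access policy authorization` should read `For Key Vaults with ...` and `For Key Vaults using ...`. It would also help the reader to say in the RBAC bullet that the `Key Vault Crypto Service Encryption User` role covers the same `GET`, `WRAP`, and `UNWRAP` key operations listed in the access-policy bullet, so that neither option is mistaken for a broader grant than the other.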
@@ -76,7 +78,19 @@ After these resources are configured, use the following steps so that the Azure
76
78
}
77
79
```
78
80
79
-
1. The managed identity of the Azure App Configuration instance needs access to the key to perform key validation, encryption, and decryption. The specific set of actions to which it needs access includes: `GET`, `WRAP`, and `UNWRAP` for keys. Granting access requires the principal ID of the App Configuration instance's managed identity. Replace the value shown below as `contoso-principalId` with the principal ID obtained in the previous step. Grant permission to the managed key by using the command line:
81
+
1. The managed identity of the Azure App Configuration instance needs access to the key to perform key validation, encryption, and decryption. The specific set of actions to which it needs access includes: `GET`, `WRAP`, and `UNWRAP` for keys. These permissions can be granted by assigning the `Key Vault Crypto Service Encryption User` role for Azure RBAC enabled Key Vaults. For Key Vaults using access policy authorization, set the policy for the aforementioned key permissions. Granting access requires the principal ID of the App Configuration instance's managed identity. Replace the value shown below as `contoso-principalId` with the principal ID obtained in the previous step. Grant permission to the managed key by using the command line:
82
+
83
+
### [Azure RBAC](#tab/azurerbac)
84
+
85
+
For Key Vaults with Azure RBAC enabled, use the following command.
86
+
87
+
```azurecli
88
+
az role assignment create --assignee contoso-principalId --role "Key Vault Crypto Service Encryption User" --scope key-vault-resource-id
89
+
```
90
+
91
+
### [Access Policy](#tab/accesspolicy)
92
+
93
+
For Key Vaults using access policy authorization, use the following command.
80
94
81
95
```azurecli
82
96
az keyvault set-policy -n contoso-vault --object-id contoso-principalId --key-permissions get wrapKey unwrapKey
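Review bot: The rewritten step still tells the reader to replace only `contoso-principalId`, but the new RBAC command introduces a second placeholder, `--scope key-vault-resource-id`, that is never explained; add a sentence stating that `key-vault-resource-id` must be replaced with the resource ID of the target Key Vault, and consider naming it in the same `contoso-` style as the `contoso-vault` used by `-n` in the access-policy command so the two tabs read consistently. As a style point, "set the policy for the aforementioned key permissions" is wordier than needed and could simply say "grant the same key permissions in the access policy".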