You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/postgresql/flexible-server/concepts-data-encryption.md
+5-3Lines changed: 5 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -64,8 +64,10 @@ For a PostgreSQL server to use CMKs stored in Key Vault for encryption of the DE
64
64
65
65
The Key Vault administrator can also [enable logging of Key Vault audit events](../../key-vault/general/howto-logging.md?tabs=azure-cli), so they can be audited later.
66
66
67
+
Alternative to *access rights* assignment , as explained above, you can create a new Azure RBAC role assignment with the role [Key Vault Crypto Service Encryption User](../../key-vault/general/rbac-guide.md#azure-built-in-roles-for-key-vault-data-plane-operations).
68
+
67
69
> [!IMPORTANT]
68
-
> Not providing the preceding access rights to a managed identity for access to Key Vault might result in failure to fetch an encryption key and failure to set up the CMK feature.
70
+
> Not providing the preceding access rights or RBAC assignment to a managed identity for access to Key Vault might result in failure to fetch an encryption key and failure to set up the CMK feature.
69
71
70
72
When you configure the server to use the CMK stored in Key Vault, the server sends the DEK to Key Vault for encryption. Key Vault returns the encrypted DEK stored in the user database. When necessary, the server sends the protected DEK to Key Vault for decryption. Auditors can use Azure Monitor to review Key Vault audit event logs, if logging is turned on.
71
73
@@ -85,7 +87,7 @@ Here are requirements for configuring Key Vault:
85
87
86
88
- Enable purge protection to enforce a mandatory retention period for deleted vaults and vault objects.
87
89
88
-
- Grant the Azure Database for PostgreSQL flexible server instance access to Key Vault with the **get**, **list**, **wrapKey**, and **unwrapKey** permissions, by using its unique managed identity.
90
+
- Grant the Azure Database for PostgreSQL flexible server instance access to Key Vault with the **get**, **list**, **wrapKey**, and **unwrapKey** permissions, by using its unique managed identity. Alternatively, create a new Azure RBAC role assignment with the role **[Key Vault Crypto Service Encryption User](../../key-vault/general/rbac-guide.md#azure-built-in-roles-for-key-vault-data-plane-operations)** for the managed identity.
89
91
90
92
Here are requirements for configuring the CMK in Azure Database for PostgreSQL flexible server:
91
93
@@ -170,7 +172,7 @@ Some of the reasons why the server state becomes **Inaccessible** are:
170
172
171
173
- If you delete the Key Vault instance, the Azure Database for PostgreSQL flexible server instance can't access the key and moves to an **Inaccessible** state. To make the server **Available**, [recover the Key Vault instance](../../key-vault/general/key-vault-recovery.md) and revalidate the data encryption.
172
174
- If you delete the key from Key Vault, the Azure Database for PostgreSQL flexible server instance can't access the key and moves to an **Inaccessible** state. To make the server **Available**, [recover the key](../../key-vault/general/key-vault-recovery.md) and revalidate the data encryption.
173
-
- If you delete, from Microsoft Entra ID, a [managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) that's used to retrieve a key from Key Vault, the Azure Database for PostgreSQL flexible server instance can't access the key and moves to an **Inaccessible** state. To make the server **Available**, [recover the identity](../../active-directory/fundamentals/recover-from-deletions.md) and revalidate data encryption.
175
+
- If you delete, from Microsoft Entra ID, a [managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) that's used to retrieve a key from Key Vault, or by delete Azure RBAC role assignment with the role [Key Vault Crypto Service Encryption User](../../key-vault/general/rbac-guide.md#azure-built-in-roles-for-key-vault-data-plane-operations). the Azure Database for PostgreSQL flexible server instance can't access the key and moves to an **Inaccessible** state. To make the server **Available**, [recover the identity](../../active-directory/fundamentals/recover-from-deletions.md) and revalidate data encryption.
174
176
- If you revoke the Key Vault **list**, **get**, **wrapKey**, and **unwrapKey** access policies from the [managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) that's used to retrieve a key from Key Vault, the Azure Database for PostgreSQL flexible server instance can't access the key and moves to an **Inaccessible** state. [Add required access policies](../../key-vault/general/assign-access-policy.md) to the identity in Key Vault.
175
177
- If you set up overly restrictive Key Vault firewall rules, Azure Database for PostgreSQL flexible server can't communicate with Key Vault to retrieve keys. When you configure a Key Vault firewall, be sure to select the option to allow [trusted Microsoft services](../../key-vault/general/overview-vnet-service-endpoints.md#trusted-services) to bypass the firewall.
0 commit comments