Commit 887c05f

Merge pull request #292574 from zhiyuanliang-ms/zhiyuanliang/update-cmk
Azure App Configuration - Add guidance for using user-assigned identity
2 parents 733b4ee + cbae3ae commit 887c05f

articles/azure-app-configuration/concept-customer-managed-keys.md

Lines changed: 8 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -78,6 +78,9 @@ After these resources are configured, use the following steps so that the Azure
7878
}
7979
```
8080
81+
> [!NOTE]
82+
> To create a user-assigned managed identity, follow this [tutorial](./overview-managed-identity.md#adding-a-user-assigned-identity).
83+
8184
1. The managed identity of the Azure App Configuration instance needs access to the key to perform key validation, encryption, and decryption. The specific set of actions to which it needs access includes: `GET`, `WRAP`, and `UNWRAP` for keys. These permissions can be granted by assigning the `Key Vault Crypto Service Encryption User` role for Azure RBAC enabled Key Vaults. For Key Vaults using access policy authorization, set the policy for the aforementioned key permissions. Granting access requires the principal ID of the App Configuration instance's managed identity. Replace the value shown below as `contoso-principalId` with the principal ID obtained in the previous step. Grant permission to the managed key by using the command line:
8285
8386
### [Azure RBAC](#tab/azurerbac)
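Review bot: The new note at line 82 tells the reader how to create a user-assigned identity but not which principal ID to use in the step that follows, which still says to use "the principal ID obtained in the previous step" (the instance's system-assigned identity). When the user-assigned identity is the one that will access the key, it is that identity's principal ID that must be granted `GET`, `WRAP` and `UNWRAP` (or the `Key Vault Crypto Service Encryption User` role); otherwise the permission lands on the wrong principal and the key validation fails. Suggest extending the note along the lines of "If you use a user-assigned identity, grant the key permissions in the next step to that identity's principal ID instead of the system-assigned identity." Minor: the added blank line at 83 sits directly before the existing blank line at 84, leaving two consecutive blank lines.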
@@ -102,6 +105,11 @@ After these resources are configured, use the following steps so that the Azure
102105
az appconfig update -g contoso-resource-group -n contoso-app-config --encryption-key-name key-name --encryption-key-version key-version --encryption-key-vault key-vault-Uri
103106
```
104107
108+
The command uses system-assigned managed identity to authenticate with the key vault by default.
109+
110+
> [!NOTE]
111+
> When using a user-assigned managed identity to access the customer managed key, you can specify its client ID explicitly by adding `--identity-client-id <client ID of your user assigned identity>` to the command.
112+
105113
Your Azure App Configuration instance is now configured to use a customer-managed key stored in Azure Key Vault.
106114
107115
## Next Steps
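Review bot: The note at line 111 introduces `--identity-client-id` without stating the preconditions that make it work: the user-assigned identity must already be assigned to the App Configuration instance and must already hold the key permissions granted in the earlier step, otherwise the update succeeds in assigning an identity that cannot unwrap the key and the store is left unable to use its customer-managed key. Suggest adding a clause such as "The identity must be assigned to the App Configuration instance and granted access to the key before running this command." Style: line 108 should read "The command uses the system-assigned managed identity", and "customer managed key" at line 111 should be hyphenated as "customer-managed key" to match line 113.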
