articles/azure-fluid-relay/concepts/customer-managed-keys.md
7 additions & 3 deletions
@@ -31,12 +31,16 @@ Before configuring CMK on your Azure Fluid Relay resource, the following prerequ
31
31
- Keys must be RSA key and not EC key since EC key doesn’t support WRAP and UNWRAP.
32
32
- A user assigned managed identity must be created with necessary permission (GET, WRAP and UNWRAP) to the key vault in step 1. More information [here](../../active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad.md). Grant GET, WRAP and UNWRAP under Key Permissions in AKV.
33
33
- Azure Key Vault, user assigned identity, and the Fluid Relay resource must be in the same region and in the same Microsoft Entra tenant.
34
+
- The Key Vault and the key must remain active for the entire lifetime of your Fluid Relay resources.
35
+
-**Do NOT** delete or disable the key vault or the key until all associated Fluid Relay services have been deleted.
36
+
Otherwise, your Fluid Relay resource will enter an **unusable state**. In this case, please [recover your key or key vault](/azure/key-vault/general/key-vault-recovery?tabs=azure-portal).
37
+
Azure Fluid Relay cannot recover your key or key vault, as they are fully managed by you (the client).
34
38
- If you provide the key URL with a specific key version, **only that version** is used for CMK purposes.
35
39
If you later add a new key version, you must **manually** update the key URL in the CMK settings of the Fluid Relay resource to make the new version effective.
36
40
The Fluid Relay service fails if the specified key version is deleted or disabled without updating the resource to use a valid version.
37
41
- To allow the Fluid Relay service to automatically use the latest key version of the key from your key vault, you can omit the key version in the encryption key URL. This setting makes Fluid Relay Service's storage dependency to check the key vault daily for a new version of the customer-managed key and automatically updates the key to the latest version.
38
42
However, you are still responsible for managing and rotating key versions in your Key Vault.
39
-
>Due to resource limitations, switching to this auto-update setting may fail. If that happens, please specify a key version explicitly and perform a manual update on your Fluid Relay resource for new [key](/azure/key-vault/keys/about-keys) versions.
43
+
- Due to resource limitations, switching to this auto-update setting may fail. If that happens, please specify a key version explicitly and perform a manual update on your Fluid Relay resource for new [key](/azure/key-vault/keys/about-keys) versions.
40
44
41
45
42
46
## Create a Fluid Relay resource with CMK
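Review bot: The added warning ("Do NOT delete or disable the key vault or the key until all associated Fluid Relay services have been deleted") sends readers to key vault recovery after the fact, but the prerequisites never ask them to set the vault up so that recovery is possible. Since the next added line states that Azure Fluid Relay cannot recover the key or vault, suggest adding a prerequisite that soft delete and purge protection be enabled on the key vault before CMK is configured. Two formatting points in the same hunk: the added line starts "-**Do NOT**" with no space after the dash, so it may not render as a list item, and the "Due to resource limitations" note changed from a ">" quote to a "-" bullet, which leaves "this auto-update setting" without its antecedent unless the bullet is nested under the auto-update item.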
@@ -90,7 +94,7 @@ You need to install [Azure Fluid Relay module](/powershell/module/az.fluidrelay)
90
94
Install-Module Az.FluidRelay
91
95
```
92
96
93
-
And make sure you complete all the prerequsite steps.
97
+
And make sure you complete all the prerequisite steps.
94
98
95
99
Example of creating a Fluid Relay Service with CMK enabled:
96
100
```azurepowershell
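Review bot: The corrected sentence "And make sure you complete all the prerequisite steps." in this PowerShell section still has no link, while the Azure CLI section of the same change links the word to "#prerequisites". Suggest using the linked form here too, so readers in either tab reach the key vault and managed identity requirements (GET, WRAP and UNWRAP) before running the command.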
@@ -111,7 +115,7 @@ For more information about the command, see [New-AzFluidRelayServer](/powershell
111
115
### [Azure CLI](#tab/azure-cli)
112
116
To create Fluid Relay with CMK enabled using Azure CLI, you need to install [fluid-relay](/cli/azure/fluid-relay) extension first. See [instructions](/cli/azure/azure-cli-extensions-overview).
113
117
114
-
And make sure you complete all the [prerequsite](#prerequisites) steps.
118
+
And make sure you complete all the [prerequisite](#prerequisites) steps.
115
119
116
120
Example of creating a Fluid Relay Service with CMK enabled:
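Review bot: Style point on the changed line "And make sure you complete all the [prerequisite](#prerequisites) steps.": it opens with "And" as a sentence fragment following the install instruction. Since the line is being touched for the spelling fix anyway, suggest rewording to "Make sure you complete all the [prerequisites](#prerequisites)." and applying the same wording in the other tab.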