You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/azure-fluid-relay/concepts/customer-managed-keys.md
+4-5Lines changed: 4 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -32,15 +32,14 @@ Before configuring CMK on your Azure Fluid Relay resource, the following prerequ
32
32
- A user assigned managed identity must be created with necessary permission (GET, WRAP and UNWRAP) to the key vault in step 1. More information [here](../../active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad.md). Grant GET, WRAP and UNWRAP under Key Permissions in AKV.
33
33
- Azure Key Vault, user assigned identity, and the Fluid Relay resource must be in the same region and in the same Microsoft Entra tenant.
34
34
- The Key Vault and the key must remain active for the entire lifetime of your Fluid Relay resources.
35
-
-**Do NOT** delete or disable the key vault or the key until all associated Fluid Relay services have been deleted.
36
-
Otherwise, your Fluid Relay resource will enter an **unusable state**. In this case, please [recover your key or key vault](/azure/key-vault/general/key-vault-recovery?tabs=azure-portal).
37
-
Azure Fluid Relay cannot recover your key or key vault, as they are fully managed by you (the client).
35
+
-**Do NOT** delete or disable the key vault or the key until all associated Fluid Relay services are deleted.
36
+
Otherwise, your Fluid Relay resource enters an **unusable state**. In this case, you need to [recover your key or key vault](/azure/key-vault/general/key-vault-recovery?tabs=azure-portal) first.
38
37
- If you provide the key URL with a specific key version, **only that version** is used for CMK purposes.
39
38
If you later add a new key version, you must **manually** update the key URL in the CMK settings of the Fluid Relay resource to make the new version effective.
40
39
The Fluid Relay service fails if the specified key version is deleted or disabled without updating the resource to use a valid version.
41
40
- To allow the Fluid Relay service to automatically use the latest key version of the key from your key vault, you can omit the key version in the encryption key URL. This setting makes Fluid Relay Service's storage dependency to check the key vault daily for a new version of the customer-managed key and automatically updates the key to the latest version.
42
41
However, you are still responsible for managing and rotating key versions in your Key Vault.
43
-
- Due to resource limitations, switching to this auto-update setting may fail. If that happens, please specify a key version explicitly and perform a manual update on your Fluid Relay resource for new [key](/azure/key-vault/keys/about-keys) versions.
42
+
- Due to resource limitations, switching to this auto-update setting may fail. If that happens, specify a key version explicitly and perform a manual update on your Fluid Relay resource for new [key](/azure/key-vault/keys/about-keys) versions.
44
43
45
44
46
45
## Create a Fluid Relay resource with CMK
@@ -149,7 +148,7 @@ You cannot disable CMK on existing Fluid Relay resource once it is enabled.
149
148
150
149
Before updating the key encryption key (by identifier or version), ensure that **the previous key version is still enabled and has not expired in your key vault**. Otherwise, the update operation fails.
151
150
152
-
When using the update command, you may specify only the parameters that have changed—unchanged arguments can be omitted.
151
+
When using the update command, you may specify only the parameters that are changed—unchanged arguments can be omitted.
153
152
154
153
All updates must satisfy the [prerequisites](#prerequisites) described in this page.
0 commit comments