
Commit e52eff4

Merge pull request #212706 from seesharprun/revise-cmk-article-cosmos
Cosmos DB | PM review and copy-edit of customer-managed-keys article
2 parents cf6ee15 + 09abaf3 commit e52eff4


1 file changed, +4 -1 lines changed


articles/cosmos-db/how-to-setup-cross-tenant-customer-managed-keys.md

Lines changed: 4 additions & 1 deletion
@@ -97,14 +97,17 @@ az provider register \
9797
9898
Up to this point, you've configured the multi-tenant application on the service provider's tenant. You've also installed the application on the customer's tenant and configured the key vault and key on the customer's tenant. Next you can create an Azure Cosmos DB account on the service provider's tenant and configure customer-managed keys with the key from the customer's tenant.
9999

100-
You must use an existing user-assigned managed identity to authorize access to the key vault when you configure customer-managed keys while creating the Azure Cosmos DB account. The user-assigned managed identity must have appropriate permissions to access the key vault. As the key vault is on another tenant, we'll use the multi tenant application created previously and register the user assigned managed identity as a federated identity of this multi-tenant application. For more information, see the [Phase 3 - The service provider encrypts data in an Azure resource using the customer-managed key](#phase-3---the-service-provider-encrypts-data-in-an-azure-resource-using-the-customer-managed-key) section of this article.
100+
When creating an Azure Cosmos DB account with customer-managed keys, we must ensure that it has access to the keys the customer used. In single-tenant scenarios, either give direct key vault access to the Azure Cosmos DB principal or use a specific managed identity. In a cross-tenant scenario, we can no longer depend on direct access to the key vault as it is in another tenant managed by the customer. This constraint is the reason in the previous sections we created a cross-tenant application and registered a managed identity inside the application to give it access to the customer's key vault. This managed identity, coupled with the cross-tenant application ID, is what we'll use when creating the cross-tenant CMK Azure Cosmos DB Account. For more information, see the [Phase 3 - The service provider encrypts data in an Azure resource using the customer-managed key](#phase-3---the-service-provider-encrypts-data-in-an-azure-resource-using-the-customer-managed-key) section of this article.
101101

102102
Whenever a new version of the key is available in the key vault, it will be automatically updated on the Azure Cosmos DB account.
103103

104104
## Using Azure Resource Manager JSON templates
105105

106106
Deploy an ARM template with the following specific parameters:
107107

108+
> [!NOTE]
109+
> If you are recreating this sample in one of your Azure Resource Manager templates, use an `apiVersion` of `2022-05-15`.
110+
108111
| Parameter | Description | Example value |
109112
| --- | --- | --- |
110113
| `keyVaultKeyUri` | Identifier of the customer-managed key residing in the service provider's key vault. | `https://my-vault.vault.azure.com/keys/my-key` |
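Review bot: the rewritten paragraph at line 100 drops a concrete requirement that the deleted line stated: the identity must be an existing user-assigned managed identity, and it is registered as a federated identity of the multi-tenant application. The replacement wording "registered a managed identity inside the application" is vaguer about both points, and a reader setting up the account no longer learns that a system-assigned identity will not work here. Suggest keeping a sentence along the lines of "You must use an existing user-assigned managed identity, registered as a federated identity credential of the multi-tenant application, to authorize access to the key vault." In the unchanged context at the bottom of the hunk, the `keyVaultKeyUri` description says the key resides "in the service provider's key vault", which contradicts the paragraph above it (the key vault and key live on the customer's tenant); that row should read "customer's key vault". The example value `https://my-vault.vault.azure.com/keys/my-key` also uses the wrong DNS suffix for a public-cloud Key Vault, which is `vault.azure.net`.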
