Reputation: 588
Parameters.json
"parameters": {
  "dataFactoryName": { "type": "string", "metadata": { "description": "Name of the data factory. Name must be globally unique" } },
  "resourceTags": { "type": "object" },
  "diagnosticSettingsStorageAccount": { "type": "string", "metadata": { "description": "Resource ID of the storage account used to store diagnostic logs" } },
  "cmkIdentity": {
    "type": "string"
  },
  "vaultBaseUrl": {
    "type": "string"
  },
  "keyName": {
    "type": "string"
  },
  "keyVersion": {
    "type": "string"
  }
},
Template.json
{
  "type": "Microsoft.DataFactory/factories",
  "apiVersion": "2018-06-01",
  "name": "[parameters('dataFactoryName')]",
  "location": "[resourceGroup().location]",
  "tags": "[parameters('resourceTags')]",
  "identity": {
    "type": "SystemAssigned,UserAssigned",
    "userAssignedIdentities": {"[parameters('cmkIdentity')]": {}}
  },
  "properties": {
    "publicNetworkAccess": "Disabled",
    "encryption": {
      "identity": {
        "userAssignedIdentity": "[parameters('cmkIdentity')]"
      },
      "vaultBaseUrl": "[parameters('vaultBaseUrl')]",
      "keyName": "[parameters('keyName')]",
      "keyVersion": "[parameters('keyVersion')]"
    }
  },
  "dependsOn": ["[resourceId('Microsoft.OperationalInsights/workspaces',variables('workspaceName'))]"]
},
I am passing these values in:
cmkIdentity: "/subscriptions/xxxxx/resourcegroups/xxxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity"
vaultBaseUrl: https://testkeyvault123.vault.azure.net/
keyName: test-key
keyVersion: t5dca2a5xxxxx399we5
The validation passes and the Data Factory is deployed. I can see the test-identity in the Managed Identity section. But when I open the Data Factory's UI and navigate to Manage and then to Customer managed key, I don't see anything. All fields are empty, see picture below:
I provided an access policy to test-identity on the test key vault. I can't figure out what the problem is.
UPDATED parameters and template
parameters
"parameters": {
  "dataFactoryName": { "type": "string", "metadata": { "description": "Name of the data factory. Name must be globally unique" } },
  "resourceTags": { "type": "object" },
  "diagnosticSettingsStorageAccount": { "type": "string", "metadata": { "description": "Resource ID of the storage account used to store diagnoistic logs" } },
  "cmkIdentity": {
    "type": "object",
    "defaultValue": {
      "/subscriptions/xxxxx/resourcegroups/xxxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {
      }
    }
  },
  "vaultBaseUrl": {
    "type": "string"
  },
  "keyName": {
    "type": "string"
  },
  "keyVersion": {
    "type": "string"
  }
},
template.json
{
  "type": "Microsoft.DataFactory/factories",
  "apiVersion": "2018-06-01",
  "name": "[parameters('dataFactoryName')]",
  "location": "[resourceGroup().location]",
  "tags": "[parameters('resourceTags')]",
  "identity": {
    "type": "SystemAssigned,UserAssigned",
    "principalId": "",
    "tenantId": "",
    "userAssignedIdentities": "[parameters('cmkIdentity')]"
  },
  "properties": {
    "publicNetworkAccess": "Disabled",
    "encryption": {
      "identity": {
        "userAssignedIdentity": "[parameters('cmkIdentity')]"
      },
      "vaultBaseUrl": "[parameters('vaultBaseUrl')]",
      "keyName": "[parameters('keyName')]",
      "keyVersion": "[parameters('keyVersion')]"
    }
  },
  "dependsOn": ["[resourceId('Microsoft.OperationalInsights/workspaces',variables('workspaceName'))]"]
},
Upvotes: 0
Views: 471
Reputation: 1450
I have tried doing it both ways, via the JSON template and through the portal, and it works fine; you just need to have another parameter which is of object type, as below:
Updated info: Please add a new parameter, cmkidentity_obj, which is type: object, and have the other parameter, cmkidentity, as type: string, and pass the string in:
"encryption": {
  "identity": {
    "userAssignedIdentity": "[parameters('cmkidentity')]"
  },
  "VaultBaseUrl": "[parameters('dataFactory_properties_encryption_VaultBaseUrl')]",
  "KeyName": "[parameters('dataFactory_properties_encryption_KeyName')]",
  "KeyVersion": "[parameters('dataFactory_properties_encryption_KeyVersion')]"
}
Parameter - cmkidentity_obj
and pass it in the template.json below:
"cmkidentity_obj": {
  "type": "object",
  "defaultValue": {
    "/subscriptions/xxxxx/resourcegroups/xxxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {
    }
  }
}
and then passed this object in my template.json:
"identity": {
  "type": "[parameters('dataFactory_identity_type')]",
  "principalId": "",
  "tenantId": "",
  "userAssignedIdentities": "[parameters('cmkidentity_obj')]"
}
This deployed successfully without any error and I was able to view my Customer Managed Key in the Azure Data Factory UI. Kindly try the same and see.
My Template.json:
"resources": [
  {
    "name": "[parameters('factoryName')]",
    "type": "Microsoft.DataFactory/factories",
    "apiVersion": "2018-06-01",
    "properties": {
      "encryption": {
        "identity": {
          "userAssignedIdentity": "[parameters('cmkidentity')]"
        },
        "VaultBaseUrl": "[parameters('dataFactory_properties_encryption_VaultBaseUrl')]",
        "KeyName": "[parameters('dataFactory_properties_encryption_KeyName')]",
        "KeyVersion": "[parameters('dataFactory_properties_encryption_KeyVersion')]"
      }
    },
    "dependsOn": [],
    "location": "[parameters('dataFactory_location')]",
    "identity": {
      "type": "[parameters('dataFactory_identity_type')]",
      "principalId": "",
      "tenantId": "",
      "userAssignedIdentities": "[parameters('cmkIdentity_obj')]"
    }
  }
]
Upvotes: 1
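Added example (not part of the original question or answer): a small Python lint for the wiring the answer describes. It checks that identity.userAssignedIdentities resolves to an object keyed by resource ID, that encryption.identity.userAssignedIdentity resolves to a string, and that the string names one of the attached identities. The function names, the trimmed sample templates and the case-insensitive parameter lookup are assumptions made for this example.

```python
import re

# Whole-value ARM reference such as "[parameters('cmkIdentity')]".
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, declared, supplied):
    """Return the value a parameter reference points at; literals pass through."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    if not m:
        return value
    name = m.group(1).lower()  # assumption: case-insensitive (the answer mixes casings)
    given = {k.lower(): v for k, v in supplied.items()}
    defaults = {k.lower(): d.get("defaultValue") for k, d in declared.items()}
    return given[name] if name in given else defaults[name]  # KeyError if undeclared

def check_factory_cmk(resource, declared, supplied=None):
    """Lint the identity/encryption wiring of one Microsoft.DataFactory/factories resource."""
    supplied, findings = supplied or {}, []
    attached = resolve(resource.get("identity", {}).get("userAssignedIdentities"), declared, supplied)
    enc = resource.get("properties", {}).get("encryption", {})
    cmk = resolve(enc.get("identity", {}).get("userAssignedIdentity"), declared, supplied)
    if not isinstance(attached, dict):
        findings.append("identity.userAssignedIdentities is not an object keyed by resource ID")
        attached = {}
    if not isinstance(cmk, str):
        findings.append("encryption.identity.userAssignedIdentity is not a resource ID string")
    elif cmk.lower() not in {k.lower() for k in attached}:
        findings.append("encryption identity is not among the attached identities")
    return findings

# Constructed sample input, using the placeholder resource ID from the post.
UAI = "/subscriptions/xxxxx/resourcegroups/xxxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity"
def factory(attach_param, cmk_param):
    return {"type": "Microsoft.DataFactory/factories",
            "identity": {"userAssignedIdentities": f"[parameters('{attach_param}')]"},
            "properties": {"encryption": {"identity": {
                "userAssignedIdentity": f"[parameters('{cmk_param}')]"}}}}

# Question's updated template: one object parameter referenced in both places.
QUESTION = (factory("cmkIdentity", "cmkIdentity"),
            {"cmkIdentity": {"type": "object", "defaultValue": {UAI: {}}}})
# Answer's layout: object parameter for attachment, string parameter for encryption.
ANSWER = (factory("cmkIdentity_obj", "cmkidentity"),
          {"cmkidentity_obj": {"type": "object", "defaultValue": {UAI: {}}},
           "cmkidentity": {"type": "string"}})

if __name__ == "__main__":
    print(check_factory_cmk(*QUESTION))
    print(check_factory_cmk(*ANSWER, supplied={"cmkidentity": UAI}))
```

Running the same check in a pipeline before deployment surfaces a factory whose customer-managed key settings would not take effect, rather than relying on a look at the Data Factory UI afterwards.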