[Feature]: SKR Policy Location #19984
Assignees
Labels
feature-request
This issue requires a new behavior in the product in order be resolved.
KeyVault
Tracking
We will track status and follow internally
Milestone
Comments
thaiolivia
added
feature-request
ghost
removed
the
needs-triage
|
Update: This is more urgent for PowerShell since public access of storage account blobs are listed as SEV1 concern |
1 task
|
please expect this feature supported in next release (Dec 6th). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description of the new feature
Today default CVM SKR Policy is stored as a blob in a test subscription - https://cvmprivatepreviewsa.blob.core.windows.net/cvmpublicpreviewcontainer/skr-policy.json
This is risky as anyone in the subscription can modify the file and cause CVM CMK scenario to fail. Currently, PowerShell reads from this storage account which we would like to avoid.
We have decided to shift the key release policy to GitHub which you can find here: https://raw.githubusercontent.com/Azure/confidential-computing-cvm/main/cvm_deployment/key/skr-policy.json
We would like for skr-policy reference to point to this GitHub as well for PowerShell to store a local backup copy.
Proposed implementation details (optional)
Ideal implementation date is before the end of the quarter.
The text was updated successfully, but these errors were encountered: