[Feature]: Replace pull default SKR policy from github with MAA Service Discovery API and Policy template #24601
Labels: feature-request, Tracking
Description of the new feature
Today the default CVM SKR policy is pulled from a public GitHub repo:
https://raw.githubusercontent.com/Azure/confidential-computing-cvm/main/cvm_deployment/key/skr-policy.json
This will hit performance issues as the default policy file expands, and it also raises security concerns.
We have decided to replace the current implementation with the MAA Service Discovery API to get the regional default provider and fill it into the template as follows:
The service discovery API from MAA:
Here is a reference application in Azure PowerShell for the default provider by location:
This REST API is a call to ARM, so all that's required is an Azure subscription and an identity (e.g., user, service principal, MSI identity, etc.) with RBAC permissions to access that subscription's resources.
The current implementation in the repo: azure-powershell/src/KeyVault/KeyVault/Commands/Key/AddAzureKeyVaultKey.cs, line 77 in 37badb2
Proposed implementation details (optional)
For Mooncake, Fairfax, USNat and USSec the API path
/subscriptions/{your_subscription}/providers/Microsoft.Attestation/Locations/{your_location}/defaultProvider?api-version=2020-10-01
remains the same, but the ARM endpoint
https://management.azure.com/
will be different (see below).
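As an added example (not code from the azure-powershell repo or from the issue author), the flow the issue proposes, in Python: pick the ARM endpoint for the cloud, build the defaultProvider path from the issue, pull the attestation endpoint out of the response and fill it into a release-policy template. The Az environment names and the public, China and US Government ARM endpoints are the documented ones; USNat and USSec endpoints are not public and are deliberately omitted. Everything else is an assumption: that the response carries the endpoint at `properties.attestUri`, the sample response itself (constructed, not captured), and the two CVM claims in the template, which stand in for whatever the real skr-policy.json contains.

```python
"""
Added example: discover the regional default MAA provider through ARM and
fill an SKR release-policy template with its endpoint.
"""
import json
import urllib.request
from urllib.parse import urlsplit

# ARM endpoints by Az environment name. USNat and USSec are not public and
# are intentionally absent; asking for them raises KeyError below.
ARM_ENDPOINTS = {
    "AzureCloud": "https://management.azure.com",
    "AzureChinaCloud": "https://management.chinacloudapi.cn",
    "AzureUSGovernment": "https://management.usgovcloudapi.net",
}

# The path from the issue; identical in every cloud, only the ARM host changes.
DEFAULT_PROVIDER_PATH = (
    "/subscriptions/{sub}/providers/Microsoft.Attestation/Locations/{loc}"
    "/defaultProvider?api-version=2020-10-01"
)


def default_provider_url(cloud: str, subscription_id: str, location: str) -> str:
    """Full ARM URL for the regional default provider lookup."""
    return ARM_ENDPOINTS[cloud] + DEFAULT_PROVIDER_PATH.format(
        sub=subscription_id, loc=location
    )


def fetch_default_provider(url: str, bearer_token: str) -> dict:
    """GET the defaultProvider resource with an ARM bearer token (needs network)."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {bearer_token}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def attest_uri_from_response(provider: dict) -> str:
    """Extract the attestation endpoint and refuse anything unexpected.

    Assumption: the endpoint is at properties.attestUri. Because this value
    becomes the trusted 'authority' in the release policy, accept only an
    https URL that is a bare host (no path, query or fragment).
    """
    uri = provider.get("properties", {}).get("attestUri")
    if not isinstance(uri, str) or not uri:
        raise ValueError("defaultProvider response has no properties.attestUri")
    parts = urlsplit(uri)
    if (parts.scheme != "https" or not parts.netloc
            or parts.path not in ("", "/") or parts.query or parts.fragment):
        raise ValueError(f"unexpected attestUri: {uri!r}")
    return f"https://{parts.netloc}"


def build_skr_policy(attest_uri: str) -> dict:
    """Fill a release-policy template with the discovered authority.

    The version/anyOf/authority/allOf/claim shape is the Key Vault release
    policy format; the two claims are an assumed CVM example, not the
    contents of the repo's skr-policy.json.
    """
    return {
        "version": "1.0.0",
        "anyOf": [
            {
                "authority": attest_uri,
                "allOf": [
                    {"claim": "x-ms-attestation-type", "equals": "sevsnpvm"},
                    {"claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm"},
                ],
            }
        ],
    }


# Constructed sample shaped like a defaultProvider response (not a real capture).
SAMPLE_RESPONSE = {
    "location": "East US",
    "properties": {
        "trustModel": "AAD",
        "status": "Ready",
        "attestUri": "https://sharedeus.eus.attest.azure.net",
    },
}


def policy_from_provider(provider: dict) -> str:
    """Response in, pretty-printed release policy JSON out."""
    return json.dumps(build_skr_policy(attest_uri_from_response(provider)), indent=2)


if __name__ == "__main__":
    print(default_provider_url("AzureChinaCloud", "<subscription-id>", "chinaeast2"))
    print(policy_from_provider(SAMPLE_RESPONSE))
```

`fetch_default_provider` is the only networked step; wiring it to a real token (for instance from `az account get-access-token`) and feeding the result to `policy_from_provider` gives the policy the issue wants to generate at runtime instead of downloading from GitHub. The https-only, bare-host check on `attestUri` is the part worth keeping: the discovered value ends up as the authority whose attestation tokens Key Vault will trust for key release.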