how-to-create-server-customer-managed-key-azure-api.md

title: Create and manage with data encrypted by customer managed keys using Azure REST API
description: Create and manage Azure Database for PostgreSQL - Flexible Server with data encrypted by Customer Managed Keys using Azure REST API.
author: gennadNY
ms.author: gennadyk
ms.reviewer: maghan
ms.date: 04/27/2024
ms.service: postgresql
ms.subservice: flexible-server
ms.topic: how-to

Create and manage Azure Database for PostgreSQL - Flexible Server with data encrypted by Customer Managed Keys (CMK) using Azure REST API

[!INCLUDE applies-to-postgresql-flexible-server]

In this article, you learn how to create an Azure Database for PostgreSQL flexible server instance with data encrypted by customer managed keys (CMK) by using the Azure REST API. For more information on encryption with Customer Managed Keys (CMK), see overview.

Set up customer managed key during server creation

Prerequisites:

  • You must have an Azure subscription and be an administrator on that subscription.
  • An Azure managed identity in the region where the Azure Database for PostgreSQL flexible server instance will be created.
  • A Key Vault with a key in the region where the Azure Database for PostgreSQL flexible server instance will be created. Follow this tutorial to create a Key Vault and generate a key.

Note

The API examples below are based on the 2022-12-01 API version.

You can create an Azure Database for PostgreSQL flexible server instance encrypted with a customer managed key by using the create API:

```http
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBForPostgreSql/flexibleServers/{serverName}?api-version=2022-12-01
{
	"location": "eastus",
	"identity": {
		"type": "UserAssigned",
		"UserAssignedIdentities": {
			"/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{userIdentity}": {}
		}
	},
	"properties": {
		"CreateMode": "Create",
		"administratorLogin": "admin",
		"AdministratorLoginPassword": "p@ssw0rd",
		"version": "14",
		"dataencryption": {
			"type": "AzureKeyVault",
			"primaryUserAssignedIdentityId": "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{userIdentity}",
			"primaryKeyUri": "{keyVaultUri}"
		}
	}
}
```

The Key Vault URI can be copied from the Key Identifier field in the key properties in the Azure Key Vault portal UI, as shown in the image below:

:::image type="content" source="./media/how-to-create-server-customer-managed-key-azure-api/key-uri-portal.png" alt-text="Screenshot of key properties and URI on Azure Key Vault Portal page.":::

You can also programmatically fetch the Key Vault URI by using the Azure REST API.
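The following is an added example, not part of the original article or Microsoft's code: a Python preflight check for the create request body above. It confirms that the identity referenced under `dataencryption` is also attached to the server, that `primaryKeyUri` looks like a Key Vault key identifier, and that no template placeholders remain. The helper names, the sample values and the public-cloud `vault.azure.net` suffix are assumptions.

```python
import json
import re
from urllib.parse import urlparse

def _get(obj, key):
    """Case-insensitive lookup; the article's sample mixes property-name casing."""
    return next((v for k, v in obj.items() if k.lower() == key.lower()), None)

def check_cmk_body(body):
    """Return a list of problems in a flexible-server create body (hypothetical helper)."""
    problems = []
    identity = _get(body, "identity") or {}
    enc = _get(_get(body, "properties") or {}, "dataencryption") or {}
    if _get(identity, "type") != "UserAssigned":
        problems.append("identity.type is not UserAssigned")
    if _get(enc, "type") != "AzureKeyVault":
        problems.append("dataencryption.type is not AzureKeyVault")
    # The article's sample lists the same identity under identity and dataencryption.
    attached = {i.lower() for i in (_get(identity, "userAssignedIdentities") or {})}
    if str(_get(enc, "primaryUserAssignedIdentityId") or "").lower() not in attached:
        problems.append("primaryUserAssignedIdentityId is not attached to the server")
    # Assumption: public-cloud identifier https://<vault>.vault.azure.net/keys/<name>[/<version>]
    uri = urlparse(str(_get(enc, "primaryKeyUri") or ""))
    if (uri.scheme != "https" or not (uri.hostname or "").endswith(".vault.azure.net")
            or not re.fullmatch(r"/keys/[^/]+(/[^/]+)?", uri.path)):
        problems.append("primaryKeyUri is not an https Key Vault key identifier")
    # Template placeholders such as {keyVaultUri} must be filled in before sending.
    if re.search(r"\{\w+\}", json.dumps(body)):
        problems.append("unreplaced {placeholder} left in body")
    return problems

# Constructed sample values, not taken from the article.
IDENT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-example"
         "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-example")
GOOD = {
    "location": "eastus",
    "identity": {"type": "UserAssigned", "UserAssignedIdentities": {IDENT: {}}},
    "properties": {"dataencryption": {
        "type": "AzureKeyVault",
        "primaryUserAssignedIdentityId": IDENT,
        "primaryKeyUri": "https://kv-example.vault.azure.net/keys/cmk-example/0123456789abcdef0123456789abcdef",
    }},
}

if __name__ == "__main__":
    print(check_cmk_body(GOOD) or "body looks consistent")
```

Resource IDs are compared case-insensitively, so a difference such as `resourcegroups` versus `resourceGroups` between the two identity references is not reported.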

Next steps