Creation will fail when using CMK from keyvault with firewall enabled #61064

Closed
PCNZ opened this issue Aug 18, 2020 · 3 comments
PCNZ commented Aug 18, 2020

Please make it clear that use of a CMK from an existing keyvault with network firewall enabled is not supported and will fail during initial deployment.
Further use of a managed identity to grant access to the key in a keyvault with network firewall enabled is not possible.

Deployment using CMK must be done using a key from a keyvault (temporary) with all access from all networks enabled initially and a managed identity.

After this you can change to using a key from a keyvault with network firewall enabled.
Do this by first enabling a system identity in the ACR.
Grant this system identity access to the keyvault with the firewall enabled.
Then go into the ACR and change the key to the keyvault with network firewall enabled.

Now you can delete the temporary keyvault and key.

Note: This occurs when not using private endpoints with the ACR.
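The switch-over steps in the comment above, written out as Azure CLI calls. This is an added example, not part of the original issue or of the product documentation. The registry name, vault names and key ID are placeholders, and it assumes the target vault uses access policies (not Azure RBAC) with `get`, `wrapKey` and `unwrapKey` as the key permissions granted to the registry identity.

```shell
#!/bin/sh
# Added example: registry, vault and key names passed in are placeholders.
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the az commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az'; printf ' %s' "$@"; printf '\n'
  else
    az "$@"
  fi
}

# usage: switch_cmk_to_firewalled_vault <registry> <firewalled-vault> <key-id> <temp-vault>
switch_cmk_to_firewalled_vault() {
  acr="$1"; vault="$2"; key_id="$3"; tmp_vault="$4"
  if [ -z "$acr" ] || [ -z "$vault" ] || [ -z "$key_id" ] || [ -z "$tmp_vault" ]; then
    echo "usage: switch_cmk_to_firewalled_vault ACR VAULT KEY_ID TMP_VAULT" >&2
    return 2
  fi

  # 1. Enable the system-assigned identity on the registry.
  run acr identity assign --name "$acr" --identities '[system]' || return 1

  # 2. Grant that identity access to the key in the firewalled vault.
  if [ "$DRY_RUN" = "1" ]; then
    principal='<acr-principal-id>'   # placeholder shown in dry-run output
  else
    principal="$(az acr identity show --name "$acr" \
      --query principalId --output tsv)" || return 1
  fi
  [ -n "$principal" ] || { echo "no system identity on $acr" >&2; return 1; }
  run keyvault set-policy --name "$vault" --object-id "$principal" \
    --key-permissions get unwrapKey wrapKey || return 1

  # 3. Point the registry at the key in the firewalled vault.
  run acr encryption rotate-key --name "$acr" \
    --key-encryption-key "$key_id" --identity '[system]' || return 1

  # 4. Remove the temporary vault only after the key change succeeded;
  #    every earlier step returns on failure, so this is never reached early.
  run keyvault delete --name "$tmp_vault"
}
```

With `DRY_RUN=1` (the default) the function only prints the four commands in order, so the plan can be reviewed before running it with `DRY_RUN=0`.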



@VikasPullagura-MSFT
Contributor

@PCNZ Thank you for reaching out and bringing this to our notice. At this time we are reviewing the feedback and will provide an update as appropriate.

@VikasPullagura-MSFT
Contributor

@dlepow
Can you please check and add your comments on this doc update request as applicable.

@VikasPullagura-MSFT
Contributor

@PCNZ The feedback on improving, and making more prominent, how to store a customer-managed key for a registry when the KV firewall is enabled, as documented here, is shared with the content team.

Doc author is working on updating this document which will address this feedback.

Linking similar issue #61015 .

Closing this issue for now as the document will be updated soon.
