01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list
--query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
"abcdabcd-1234-abcd-1234-abcdabcdabcd",
"abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to access as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set
--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run identity create command (Windows/macOS/Linux) to create a new user-assigned managed identity for your Azure Cosmos DB account. The Cosmos DB account uses this identity to access the Azure key vault that holds the Customer-Managed Key:
az identity create
--name cc-project5-user-identity
--resource-group cloud-shell-storage-westeurope
--location westeurope
--query '{id:id,principalId:principalId}'
05 The command output should return the resource ID and the principal ID of the new user-assigned managed identity:
{
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-user-identity",
"principalId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
}
06 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure key vault where the required Customer-Managed Key (CMK) will be placed. Both soft delete and purge protection must be enabled on the new key vault (soft delete is enabled by default for new key vaults, so only purge protection needs an explicit flag):
az keyvault create
--name tm-project5-key-vault
--resource-group cloud-shell-storage-westeurope
--location westeurope
--enable-rbac-authorization false
--enabled-for-deployment true
--enabled-for-template-deployment true
--enable-purge-protection true
--enabled-for-disk-encryption true
07 The command output should return the configuration information available for the new Azure key vault:
{
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/tm-project5-key-vault",
"location": "westeurope",
"name": "tm-project5-key-vault",
"properties": {
"accessPolicies": [
{
"applicationId": null,
"objectId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
"permissions": {
"certificates": [
"all"
],
"keys": [
"all"
],
"secrets": [
"all"
],
"storage": [
"all"
]
},
"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
}
],
"createMode": null,
"enablePurgeProtection": true,
"enableRbacAuthorization": false,
"enableSoftDelete": true,
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"hsmPoolResourceId": null,
"networkAcls": null,
"privateEndpointConnections": null,
"provisioningState": "Succeeded",
"publicNetworkAccess": "Enabled",
"sku": {
"family": "A",
"name": "standard"
},
"softDeleteRetentionInDays": 30,
"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
"vaultUri": "https://tm-project5-key-vault.vault.azure.net/"
},
"resourceGroup": "cloud-shell-storage-westeurope",
"systemData": {
"createdAt": "2024-10-10T17:04:00.983000+00:00",
"createdBy": "",
"createdByType": "User",
"lastModifiedAt": "2024-10-10T17:04:00.983000+00:00",
"lastModifiedBy": "",
"lastModifiedByType": "User"
},
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}
08 Run keyvault set-policy command (Windows/macOS/Linux) to grant the managed identity the key permissions it needs on your new Azure key vault. For the --object-id parameter, use the "principalId" value returned in step no. 5:
az keyvault set-policy
--name tm-project5-key-vault
--object-id abcdabcd-abcd-abcd-abcd-abcdabcdabcd
--key-permissions create get recover unwrapKey wrapKey
--query 'properties.accessPolicies'
09 The command output should return the modified key vault configuration information:
[
{
"applicationId": null,
"objectId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
"permissions": {
"certificates": [
"all"
],
"keys": [
"recover",
"unwrapKey",
"get",
"create",
"wrapKey"
],
"secrets": [
"all"
],
"storage": [
"all"
]
},
"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234"
}
]
10 Run keyvault key create command (Windows/macOS/Linux) to create the Customer-Managed Key (CMK) necessary to encrypt data for your Azure Cosmos DB account:
az keyvault key create
--name tm-project5-cosmos-db-key
--vault-name tm-project5-key-vault
--kty RSA
--size 2048
--ops decrypt encrypt sign unwrapKey verify wrapKey
--protection software
--disabled false
--query 'key.kid'
11 The command output should return the full URI of the new Customer-Managed Key:
"https://tm-project5-key-vault.vault.azure.net/keys/tm-project5-cosmos-db-key/12345678901234567890123456789012"
12 Run cosmosdb update command (Windows/macOS/Linux) to enable CMK-based encryption for your Microsoft Azure Cosmos DB account. Use the --key-uri parameter to specify the URI of the Customer-Managed Key (CMK) created in the previous steps, without the trailing key version. The CMK URI format is https://<key-vault-name>.vault.azure.net/keys/<customer-managed-key>:
az cosmosdb update
--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database"
--key-uri "https://tm-project5-key-vault.vault.azure.net/keys/tm-project5-cosmos-db-key"
13 The command output should return the information available for the modified Azure Cosmos DB account:
{
"analyticalStorageConfiguration": {
"schemaType": "WellDefined"
},
"backupPolicy": {
"migrationState": null,
"periodicModeProperties": {
"backupIntervalInMinutes": 240,
"backupRetentionIntervalInHours": 8,
"backupStorageRedundancy": "Local"
}
},
...
"capabilities": [],
"capacity": {
"totalThroughputLimit": 1000
},
"connectorOffer": null,
"consistencyPolicy": {
"defaultConsistencyLevel": "Session",
"maxIntervalInSeconds": 5,
"maxStalenessPrefix": 100
}
}
14 Repeat steps no. 12 and 13 for each Azure Cosmos DB account that you want to configure, available within the selected subscription.
15 Repeat steps no. 3 – 14 for each Azure subscription created in your Microsoft Azure cloud account.
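The following script is an added example and is not part of this guide or of the Azure CLI. It checks, offline, the two prerequisites the procedure depends on before step 12 is run for an account: that the key vault from steps 6 and 8 has soft delete and purge protection enabled and grants the managed identity's principalId the key permissions Cosmos DB needs (get, wrapKey, unwrapKey), and that the value passed to --key-uri has the versionless format given in step 12 and points at the expected vault. The sample vault JSON is constructed from the outputs shown in steps 7 and 9 (with the guide's placeholder IDs); in practice you would feed it the output of `az keyvault show --name <vault>`.

```python
"""Offline prerequisite checks for Cosmos DB CMK setup (added example, not Azure CLI code)."""
import json
import re

# Constructed sample: trimmed `az keyvault show` output for the vault created in step 6,
# carrying the access policy written in step 8 (placeholder IDs as used in the guide).
SAMPLE_VAULT_JSON = """{
  "name": "tm-project5-key-vault",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
       "permissions": {"keys": ["recover", "unwrapKey", "get", "create", "wrapKey"]}}
    ],
    "vaultUri": "https://tm-project5-key-vault.vault.azure.net/"
  }
}"""

# Key permissions Cosmos DB needs on the CMK: read key metadata and wrap/unwrap
# the data encryption key. "create" and "recover" are vault-side extras, not required here.
REQUIRED_KEY_PERMS = {"get", "wrapKey", "unwrapKey"}

# Versionless key URI, as given in step 12: https://<vault>.vault.azure.net/keys/<key>
KEY_URI_RE = re.compile(r"^https://([a-z0-9-]+)\.vault\.azure\.net/keys/([A-Za-z0-9-]+)/?$")


def check_vault(vault_json: str, principal_id: str) -> list:
    """Return a list of findings; an empty list means the vault meets the guide's prerequisites."""
    props = json.loads(vault_json)["properties"]
    findings = []
    if not props.get("enableSoftDelete"):
        findings.append("soft delete is disabled")
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection is disabled")
    # Collect the key permissions granted to the managed identity across all access policies.
    granted = set()
    for policy in props.get("accessPolicies") or []:
        if policy.get("objectId") == principal_id:
            granted |= set(policy.get("permissions", {}).get("keys") or [])
    missing = REQUIRED_KEY_PERMS - granted
    if missing:
        findings.append("identity lacks key permissions: " + ", ".join(sorted(missing)))
    return findings


def check_key_uri(key_uri: str, vault_name: str) -> list:
    """Validate a --key-uri value: HTTPS, versionless, and hosted in the expected vault."""
    findings = []
    match = KEY_URI_RE.match(key_uri)
    if not match:
        # A trailing /<version> segment (as returned by step 11) does not match the step 12 format.
        findings.append("key URI must be https://<vault>.vault.azure.net/keys/<key> with no version")
        return findings
    if match.group(1) != vault_name:
        findings.append(f"key URI points at vault {match.group(1)!r}, expected {vault_name!r}")
    return findings


if __name__ == "__main__":
    identity = "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"  # principalId from step 5 (placeholder)
    print("vault findings:", check_vault(SAMPLE_VAULT_JSON, identity))
    print("key URI findings:", check_key_uri(
        "https://tm-project5-key-vault.vault.azure.net/keys/tm-project5-cosmos-db-key",
        "tm-project5-key-vault"))
```

Both functions return findings rather than raising, so they can be run over every subscription and account in the loop of steps 14 and 15 and the results collected in one report; a non-empty list for a vault means step 6 or step 8 needs to be revisited before the account is updated.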