Confidential Compute CLI Change Request - VM OS Disk / Disk Encryption Set Create #22200
Comments
Compute |
@zhoxing-ms - Updated Disk encryption set scenario with key vault key creation commands as well. |
Hi @AjKundnani , after supporting the arguments in CLI, I could create a DES with ConfidentialVmEncryptedWithCustomerKey as described in Scenario 2. Then I tried Scenario 1 with the DES just created, and returned this error:
So could you please provide an image that would support ConfidentialVM_DiskEncryptedWithCustomerKey? |
@cxznmhdcxz - if you can try with image 2019-datacenter-cvm or 2022-datacenter-cvm under offer windows-cvm |
@AjKundnani These sentences mean that the |
@zhoxing-ms - Right, |
Updated request to reflect |
@AjKundnani When |
@zhoxing-ms - I've simplified the statement in request, any value of |
@AjKundnani Do you mean that when the user passes in the I think a better solution may be to verify that users must input In addition, please note that since the |
|
@AjKundnani In current official CLI, if users pass in the |
@zhoxing-ms : Below is the current behavior for
|
@AjKundnani Out of curiosity, I would like to ask why we need to limit the parameter |
@AjKundnani In order to avoid breaking change, I suggest that we can state this limitation in the help message first. And when users use the |
|
@AjKundnani Please note that the default value of the
Yes, the warning log is non-interactive and will not block users' automation scenarios.
OK, thanks much for your active help! |
Is your feature request related to a problem? Please describe
No, feature request to add new parameter and add values into existing parameters for following commands to support Confidential VM - Planned GA by end of June CY22:
Feature is to support customers with:
Describe the solution you'd like
Existing Parameter
az disk create
Customer to use az disk create command with parameter --security-type to set Security Type. For confidential VM, additional accepted security type should be ConfidentialVM_DiskEncryptedWithCustomerKey, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey
Post change, following values will be accepted:
az disk-encryption-set create
Customer to use az disk-encryption-set create command with parameter --encryption-type to set Encryption type. For confidential VM, additional accepted encryption type should be ConfidentialVmEncryptedWithCustomerKey
Post change, following values will be accepted:
New Parameter
--secure-vm-disk-encryption-set (az disk create)
New Parameter --secure-vm-disk-encryption-set for command az disk create:
End to End Usage
Scenario 1 - Managed OS Disk Create
Store Disk Encryption Set ID in variable:
diskEncryptionSetId=$(az disk-encryption-set show -n "$diskEncryptionSetName" -g "$rgName" --query "[id]" -o tsv)
Create Virtual Machine Disk with ConfidentialVM_DiskEncryptedWithCustomerKey Security Type
Scenario 2 - Disk Encryption Set Create
Create New key vault with premium SKU
Create RSA-HSM Key with key release policy
Query Key-vault key required for Disk Encryption Set
keyUrl=$(az keyvault key show -n "$keyName" --vault-name "$keyVaultName" --query "[key.kid]" -o tsv)
Create Disk Encryption Set
Assign Access to Disk Encryption Set
Describe alternatives you've considered
Not Applicable, new product feature request.
Additional context
Related to #22199
Request for Confidential VM - Planned GA by end of June CY22
Additional Checks
--security-type.
--security-type is used, supported create options for disk are FromImage, Import, ImportSecure, UploadPreparedSecure. Empty is not supported.
Contacts