[Compute] Add Managed Identity Support in Azure Disk Encryption for VMSS #30657
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| | vmss create | cmd vmss create added parameter encryption_identity | |
| | vmss encryption enable | cmd vmss encryption enable added parameter encryption_identity | |
@vimish Please review the PR

Compute

/azp run

Azure Pipelines successfully started running 3 pipeline(s).
Could you please refer to this document https://github.com/Azure/azure-cli/blob/dev/doc/managed_identity_command_guideline.md to design commands and parameters related to managed identity? |
We have added a new parameter, encryption identity, to authenticate to the customer's Key Vault.
@@ -2643,6 +2643,9 @@ | |||
- name: Create a Debian11 VM scaleset with a user assigned identity. | |||
text: > | |||
az vmss create -n MyVmss -g rg1 --image Debian11 --assign-identity /subscriptions/99999999-1bf0-4dda-aec3-cb9272f09590/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID | |||
- name: Create a vmss with user assigned identity and add encryption identity for Azure disk encryption | |||
text: > | |||
az vmss create -n MyVm -g rg1 --image Debian11 --assign-identity myID --encryption-identity /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID --orchestration-mode Uniform --lb-sku Standard |
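Review bot: the new help example mixes identity formats and names: it passes a short name to `--assign-identity myID` but a full ARM resource ID to `--encryption-identity`, and calls the scale set `MyVm` while the neighbouring example uses `MyVmss`. Because the check added elsewhere in this PR insists that the encryption identity be the ARM resource ID of one of the identities assigned to the scale set, either both flags in the example should carry the full `/subscriptions/.../userAssignedIdentities/myID` ID, or the create path must resolve the short name to its resource ID before comparing; as written the example may be rejected by the command it documents.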
May I ask what is the difference between the `--assign-identity` and `--encryption-identity`?
The `--assign-identity` param is used to assign system- or user-assigned identities associated with the Virtual Machine Scale Set. There can be multiple user-assigned identities associated with the virtual machine scale set.

The `--encryption-identity` param is used to set which identity is used by ADE to get an access token for Key Vault operations.
Got it, thanks~
if not cmd.supported_api_version(min_api='2023-09-01', resource_type=ResourceType.MGMT_COMPUTE): | ||
raise CLIError("Usage error: Encryption Identity required API version 2023-09-01 or higher." | ||
"You can set the cloud's profile to use the required API Version with:" | ||
"az cloud set --profile latest --name <cloud name>") |
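Review bot: the three adjacent string literals in the `CLIError` message are concatenated with no separating whitespace, so the user sees "...2023-09-01 or higher.You can set the cloud's profile to use the required API Version with:az cloud set --profile latest --name <cloud name>"; end each fragment with a space (`"... or higher. "`, `"... with: "`). Separately, an explicit `supported_api_version` check in the command body is the wrong place for this gate; the reviewer's suggestion to put `min_api='2023-09-01'` on the parameter definition also keeps the parameter from appearing at all on profiles that cannot use it.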
please set the `min_api='2023-09-01'` in the parameter definition instead of adding checking here
Addressed Suggestion
raise CLIError("Encryption Identity should be an ARM Resource ID of one of the " | ||
"user assigned identities associated to the resource") |
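Review bot: the error text does not report which value was rejected, so a user cannot tell whether the ID was mistyped (ARM resource IDs are case-insensitive, so the comparison that precedes this raise should not be an exact string match) or whether the identity was simply never passed to `--assign-identity`. Suggest echoing the supplied value, e.g. `"Encryption Identity '%s' should be the ARM resource ID of one of the user assigned identities assigned to the resource"`, and "assigned to" reads better than "associated to".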
Please use the specific error type `ArgumentUsageError` instead of `CLIError`
raise CLIError("Encryption Identity should be an ARM Resource ID of one of the " | |
"user assigned identities associated to the resource") | |
raise ArgumentUsageError("Encryption Identity should be an ARM Resource ID of one of the " | |
"user assigned identities associated to the resource") |
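Review bot: the suggestion only changes the raise site; `ArgumentUsageError` lives in `azure.cli.core.azclierror`, so the module also needs `from azure.cli.core.azclierror import ArgumentUsageError` (or the existing import line extended), otherwise this becomes a `NameError` on the failure path that the check is meant to report cleanly.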
During VMSS creation, if there is any exception, it throws a `CLIError` exception by default; that's why I used that `CLIError` exception here.
In fact, we usually recommend using a more specific error type when the error can be clearly classified, as this will help us in future telemetry data analysis.
Addressed Suggestion
Related command
Description
Azure Disk Encryption (ADE) is adding support for using a managed identity to authenticate to the customer's Key Vault.

As part of it, a new field (EncryptionIdentity) has been added to the VMSS model. By setting this field the customer notifies ADE to use that managed identity for Key Vault operations. The identity should also be explicitly assigned to the VMSS.

This PR adds a new parameter (EncryptionIdentity) to the `az vmss encryption enable` cmdlet. If the parameter is present, the cmdlet updates the EncryptionIdentity field.

The EncryptionIdentity field is also updated during VMSS creation if the encryption identity is one of the identities assigned to the VMSS.
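The rule spelled out in the reply above and in this description is that `--encryption-identity` is a separate setting from `--assign-identity`: it must be the ARM resource ID of a user-assigned identity that the scale set also holds, because ADE will request its Key Vault token as that identity. The following is an added illustration of that validation, not code from azure-cli or from this PR. The VMSS document, the identity IDs and the `ArgumentUsageError` class are constructed stand-ins, and the `securityProfile.encryptionIdentity.userAssignedIdentityResourceId` field path is an assumption about the Compute model rather than something the PR shows.

```python
"""Validate and apply the ADE encryption identity for a scale set.

Added example; not azure-cli code. Implements the rule from the PR description:
the encryption identity must be the ARM resource ID of a user-assigned identity
that is also assigned to the VMSS. Sample data below is constructed.
"""
from copy import deepcopy


class ArgumentUsageError(Exception):
    """Stand-in for azure.cli.core.azclierror.ArgumentUsageError (constructed here)."""


USER_ASSIGNED_MARKER = "/providers/microsoft.managedidentity/userassignedidentities/"


def is_user_assigned_identity_id(resource_id):
    """Shape check for a user-assigned identity ARM ID, done case-insensitively.

    ARM resource IDs are not case-sensitive, and the keys the API returns may be
    spelled differently (resourceGroups vs resourcegroups) from what the user typed.
    """
    rid = (resource_id or "").lower()
    return rid.startswith("/subscriptions/") and USER_ASSIGNED_MARKER in rid


def resolve_encryption_identity(vmss_identity, encryption_identity):
    """Return the assigned identity ID (in the API's spelling) matching encryption_identity.

    vmss_identity is the 'identity' block of the VMSS:
    {"type": ..., "userAssignedIdentities": {<resourceId>: {...}, ...}}.
    A short name such as 'myID' is rejected: ADE needs the full resource ID.
    """
    if not is_user_assigned_identity_id(encryption_identity):
        raise ArgumentUsageError(
            "Encryption Identity should be an ARM Resource ID of one of the "
            "user assigned identities associated to the resource")
    assigned = (vmss_identity or {}).get("userAssignedIdentities") or {}
    wanted = encryption_identity.lower()
    for assigned_id in assigned:
        if assigned_id.lower() == wanted:
            return assigned_id  # hand back the API's spelling so later comparisons agree
    raise ArgumentUsageError(
        "Encryption Identity '%s' is not one of the %d user assigned identities "
        "assigned to the resource" % (encryption_identity, len(assigned)))


def set_encryption_identity(vmss, encryption_identity):
    """Return a copy of the VMSS document with the encryption identity set.

    Validation runs first, so a caller cannot point ADE at an identity the scale
    set does not hold. The field path used here (virtualMachineProfile.securityProfile
    .encryptionIdentity.userAssignedIdentityResourceId) is an assumption for this example.
    """
    resolved = resolve_encryption_identity(vmss.get("identity"), encryption_identity)
    updated = deepcopy(vmss)
    profile = updated.setdefault("virtualMachineProfile", {})
    security = profile.setdefault("securityProfile", {})
    security["encryptionIdentity"] = {"userAssignedIdentityResourceId": resolved}
    return updated


def check_value(vmss, encryption_identity):
    """Return (accepted, message) instead of raising, for quick tabular checks."""
    try:
        set_encryption_identity(vmss, encryption_identity)
        return True, "accepted"
    except ArgumentUsageError as exc:
        return False, str(exc)


# Constructed sample VMSS document (not real Azure output).
MY_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG"
         "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID")
OTHER_ID = MY_ID.replace("myID", "otherID")  # valid shape, but never assigned
SAMPLE_VMSS = {
    "name": "MyVmss",
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {MY_ID: {"clientId": "constructed", "principalId": "constructed"}},
    },
    "virtualMachineProfile": {},
}


if __name__ == "__main__":
    candidates = (
        MY_ID,                                              # assigned, exact spelling
        MY_ID.replace("resourceGroups", "resourcegroups"),  # assigned, different case
        "myID",                                             # short name: not an ARM ID
        OTHER_ID,                                           # ARM ID, but not assigned
    )
    for candidate in candidates:
        ok, msg = check_value(SAMPLE_VMSS, candidate)
        print("OK  " if ok else "FAIL", candidate.rsplit("/", 1)[-1], "-", msg)
```

The case-insensitive comparison matters in practice: the help example in this PR writes `resourcegroups` in lower case, while the identity keys Azure returns usually say `resourceGroups`, and an exact string match would reject a correctly assigned identity.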
Testing Guide
History Notes

[Compute] `az vmss create`: Add `--encryption-identity` parameter to use that managed identity for Azure disk encryption

[Compute] `az vmss encryption enable`: Add `--encryption-identity` parameter to update or set encryption identity for Azure disk encryption

This checklist is used to make sure that common guidelines for a pull request are followed.

- The PR title and description has followed the guideline in Submitting Pull Requests.
- I adhere to the Command Guidelines.
- I adhere to the Error Handling Guidelines.