Using CMK with Cognitive Services

Gayatri Krishnan 66 Reputation points
2022-07-27T00:34:22.79+00:00

It looks like the services that support CMK encryption in Cognitive Services don't allow a user-managed identity to link with the Key Vault integration. As soon as I try to change to the CMK encryption setting, the system-managed identity turns on and I get the following error about the access policy.

Access KeyVault 'https://test-kv01.vault.azure.net' with managed identity is forbidden. Please configure the access policy in your KeyVault to allow managed identity to wrap & unwrap with keys.

In our organization, only the RBAC model is allowed with Key Vault. I have given the user-managed identity the Key Vault Secret User and Key Vault Crypto Service Encryption User roles. As I noticed the system-managed identity was turning on, I also gave the necessary RBAC roles to that identity.

Can anyone help me figure out how to set up CMK encryption with a system/user-managed identity using the RBAC model?

Thanks,

Gayatri


1 answer

  1. Gayatri Krishnan 66 Reputation points
    2022-07-27T04:21:26.047+00:00

    I have figured this out. CMK encryption is supported only through the system-managed identity and can work with the RBAC model. The identity needs the following roles on Key Vault to run smoothly:

    1. Key Vault Secrets User
    2. Key Vault Crypto Encryption User

    The error mentioned in my previous post was appearing because the role assignment had not taken effect yet.

    4 people found this answer helpful.
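
The role grant described in the answer, sketched with Azure CLI as an added example (not part of the original post): it assigns the roles to the account's system-assigned identity at vault scope only, then polls until the assignments are listed, since the answer attributes the error to the assignment not yet being effective. The account, resource group and vault names are placeholders, and the role names are passed in as arguments.

```shell
#!/usr/bin/env bash
# Added example. Account, resource group and vault names are placeholders.

# Print the object ID of the account's system-assigned identity (empty if none).
identity_principal_id() {  # args: <account> <resource-group>
  az cognitiveservices account show --name "$1" --resource-group "$2" \
    --query identity.principalId --output tsv
}

# Assign each role to the identity, scoped to the vault only (least privilege).
grant_vault_roles() {  # args: <principal-id> <vault-resource-id> <role>...
  local principal="$1" scope="$2" role
  shift 2
  for role in "$@"; do
    az role assignment create --assignee-object-id "$principal" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "$scope" --output none || return 1
  done
}

# Poll until every role is listed for the identity at the vault scope.
# Returns 1 if a role is still missing after <attempts> polls.
wait_for_roles() {  # args: <attempts> <delay-sec> <principal-id> <scope> <role>...
  local attempts="$1" delay="$2" principal="$3" scope="$4" role n try
  shift 4
  for role in "$@"; do
    try=1
    while :; do
      n=$(az role assignment list --assignee "$principal" --scope "$scope" \
            --role "$role" --query 'length(@)' --output tsv) || n=0
      [ "${n:-0}" -ge 1 ] && break
      [ "$try" -ge "$attempts" ] && return 1
      try=$((try + 1))
      sleep "$delay"
    done
  done
  return 0
}

# Usage (placeholder names):
#   pid=$(identity_principal_id my-account my-rg)
#   kv=$(az keyvault show --name my-vault --query id --output tsv)
#   grant_vault_roles "$pid" "$kv" "Key Vault Secrets User" "Key Vault Crypto Service Encryption User"
#   wait_for_roles 10 30 "$pid" "$kv" "Key Vault Secrets User" "Key Vault Crypto Service Encryption User"
```

A listed assignment can still take a few minutes to be honored by the vault, so retry the CMK change if it is rejected right after the poll succeeds.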