Hi @CHEN XIAOJIE ,
Thanks for posting this question on the Microsoft Q&A platform and for using Azure Services.
As I understand your ask, you want to get the version or information about the updated date of CMK by Azure CLI.
We have the keyVaultKeyUri property, which tells if CMK is enabled in the Cosmos account.
az cosmosdb show \
-n $accountName \
-g $resourceGroupName \
--query keyVaultKeyUri
If the key needs to be rotated, it can be done as follows in PowerShell:
$resourceGroupName = "myResourceGroup"
$accountName = "mycosmosaccount"
$newKeyUri = "https://<my-vault>.vault.azure.net/keys/<my-new-key>"
$account = Get-AzResource -ResourceGroupName $resourceGroupName -Name $accountName `
-ResourceType "Microsoft.DocumentDb/databaseAccounts"
$account.Properties.keyVaultKeyUri = $newKeyUri
$account | Set-AzResource -Force
The previous key or key version can be disabled after the Azure Key Vault audit logs don't show activity from Azure Cosmos DB on that key or key version anymore. No more activity should take place on the previous key or key version after 24 hours of key rotation.
Note: You can't configure customer-managed keys with a specific version of the key version when you create a new Azure Cosmos DB account. The key itself must be passed with no versions and no trailing backslashes.
Reference Link: how-to-setup-cross-tenant-customer-managed-keys
I hope this should help. If you are looking specifically to check the updated date of CMK, I could internally check and update.
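
An added example, not part of the original answer: a shell sketch that splits the keyVaultKeyUri value into vault host, key name and version, checks that it is versionless with no trailing slash as the note above requires, and then asks Key Vault for the key's current version and last-updated date. The function names are hypothetical; `cmk_updated` assumes a logged-in Azure CLI with read access to the key.

```shell
# Key Vault key identifiers have the form https://<vault-host>/keys/<name>[/<version>].

# parse_key_uri URI -> prints "host name version" (version is "-" when absent)
parse_key_uri() {
  local uri="$1" rest host name version
  case "$uri" in
    https://*/keys/*) ;;
    *) echo "not a Key Vault key URI: $uri" >&2; return 1 ;;
  esac
  rest="${uri#https://}"
  host="${rest%%/*}"
  rest="${rest#*/keys/}"
  # Reject an empty key name or a trailing slash.
  case "$rest" in
    ""|*/) echo "trailing slash or empty key name: $uri" >&2; return 1 ;;
  esac
  name="${rest%%/*}"
  if [ "$name" = "$rest" ]; then version="-"; else version="${rest#*/}"; fi
  case "$version" in
    */*) echo "unexpected extra path segment: $uri" >&2; return 1 ;;
  esac
  printf '%s %s %s\n' "$host" "$name" "$version"
}

# is_versionless URI -> exit 0 only if the URI names a key without a version
is_versionless() {
  local parsed
  parsed="$(parse_key_uri "$1")" || return 1
  [ "${parsed##* }" = "-" ]
}

# cmk_updated ACCOUNT RESOURCE_GROUP -> current key version id and its updated date.
# Calls Azure; nothing in this block invokes it automatically.
cmk_updated() {
  local uri
  uri="$(az cosmosdb show -n "$1" -g "$2" --query keyVaultKeyUri -o tsv)" || return 1
  parse_key_uri "$uri" >/dev/null || return 1
  # A versionless identifier passed to --id resolves to the key's current version;
  # key.kid in the output carries the full versioned identifier.
  az keyvault key show --id "$uri" \
    --query '{version:key.kid, updated:attributes.updated}' -o json
}
```

Call it as `cmk_updated "$accountName" "$resourceGroupName"` after `az login`.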