Cosmos DB - How can I get the version or info(updated date) of CMK by CLI?

Jess 96 Reputation points

I want to know if the CMK of the Cosmos DB account is updated or not. So I want to try using CLI to get that info, how can I do that?

If there is no command to do that, please tell me some other ways to do that programmatically.

Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,264 questions
{count} votes

Accepted answer
  1. ShaktiSingh-MSFT 11,061 Reputation points Microsoft Employee

    Hi @Jess ,

    If CMK updated by replacing the full URI to the key in Key Vault, this is not something we expose in the control plane log analytics. Here is a reference of all the control plane requests that can be captured in log analytics tables/cdbcontrolplanerequests There are no operations listed for updates to the CMK property for a databaseAccount resource so unlikely there would be a way to know if/when customer updated CMK by replacing the key vault uri on an account.

    However, if we are generating a new version of the key within Key Vault (See below) then likely this information can be retrieved from Key Vault service itself.


    Please let us know if this helps and let us know if further queries. Thanks!

1 additional answer

Sort by: Most helpful
  1. ShaktiSingh-MSFT 11,061 Reputation points Microsoft Employee

    Hi @Jess ,

    Thanks for posting this question in Microsoft Q&A platform and for using Azure Services.

    As I understand your ask, you want to get the version or information about the updated date of CMK by Azure CLI.

    We have keyVaultKeyUri property which tells if CMK is enabled in Cosmos Account.

    az cosmosdb show \  
        -n $accountName \  
        -g $resourceGroupName \  
        --query keyVaultKeyUri  

    If the Key needs to be rotated, it can be done as follows in Powershell:

    $resourceGroupName = "myResourceGroup"  
    $accountName = "mycosmosaccount"  
    $newKeyUri = "https://<my-vault><my-new-key>"  
    $account = Get-AzResource -ResourceGroupName $resourceGroupName -Name $accountName `  
        -ResourceType "Microsoft.DocumentDb/databaseAccounts"  
    $account.Properties.keyVaultKeyUri = $newKeyUri  
    $account | Set-AzResource -Force  

    The previous key or key version can be disabled after the Azure Key Vault audit logs don't show activity from Azure Cosmos DB on that key or key version anymore. No more activity should take place on the previous key or key version after 24 hours of key rotation.

    Note: You can't configure customer-managed keys with a specific version of the key version when you create a new Azure Cosmos DB account. The key itself must be passed with no versions and no trailing backslashes.
    Reference Link: how-to-setup-cross-tenant-customer-managed-keys

    I hope this should help. If you are looking specifically to check the updated date of CMK, I could internally check and update.

    0 comments No comments