How to enable key vault permission for disk encryption set using Azure Python SDK API calls?

Prem Jha 45 Reputation points
2023-10-20T13:42:34.8966667+00:00

I am setting up disk encryption using a key vault, but I'm unable to grant permission to the key vault after creating the Disk Encryption Set (DES). The overview section of the DES shows a warning that reads: "To associate a disk, image, or snapshot with this disk encryption set, you must grant permissions to the key vault 'vaultxyz'." I need to grant access to the key vault using Python SDK API calls. Can someone please provide guidance on how to achieve this? Thanks!


Accepted answer
    JamesTran-MSFT 36,631 Reputation points Microsoft Employee
    2023-10-25T18:57:48.01+00:00

    @Prem Jha

    Thank you for your post and I apologize for the delayed response!

    To grant permissions to the Key Vault for your Disk Encryption Set using the Python SDK, you should be able to leverage the azure.mgmt.keyvault package. For more info - Key Vault Resource Management.

    When setting up your disk encryption set using CLI, you'll notice that you need to assign the following Key permissions - wrapkey, unwrapkey, get.

    az keyvault set-policy -n $keyVaultName \
    -g $rgName \
    --object-id $desIdentity \
    --key-permissions wrapkey unwrapkey get
    

    To grant access policy permissions through the Azure SDK for Python, you can reference the code snippet below, which should hopefully point you in the right direction. For more info.

    from azure.identity import DefaultAzureCredential
    from azure.mgmt.keyvault import KeyVaultManagementClient


    def main():
        # Management-plane client for the subscription that owns the vault.
        client = KeyVaultManagementClient(
            credential=DefaultAzureCredential(),
            subscription_id="00000000-0000-0000-0000-000000000000",
        )

        # "add" appends a policy entry for the given object ID (for a DES, the
        # principal ID of its managed identity) without touching the vault's
        # other policies. The permission lists below are the doc sample's; a DES
        # needs the key permissions named above (wrapkey, unwrapkey, get).
        response = client.vaults.update_access_policy(
            resource_group_name="sample-group",
            vault_name="sample-vault",
            operation_kind="add",
            parameters={
                "properties": {
                    "accessPolicies": [
                        {
                            "objectId": "00000000-0000-0000-0000-000000000000",
                            "permissions": {"certificates": ["get"], "keys": ["encrypt"], "secrets": ["get"]},
                            "tenantId": "00000000-0000-0000-0000-000000000000",
                        }
                    ]
                }
            },
        )
        print(response)


    if __name__ == "__main__":
        main()
    

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
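The answer above gives the CLI permission set and a generic SDK sample; the following is an added example (not from the answer or the Azure docs) that ties the two together: it grants a DES's managed identity exactly get, wrapKey and unwrapKey, refuses to write an access policy to a vault that uses Azure RBAC (where policies are ignored), and reads the vault back to confirm the grant. The subscription ID is a placeholder; the resource group, vault and DES names are hypothetical, and the SDK client is passed in so the grant logic can be exercised without Azure.

```python
from typing import Any, Dict, List

# Least-privilege key permissions for a DES; the same set as the CLI line in
# the answer (az keyvault set-policy --key-permissions wrapkey unwrapkey get).
DES_KEY_PERMISSIONS: List[str] = ["get", "wrapKey", "unwrapKey"]


def build_des_access_policy(principal_id: str, tenant_id: str) -> Dict[str, Any]:
    """Payload for vaults.update_access_policy(operation_kind="add").
    Only key permissions are granted: a DES needs no secrets or certificates."""
    return {"properties": {"accessPolicies": [{
        "objectId": principal_id,
        "tenantId": tenant_id,
        "permissions": {"keys": list(DES_KEY_PERMISSIONS)},
    }]}}


def grant_des_key_permissions(kv_client, resource_group: str, vault_name: str,
                              principal_id: str, tenant_id: str) -> List[str]:
    """Add the policy, re-read the vault and return the key permissions now
    recorded for the DES identity (empty list if the policy did not land)."""
    vault = kv_client.vaults.get(resource_group, vault_name)
    # Access policies are ignored by a vault that uses Azure RBAC; such a vault
    # needs a role assignment (Key Vault Crypto Service Encryption User) instead.
    if getattr(vault.properties, "enable_rbac_authorization", False):
        raise ValueError(f"{vault_name} uses RBAC; assign a role, not a policy")
    kv_client.vaults.update_access_policy(
        resource_group_name=resource_group, vault_name=vault_name,
        operation_kind="add",
        parameters=build_des_access_policy(principal_id, tenant_id))
    vault = kv_client.vaults.get(resource_group, vault_name)
    for policy in vault.properties.access_policies or []:
        if policy.object_id == principal_id:
            return list(policy.permissions.keys or [])
    return []


if __name__ == "__main__":
    # Azure imports live here so the functions above import without the SDK.
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.compute import ComputeManagementClient
    from azure.mgmt.keyvault import KeyVaultManagementClient

    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
    rg, vault, des_name = "sample-group", "sample-vault", "sample-des"  # hypothetical
    cred = DefaultAzureCredential()
    # The DES's system-assigned identity is the principal the vault must trust.
    des = ComputeManagementClient(cred, sub).disk_encryption_sets.get(rg, des_name)
    print(grant_des_key_permissions(KeyVaultManagementClient(cred, sub), rg, vault,
                                    des.identity.principal_id, des.identity.tenant_id))
```

After the grant, the warning on the DES overview page should clear; if the returned list is empty, the policy was not written and the DES still cannot wrap its key.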

