How to correctly create a key in Key Vault with custom policy?

Joey 125 Reputation points
2024-10-26T04:17:14.8833333+00:00

I want to use the Azure Portal to create a key in Key Vault for release, to test the Secure Key Release feature with AKV and Azure Confidential Computing (ACC).

First, I think I have to set up a correct Key Vault access policy for my SNP-CVM. As described in that document:

Set a Key Vault access policy to grant the managed identity the "release" key permission. A policy allows the confidential virtual machine to access the Key Vault and perform the release operation. If using Key Vault Managed HSM, assign the "Managed HSM Crypto Service Release User" role membership.

To achieve this, I have already enabled the system-managed identity of my Azure SNP-CVM instance. My question is how to assign the "release key permission". I am not sure whether it refers to a role named "Key Vault Crypto Service Release User" in the portal, because its description says, "Only works for key vaults that use the 'Azure role-based access control' permission model." Besides, I cannot find the "Managed HSM Crypto Service Release User" role.


The second thing is "Create an exportable key in AKV with attached SKR policy."

I found that I cannot create it in the portal with a custom policy. As the figure below shows, the policy editor is always in read-only mode. I want to ask how I can configure a custom policy when creating a key in Key Vault. Is it a permission issue? I have assigned roles including "Key Vault Crypto Officer", "Key Vault Contributor", and "Key Vault Administrator" to myself.

I have also tried to create this key using Azure CLI, as introduced in that article, but failed. I reported the issue in another posting (link).

Does anyone know how to fix these issues? Any suggestions would be appreciated.


Accepted answer
  1. Sina Salam 12,011 Reputation points
    2024-10-26T14:18:53.17+00:00

    Hello Joey,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having issues with how to create a key in Key Vault with a custom policy.

    First, check the simplest way of implementing Key Vault configuration in one of my articles; your challenge seems to be the policy, and the process might guide you. Here, I will provide eight steps that guide you through:

    1. To assign the “release” key permission to your SNP-CVM’s managed identity, you need to set up an access policy in Azure Key Vault. Steps to do it:
      1. Navigate to your Key Vault in the Azure Portal.
      2. Go to the “Access policies” section.
      3. Click on “Add Access Policy”.
      4. Configure the access policy:
      5. Permissions: Select “Key Permissions” and then choose “release”.
      6. Principal: Select the managed identity of your SNP-CVM.
      7. Save the changes.
      8. The “release” permission is specific to the Key Vault access policy model and not to the Azure role-based access control (RBAC) model. Therefore, you won’t find a role named “Key Vault Crypto Service Release User” in the RBAC roles.
    2. Creating an exportable key with an SKR policy: you are encountering issues with the policy editor being read-only. This could be due to permission issues or the way the policy is being applied. Here are the steps to create the key using Azure CLI, which might help bypass the portal limitations. So, create the SKR policy JSON file:
         {
           "version": "1.0.0",
           "anyOf": [
             {
               "authority": "https://sharedweu.weu.attest.azure.net",
               "allOf": [
                 {
                   "claim": "x-ms-isolation-tee.x-ms-attestation-type",
                   "equals": "sevsnpvm"
                 },
                 {
                   "claim": "x-ms-isolation-tee.x-ms-compliance-status",
                   "equals": "azure-compliant-cvm"
                 }
               ]
             }
           ]
         }
      
    3. Then use Azure CLI to create the key:

           az keyvault key create --exportable true --vault-name <YourKeyVaultName> --kty RSA-HSM --name <YourKeyName> --policy @<PathToYourPolicyFile>

       NB: Before you do the above:
    4. Make sure your managed identity has the necessary permissions to perform this operation. If you encounter issues with the Azure CLI, make sure your environment is correctly set up and that the managed identity has the appropriate permissions. If you’re facing issues with the Azure CLI such as the “failed to connect to MSI” error, it might be related to the managed identity setup or network configurations.
    5. Make sure that the Key Vault is set up with the appropriate permission model, as SKR requires Key Vaults with the "Azure role-based access control" permission model for the "release" permission. If you are using a Managed HSM instance, make sure the "Managed HSM Crypto Service Release User" role is assigned to the managed identity of your SNP-CVM. This role is specifically for Managed HSM configurations and may not appear under regular Key Vaults.
    6. As mentioned above, for SNP-CVMs, ensure that the managed identity attached to the virtual machine has the correct permissions. Follow these steps: Go to Key Vault > Access Policies and add a policy for the managed identity with the "release" key permission.
    7. Double-check the policy JSON file format, ensuring it matches the documentation exactly. If policy creation still fails, consider adding the following commands to troubleshoot:

    az keyvault key create --exportable true --vault-name <YourKeyVaultName> --kty RSA-HSM --name <YourKeyName> --policy @<PathToYourPolicyFile>

    8. For permission and troubleshooting:
      1. Azure CLI should be running in a secure environment with network configurations allowing access to the Key Vault and Identity services.
      2. Both Key Vault Firewall and SNP-CVM Network Security Groups (NSG) settings allow the managed identity access to Key Vault resources.
      3. The Key Vault and SNP-CVM should be in the same region to avoid any potential network latency or connectivity issues that could cause this error.
      4. For the read-only issue with the SKR policy editor, confirm that your user account has sufficient permissions (e.g., Key Vault Administrator). If issues persist, try using the Azure CLI to configure custom SKR policies, as some UI limitations may restrict certain actions.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

    1 person found this answer helpful.
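
A local pre-check for the policy file that step 7 of the answer says to double-check, as an added example that is not part of the original answer or of Microsoft's tooling. It checks only the shape used by the policy shown above (a `version` string, `anyOf` entries with an https `authority` and `allOf` claim/`equals` pairs) and does not cover the service's full policy grammar; the names `lint_skr_policy` and `SAMPLE_POLICY` are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample: same content as the policy file shown in the answer.
SAMPLE_POLICY = """
{"version": "1.0.0",
 "anyOf": [{"authority": "https://sharedweu.weu.attest.azure.net",
            "allOf": [
              {"claim": "x-ms-isolation-tee.x-ms-attestation-type", "equals": "sevsnpvm"},
              {"claim": "x-ms-isolation-tee.x-ms-compliance-status", "equals": "azure-compliant-cvm"}]}]}
"""

def lint_skr_policy(text):
    """Return a list of problems; an empty list means the shape matches."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical causes: trailing commas, or curly quotes pasted from a web page.
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]
    errors = []
    if not isinstance(policy.get("version"), str):
        errors.append("version: missing or not a string")
    entries = policy.get("anyOf")
    if not isinstance(entries, list) or not entries:
        return errors + ["anyOf: missing or empty list of authority entries"]
    for i, entry in enumerate(entries):
        where = f"anyOf[{i}]"
        if not isinstance(entry, dict):
            errors.append(f"{where}: not an object")
            continue
        # The authority is the attestation service whose token is trusted.
        url = urlparse(str(entry.get("authority", "")))
        if url.scheme != "https" or not url.netloc:
            errors.append(f"{where}.authority: must be an https URL")
        conditions = entry.get("allOf")
        if not isinstance(conditions, list) or not conditions:
            errors.append(f"{where}.allOf: missing or empty list of claim conditions")
            continue
        for j, cond in enumerate(conditions):
            ok = isinstance(cond, dict) and isinstance(cond.get("claim"), str) and "equals" in cond
            if not ok:
                errors.append(f"{where}.allOf[{j}]: needs a string 'claim' and an 'equals' value")
    return errors

if __name__ == "__main__":
    for problem in lint_skr_policy(SAMPLE_POLICY) or ["policy shape OK"]:
        print(problem)
```

Running it against the file before passing it to `--policy` separates a malformed file from a permission or identity failure.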
