Use a customer-managed key (CMK) with an Docker "Container Instance"

Question

Use a customer-managed key (CMK) with an Docker "Container Instance"

LIGEngelsen 75

I'm building my first container instance in Azure.

When I get to the "Advanced" options, I have the ability to configure "key management".

I want to use a customer-managed key (CMK). I followed the instructions within this KB article to enable a customer-managed key. However, when I try creating the container instance, they CMK option is (still) greyed out.

Screenshot 2025-04-21 at 10.02.03 PM

What do I need to do, to use a CMK with an Azure Container Instance?

Anusree Nashetty 3,355 Reputation points Microsoft External Staff Moderator

2025-04-22T16:09:33.29+00:00

Hi LIGEngelsen,

Could you please provide me more details.

The document which you have provided is to Enable Customer Managed Identity for Container Registry not for Container Instances. The CMK configuration you're seeing in ACI’s "Advanced" tab refers to encryption-at-rest for supported resources.

In which region are you trying to deploy Container Instance?
While choosing Images source in the Basics tab, which option are you selecting?
The Key Vault might not have the proper access policies, please set the Key Permissions to include Get and Unwrap Key.

For detailed information, please check: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data

Accepted answer

0 additional answers

Your answer

Anusree Nashetty 3,355 Reputation points Microsoft External Staff Moderator

2025-04-22T16:09:33.29+00:00

Hi LIGEngelsen,

Could you please provide me more details.

The document which you have provided is to Enable Customer Managed Identity for Container Registry not for Container Instances. The CMK configuration you're seeing in ACI’s "Advanced" tab refers to encryption-at-rest for supported resources.

In which region are you trying to deploy Container Instance?
While choosing Images source in the Basics tab, which option are you selecting?
The Key Vault might not have the proper access policies, please set the Key Permissions to include Get and Unwrap Key.

For detailed information, please check: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data

Answer 1

TP 118.8K Moderator

Hi,

It appears you don't have ACI service principal in your tenant. To create it, please open up Azure Cloud Shell and run below command:

az ad sp create --id 6bb8e274-af5d-4df2-98a3-4fd78b4cafd9

After executing the command you can double-check it has been created using below command:

az ad sp show --id 6bb8e274-af5d-4df2-98a3-4fd78b4cafd9

Now that service principal has been created, please close the Create container instance screen (as shown in your screenshot) if you have it open, and then start the Create process from scratch. When you get to Advanced tab check to see if CMK option is enabled.

When creating your Key Vault, please refer to article below. Additionally, the article has important information related to encrypting ACI using CMK:

Encrypt deployment data

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data

Please click Accept Answer and upvote if the above was helpful. If you have questions please add a comment below.

Thanks.

-TP

TP 118.8K Reputation points Moderator

2025-04-23T12:38:45.84+00:00

@LIGEngelsen Any update?
LIGEngelsen 75 Reputation points

2025-04-23T13:54:31.7466667+00:00

Yes. I was def. over complicating things. Creating the service principal as identified in the KB article worked. I was then able to create a key within the vault. Once the key was created, I was able to use a CMK with the Container Instance. Thanks for your help!

Share via

Use a customer-managed key (CMK) with an Docker "Container Instance"

0 additional answers

Your answer