Sql Resources - Get Client Encryption Key

Service:

Cosmos DB Resource Provider

API Version:

2024-11-15

Gets the ClientEncryptionKey under an existing Azure Cosmos DB SQL database.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/sqlDatabases/{databaseName}/clientEncryptionKeys/{clientEncryptionKeyName}?api-version=2024-11-15

URI Parameters

Name	In	Required	Type	Description
accountName	path	True	string minLength: 3 maxLength: 50 pattern: ^[a-z0-9]+(-[a-z0-9]+)*	Cosmos DB database account name.
clientEncryptionKeyName	path	True	string	Cosmos DB ClientEncryptionKey name.
databaseName	path	True	string	Cosmos DB database name.
resourceGroupName	path	True	string minLength: 1 maxLength: 90	The name of the resource group. The name is case insensitive.
subscriptionId	path	True	string minLength: 1	The ID of the target subscription.
api-version	query	True	string minLength: 1	The API version to use for this operation.

Responses

Name	Type	Description
200 OK	ClientEncryptionKeyGetResults	The ClientEncryptionKey was retrieved successfully.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	Impersonate your user account

Examples

CosmosDBClientEncryptionKeyGet

Sample request

HTTP

GET https://management.azure.com/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.DocumentDB/databaseAccounts/accountName/sqlDatabases/databaseName/clientEncryptionKeys/cekName?api-version=2024-11-15

Java

/**
 * Samples for SqlResources GetClientEncryptionKey.
 */
public final class Main {
    /*
     * x-ms-original-file: specification/cosmos-db/resource-manager/Microsoft.DocumentDB/stable/2024-11-15/examples/
     * CosmosDBSqlClientEncryptionKeyGet.json
     */
    /**
     * Sample code: CosmosDBClientEncryptionKeyGet.
     * 
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void cosmosDBClientEncryptionKeyGet(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.cosmosDBAccounts().manager().serviceClient().getSqlResources().getClientEncryptionKeyWithResponse(
            "rgName", "accountName", "databaseName", "cekName", com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Python

from azure.identity import DefaultAzureCredential

from azure.mgmt.cosmosdb import CosmosDBManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-cosmosdb
# USAGE
    python cosmos_db_sql_client_encryption_key_get.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = CosmosDBManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="subId",
    )

    response = client.sql_resources.get_client_encryption_key(
        resource_group_name="rgName",
        account_name="accountName",
        database_name="databaseName",
        client_encryption_key_name="cekName",
    )
    print(response)


# x-ms-original-file: specification/cosmos-db/resource-manager/Microsoft.DocumentDB/stable/2024-11-15/examples/CosmosDBSqlClientEncryptionKeyGet.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Go

package armcosmos_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v3"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/ded6306d00ae294c24211e5069c1f56b15ba8ef5/specification/cosmos-db/resource-manager/Microsoft.DocumentDB/stable/2024-11-15/examples/CosmosDBSqlClientEncryptionKeyGet.json
func ExampleSQLResourcesClient_GetClientEncryptionKey() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armcosmos.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewSQLResourcesClient().GetClientEncryptionKey(ctx, "rgName", "accountName", "databaseName", "cekName", nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.ClientEncryptionKeyGetResults = armcosmos.ClientEncryptionKeyGetResults{
	// 	Name: to.Ptr("cekName"),
	// 	Type: to.Ptr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/clientEncryptionKey"),
	// 	ID: to.Ptr("/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.DocumentDB/databaseAccounts/accountName/sqlDatabases/databaseName/clientEncryptionKeys/cekName"),
	// 	Properties: &armcosmos.ClientEncryptionKeyGetProperties{
	// 		Resource: &armcosmos.ClientEncryptionKeyGetPropertiesResource{
	// 			EncryptionAlgorithm: to.Ptr("AEAD_AES_256_CBC_HMAC_SHA256"),
	// 			ID: to.Ptr("cekName"),
	// 			KeyWrapMetadata: &armcosmos.KeyWrapMetadata{
	// 				Name: to.Ptr("customerManagedKey"),
	// 				Type: to.Ptr("AzureKeyVault"),
	// 				Algorithm: to.Ptr("RSA-OAEP"),
	// 				Value: to.Ptr("AzureKeyVault Key URL"),
	// 			},
	// 			WrappedDataEncryptionKey: []byte("U3dhZ2dlciByb2Nrcw=="),
	// 			Etag: to.Ptr("00000000-0000-0000-7a1f-bc0828e801d7"),
	// 			Rid: to.Ptr("tNc4AAAAAAAQkjzWAgAAAA=="),
	// 			Ts: to.Ptr[float32](1626425552),
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

JavaScript

const { CosmosDBManagementClient } = require("@azure/arm-cosmosdb");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Gets the ClientEncryptionKey under an existing Azure Cosmos DB SQL database.
 *
 * @summary Gets the ClientEncryptionKey under an existing Azure Cosmos DB SQL database.
 * x-ms-original-file: specification/cosmos-db/resource-manager/Microsoft.DocumentDB/stable/2024-11-15/examples/CosmosDBSqlClientEncryptionKeyGet.json
 */
async function cosmosDbClientEncryptionKeyGet() {
  const subscriptionId = process.env["COSMOSDB_SUBSCRIPTION_ID"] || "subId";
  const resourceGroupName = process.env["COSMOSDB_RESOURCE_GROUP"] || "rgName";
  const accountName = "accountName";
  const databaseName = "databaseName";
  const clientEncryptionKeyName = "cekName";
  const credential = new DefaultAzureCredential();
  const client = new CosmosDBManagementClient(credential, subscriptionId);
  const result = await client.sqlResources.getClientEncryptionKey(
    resourceGroupName,
    accountName,
    databaseName,
    clientEncryptionKeyName,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:

200

{
  "id": "/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.DocumentDB/databaseAccounts/accountName/sqlDatabases/databaseName/clientEncryptionKeys/cekName",
  "name": "cekName",
  "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/clientEncryptionKey",
  "properties": {
    "resource": {
      "id": "cekName",
      "encryptionAlgorithm": "AEAD_AES_256_CBC_HMAC_SHA256",
      "wrappedDataEncryptionKey": "U3dhZ2dlciByb2Nrcw==",
      "keyWrapMetadata": {
        "name": "customerManagedKey",
        "type": "AzureKeyVault",
        "value": "AzureKeyVault Key URL",
        "algorithm": "RSA-OAEP"
      },
      "_rid": "tNc4AAAAAAAQkjzWAgAAAA==",
      "_ts": 1626425552,
      "_etag": "00000000-0000-0000-7a1f-bc0828e801d7"
    }
  }
}

Definitions

Name	Description
ClientEncryptionKeyGetResults	Client Encryption Key.
KeyWrapMetadata	Represents key wrap metadata that a key wrapping provider can use to wrap/unwrap a client encryption key.
Resource

ClientEncryptionKeyGetResults

Object

Client Encryption Key.

Name	Type	Description
id	string	The unique resource identifier of the database account.
name	string	The name of the database account.
properties.resource	Resource
type	string	The type of Azure resource.

KeyWrapMetadata

Object

Represents key wrap metadata that a key wrapping provider can use to wrap/unwrap a client encryption key.

Name	Type	Description
algorithm	string	Algorithm used in wrapping and unwrapping of the data encryption key.
name	string	The name of associated KeyEncryptionKey (aka CustomerManagedKey).
type	string	ProviderName of KeyStoreProvider.
value	string	Reference / link to the KeyEncryptionKey.

Resource

Object

Name	Type	Description
_etag	string	A system generated property representing the resource etag required for optimistic concurrency control.
_rid	string	A system generated property. A unique identifier.
_ts	number	A system generated property that denotes the last updated timestamp of the resource.
encryptionAlgorithm	string	Encryption algorithm that will be used along with this client encryption key to encrypt/decrypt data.
id	string	Name of the ClientEncryptionKey
keyWrapMetadata	KeyWrapMetadata	Metadata for the wrapping provider that can be used to unwrap the wrapped client encryption key.
wrappedDataEncryptionKey	string (byte)	Wrapped (encrypted) form of the key represented as a byte array.