az cosmosdb sql container create command with a client Encryption Policy attached does NOT actually create the policy

Describe the bug

When running az cosmosdb sql container create -g "<resource-group>" -a "<account>" -d "<database>" -n "<container>" --partition-key-path "/partitionKey" --cep @policy-file.json , the Encryption Policy is not applied.

Command Name

az cosmosdb sql container create

Errors:

None

To Reproduce:

Steps to reproduce the behavior.

  1. create a cosmosdb database - done via the azure portal
  2. create a ClientEncryptionKey (created via PowerShell as I have not found an Azure CLI native command to do this)

         $myKeyWrapMetadataObject = [Microsoft.Azure.Commands.CosmosDB.Models.PSSqlKeyWrapMetadata]::new([Microsoft.Azure.Management.CosmosDB.Models.KeyWrapMetadata]::new("key1", "AZURE_KEY_VAULT", "url-to-key-vault-key", "RSA-OAEP"))
         New-AzCosmosDbClientEncryptionKey -AccountName $accountName -DatabaseName $databaseName -ResourceGroupName "d-weu-shrd-rg" -Name $keyName -EncryptionAlgorithmName "AEAD_AES_256_CBC_HMAC_SHA256" -KeyWrapMetadata $myKeyWrapMetadataObject

  3. create a container with an encryption policy via Azure CLI

         az cosmosdb sql container create -g "<resource-group>" -a "<account>" -d "<database>" -n "<container>" --partition-key-path "/partitionKey" --cep @policy-file.json

     Content of the policy-file.json

         {
           "includedPaths": [
             {
               "path": "/password",
               "clientEncryptionKeyId": "key1",
               "encryptionAlgorithm": "AEAD_AES_256_CBC_HMAC_SHA256",
               "encryptionType": "Deterministic"
             }
           ],
           "policyFormatVersion": 2
         }

Current Behavior

Below is the output from the az cosmosdb sql container create command [image]

Expected Behavior

This is the output of the az cosmosdb sql container show command run against a container created via the .Net CosmosSDK. Code is located in the azure-cosmos-dotnet-v3 repo in the samples .sln, encryption project. It shows the encryption policies. [image]

Environment Summary

Tried locally on my Windows 10 Enterprise 20H2, as well as in the Azure DevOps pipeline CLI task

azure-cli 2.42.0

Issue Analytics

  • State: closed
  • Created 10 months ago
  • Comments: 8 (3 by maintainers)
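
A post-creation check for the silent failure this issue describes, as an added example (not code from the issue or from Azure CLI): it compares policy-file.json with the JSON printed by az cosmosdb sql container show and lists what is missing. The two show outputs are constructed samples, and the resource.clientEncryptionPolicy location and the name policy_gaps are assumptions.

```python
import json

# Policy content from the issue's policy-file.json.
REQUESTED = json.loads("""{
  "includedPaths": [{
    "path": "/password",
    "clientEncryptionKeyId": "key1",
    "encryptionAlgorithm": "AEAD_AES_256_CBC_HMAC_SHA256",
    "encryptionType": "Deterministic"}],
  "policyFormatVersion": 2}""")

# Constructed, trimmed `az cosmosdb sql container show` outputs. The
# resource.clientEncryptionPolicy location is an assumption.
SHOW_WITHOUT_POLICY = {"name": "c1",
                       "resource": {"id": "c1", "clientEncryptionPolicy": None}}
SHOW_WITH_POLICY = {"name": "c1",
                    "resource": {"id": "c1", "clientEncryptionPolicy": REQUESTED}}

PATH_FIELDS = ("clientEncryptionKeyId", "encryptionAlgorithm", "encryptionType")


def policy_gaps(requested, shown):
    """Return differences between requested and applied policy ([] = applied)."""
    applied = (shown.get("resource") or {}).get("clientEncryptionPolicy")
    if not applied:
        # The case from the issue: create succeeded, no policy on the container.
        return ["container has no clientEncryptionPolicy"]
    gaps = []
    if applied.get("policyFormatVersion") != requested.get("policyFormatVersion"):
        gaps.append("policyFormatVersion differs")
    applied_paths = {p.get("path"): p for p in applied.get("includedPaths") or []}
    for want in requested.get("includedPaths", []):
        got = applied_paths.get(want["path"])
        if got is None:
            gaps.append(f"{want['path']}: not in applied policy")
            continue
        for field in PATH_FIELDS:
            if got.get(field) != want.get(field):
                gaps.append(f"{want['path']}: {field} is {got.get(field)!r}, "
                            f"expected {want.get(field)!r}")
    return gaps


if __name__ == "__main__":
    for label, shown in (("without policy", SHOW_WITHOUT_POLICY),
                         ("with policy", SHOW_WITH_POLICY)):
        print(label, "->", policy_gaps(REQUESTED, shown) or "policy applied")
```

In a pipeline, load the real show output with json.load and fail the job when policy_gaps returns a non-empty list, so documents are not written to a container that lacks the policy.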

Top GitHub Comments

pavelplesca commented, Dec 13, 2022 (1 reaction)

Solution worked. Thanks a lot.

SaurabhSharma-MSFT commented, Dec 9, 2022 (0 reactions)

@pavelplesca If you want to use the old cli, use bash task to install old CLI:

# Specify python version
- task: UsePythonVersion@0
  inputs:
    versionSpec: '3.x'
    architecture: 'x64'
 
# Update to a specify Azure CLI version
- bash: |
    pip install -Iv azure-cli==X.XX.X --extra-index-url https://azurecliprod.blob.core.windows.net/edge
    az --version
  displayName: 'Use Azure CLI X.XX.X'

Please Note:

The keys used in the policy should be created upfront. Azure CLI does not support creating Client Encryption Keys. We do have PowerShell support that you can leverage, which provides support to create Client Encryption Keys and containers with Client Encryption Policy. Please refer to the documentation below -
