

Explicitly passing the KV access token (#12)
Removing the permission check from the do-not-retry logic, as permissions take time to propagate to AKV
azure-lm authored Feb 29, 2024
1 parent b598856 commit 43fc7e8
Showing 2 changed files with 4 additions and 7 deletions.
4 changes: 0 additions & 4 deletions common/const/doNotRetryErrorCodes.json
Expand Up @@ -12,10 +12,6 @@
{
"code": "ReferencedResourceNotProvisioned",
"errorDescription": "Cannot proceed with operation because the resource is not in Succeeded state."
},
{
"code": "UserNotAuthorized",
"errorDescription": "User is not authorized to create a particular resource/subscription"
}
]
}
Expand Up @@ -94,20 +94,21 @@ try {
Invoke-Sqlcmd @varParams

# Generate CMK settings using key from key vault
$varCmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyURL $parColumnMasterKeyUrl -AllowEnclaveComputations
$keyVaultAccessToken = (Get-AzAccessToken -ResourceUrl https://vault.azure.net).Token
$varCmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyURL $parColumnMasterKeyUrl -AllowEnclaveComputations -KeyVaultAccessToken $keyVaultAccessToken

# Provision CMK and CEK to SQL Server
Write-Information ">>> Provisioning Always Encrypted keys." -InformationAction Continue
$Database = Get-SqlDatabase -ConnectionString $varDbConnectionString
New-SqlColumnMasterKey -Name "CMK1" -InputObject $Database -ColumnMasterKeySettings $varCmkSettings
New-SqlColumnEncryptionKey -Name "CEK1" -InputObject $Database -ColumnMasterKey "CMK1"
New-SqlColumnEncryptionKey -Name "CEK1" -InputObject $Database -ColumnMasterKey "CMK1" -KeyVaultAccessToken $keyVaultAccessToken

# Encrypt the selected columns
Write-Information ">>> Encrypting SSN and Salary columns." -InformationAction Continue
$CES = @()
$CES += New-SqlColumnEncryptionSettings -ColumnName "HR.Employees.SSN" -EncryptionType "Randomized" -EncryptionKey "CEK1"
$CES += New-SqlColumnEncryptionSettings -ColumnName "HR.Employees.Salary" -EncryptionType "Randomized" -EncryptionKey "CEK1"
Set-SqlColumnEncryption -InputObject $Database -ColumnEncryptionSettings $CES -UseOnlineApproach -LogFileDirectory .
Set-SqlColumnEncryption -InputObject $Database -ColumnEncryptionSettings $CES -UseOnlineApproach -LogFileDirectory . -KeyVaultAccessToken $keyVaultAccessToken

Write-Information ">>> Database initialization complete." -InformationAction Continue
}
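Review bot: The new `Get-AzAccessToken` line has no failure handling, so when no Az context is available the `.Token` member access on a null result yields an empty token that is silently passed to `New-SqlAzureKeyVaultColumnMasterKeySettings`, `New-SqlColumnEncryptionKey` and `Set-SqlColumnEncryption`, surfacing only as a less direct error at the first Key Vault call; I would write `$keyVaultAccessToken = (Get-AzAccessToken -ResourceUrl https://vault.azure.net -ErrorAction Stop).Token` followed by `if (-not $keyVaultAccessToken) { throw "Failed to acquire a Key Vault access token." }`. The token is acquired once and reused through `Set-SqlColumnEncryption -UseOnlineApproach`, which on large tables can run long enough for a fixed-lifetime token to expire before the final step, so a comment noting the assumption (or re-acquiring the token just before that call) seems worth adding. Since the token now lives in a plain script variable, a short comment such as `# Bearer token for AKV; never log or echo this value` would help keep it out of transcripts and diagnostics. The enclosing `try` block starts before this hunk, so whether the `catch` reports these failures clearly is not visible here.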
