Add HSM support to Key Vault #1717
Conversation
Force-pushed f681b39 to 160e128
@Fred-sun or @xuzhang3 Can one of you run the integration tests? I've tested as much as my account allows me, but I don't have permission to download the security domain file in my org.
I've also had limited success running this in the pipeline; I either get "5 HSMs are already deployed" or a gateway timeout.
Thanks.
Sure, I will run these tests.
@p3ck can you help migrate the vendor-sdk to azure-keyvault-administration for KV HSM management?
I've looked at this and it doesn't seem to have the methods to actually set up the HSM for use. Please see this:
https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/quick-create-cli
The piece that is missing is the security-domain download.

On Mon, Sep 23, 2024 at 2:11 AM xuzhang3 wrote:
@p3ck can you help migrate the vendor-sdk to azure-keyvault-administration for KV HSM management?
https://learn.microsoft.com/en-us/python/api/overview/azure/keyvault-administration-readme?view=azure-python
Force-pushed df9353d to 96ee472
I have been able to test some of this locally.
As you can see, I was able to download the security domain, which involves uploading the public certs and specifying the minimum number for quorum. I am unable to test the key generation since I don't have permission to do that. I don't think my account has the correct permissions from my org, since I tried the following as well:
I've also opened an issue in the azure-cli package asking if the vendored_sdks files can be broken out into a separate package.
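The security-domain download described in the comment above (and in the quick-create-cli walkthrough linked earlier in the thread) needs RSA wrapping certificates and a quorum before the `az keyvault security-domain download` call can succeed. The following is an added example, not code from this PR or from the ansible-collections project: it generates the self-signed wrapping certificates with openssl the way the Azure quick-start does, validates the certificate count and quorum against the Managed HSM limits (3 to 10 certificates, quorum of at least 2 and at most the number of certificates), and wraps the download command. The HSM name, directory and output file name are placeholders; `az` itself is not invoked by the checks.

```shell
#!/bin/sh
# Added example (not part of the PR): prerequisites for a Managed HSM
# security-domain download. Assumes openssl and the Azure CLI are installed
# and that the caller already has the Managed HSM Crypto Officer role.
set -eu

# check_quorum NUM_CERTS QUORUM
# Returns 0 when the pair is accepted by Managed HSM (3..10 certs, 2..N quorum).
check_quorum() {
  n=$1; q=$2
  [ "$n" -ge 3 ] && [ "$n" -le 10 ] || return 1
  [ "$q" -ge 2 ] && [ "$q" -le "$n" ] || return 1
  return 0
}

# gen_wrapping_certs DIR N
# Creates N self-signed RSA-2048 certificates cert_0 .. cert_(N-1) in DIR,
# mirroring the quick-start's "openssl req ..." step. Only the .cer (public)
# files are uploaded to Azure; the .key files stay local and are required to
# unwrap the security domain later, so losing them makes the domain unusable.
gen_wrapping_certs() {
  dir=$1; n=$2
  mkdir -p "$dir"
  i=0
  while [ "$i" -lt "$n" ]; do
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/cert_$i.key" \
      -x509 -days 365 -out "$dir/cert_$i.cer" \
      -subj "/CN=sd-wrapping-key-$i" 2>/dev/null
    chmod 600 "$dir/cert_$i.key"
    i=$((i + 1))
  done
}

# download_security_domain HSM_NAME DIR N QUORUM OUTFILE
# Validates the inputs, then runs the download command from the quick-start.
download_security_domain() {
  hsm=$1; dir=$2; n=$3; q=$4; out=$5
  check_quorum "$n" "$q" || {
    echo "refusing: $n certs with quorum $q is outside Managed HSM limits" >&2
    return 1
  }
  keys=""
  i=0
  while [ "$i" -lt "$n" ]; do
    keys="$keys $dir/cert_$i.cer"
    i=$((i + 1))
  done
  # $keys is intentionally unquoted so each path becomes its own argument.
  # shellcheck disable=SC2086
  az keyvault security-domain download --hsm-name "$hsm" \
    --sd-wrapping-keys $keys --sd-quorum "$q" --security-domain-file "$out"
}

# Example invocation (placeholder names):
#   gen_wrapping_certs ./certs 3
#   download_security_domain ContosoMHSM ./certs 3 2 ContosoMHSM-SD.json
```

The quorum check is deliberately separate from the download so a wrong `n`/`q` pair fails before any network call, which matters when the caller is a pipeline identity that, as the later comments note, may not even hold the permissions to create keys.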
Force-pushed d00d1c9 to 14d9582
Waiting for Azure/azure-sdk-for-python#37929 to finalize so we can use the SDK.
@p3ck Please help resolve the conflict, and push the merge forward after testing once the relevant PR is released in April. Thank you!
This has been updated to use the new python-sdk, azure-keyvault-securitydomain==1.0.0b1
@p3ck
Creating and deleting keys prompts authorization issues. I'm still reading. Thank you!
I don't actually have an account with enough permissions to test the creation of the HSM keys. I am able to create the HSM key vault with the security domain, but I'm not able to create the HSM keys even with the Azure CLI command. I tried adding the correct permissions via the web interface, but I still don't know which role is needed.
@p3ck Your changes themselves are fine and can be merged directly. But our test would also be added to the pipeline cycle task. Because the SPN of the periodic task has no access permission, the HSM vault key creation will fail. So it is suggested to delete or comment out the tests related to the HSM vault key (lines 567 to 654). This way, it can be merged into the repo more quickly. Thank you!
Updated to use python-sdk
I've updated the test cases to remove the HSM test cases for now. The tests run to completion for me now.
SUMMARY
Add support for HSM in KeyVault module(s)
ISSUE TYPE
COMPONENT NAME
plugins/modules/azure_rm_keyvault.py
plugins/modules/azure_rm_keyvault_info.py
plugins/modules/azure_rm_keyvaultsecuritydomain.py
ADDITIONAL INFORMATION
The vendored_sdks is copied directly from azure-cli. It doesn't seem to be packaged in the azure-python-sdk, which is where I think it should go.