Azure / azure-cli

Azure Command-Line Interface
MIT License

[Feature Request]: Replace pull default SKR policy from github with MAA Service Discovery API and Policy template #28720

Closed praenubilus closed 4 months ago

praenubilus commented 5 months ago

Related command

az keyvault key create --default-cvm-policy

Is your feature request related to a problem? Please describe.

Today the default CVM SKR policy is pulled from a public GitHub repo:
https://raw.githubusercontent.com/Azure/confidential-computing-cvm/main/cvm_deployment/key/skr-policy.json . This will hit performance issues as the default policy file expands, and it also raises security concerns.

Describe the solution you'd like

We have decided to replace the current implementation with the MAA Service Discovery API to get the regional default provider and fill it into the template as follows:

{
    "anyOf": [
        {
            "allOf": [
                {
                    "claim": "x-ms-compliance-status",
                    "equals": "azure-compliant-cvm"
                }
            ],
            "authority": "{regional-maa-endpoint}"
        }
    ],
    "version": "1.0.0"
}

The service discovery API from MAA:

GET https://management.azure.com/subscriptions/{your_subscription}/providers/Microsoft.Attestation/Locations/{your_location}/defaultProvider?api-version=2020-10-01

Here is a reference application in Azure PowerShell for getting the default provider by location.

This REST API is a call to ARM, so all that's required is an Azure subscription and an identity (e.g., user, service principal, MSI identity, etc.) with RBAC permissions to access that subscription's resources.

For Mooncake, Fairfax, USNat and USSec the API path /subscriptions/{your_subscription}/providers/Microsoft.Attestation/Locations/{your_location}/defaultProvider?api-version=2020-10-01 remains the same, but the ARM endpoint https://management.azure.com/ will be different (see below).

Describe alternatives you've considered

NA

Additional context

The current implementation in the repo: https://github.com/evelyn-ys/azure-cli/blob/f80e7d293c730547742871957e18eaac0f95cfb4/src/azure-cli/azure/cli/command_modules/keyvault/_validators.py#L29
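The flow the issue proposes (call the ARM service discovery endpoint for the region, take the default MAA provider it returns, drop that authority into the policy template) as an added example in Python. This is not azure-cli's code and not the PR that closed the issue. It assumes the defaultProvider response is an AttestationProvider resource whose `properties.attestUri` holds the regional MAA endpoint, and it assumes the sovereign-cloud ARM hosts from Azure documentation; the issue itself only gives the public-cloud host and the path. The sample discovery response is constructed.

```python
"""Added example (not azure-cli's own code): build the default CVM SKR
release policy from the MAA service discovery API rather than from a
policy file fetched from GitHub."""
import json
import urllib.request
from urllib.parse import urlsplit

# Path from the issue; it is the same in every cloud, only the ARM host changes.
DISCOVERY_PATH = ("/subscriptions/{subscription}/providers/Microsoft.Attestation"
                  "/Locations/{location}/defaultProvider?api-version=2020-10-01")

# Public-cloud host is from the issue; the sovereign-cloud hosts are the
# documented ARM endpoints for those clouds (assumption, not from the issue).
ARM_ENDPOINTS = {
    "AzureCloud": "https://management.azure.com",
    "AzureChinaCloud": "https://management.chinacloudapi.cn",
    "AzureUSGovernment": "https://management.usgovcloudapi.net",
}


def discovery_url(subscription, location, arm_endpoint=ARM_ENDPOINTS["AzureCloud"]):
    """Build the defaultProvider URL for one subscription and region."""
    # Both values end up in a URL path: accept only the characters Azure uses
    # for subscription ids and location names, so nothing can alter the path.
    if not all(c.isalnum() or c == "-" for c in subscription) or not location.isalnum():
        raise ValueError("subscription id or location contains unexpected characters")
    return arm_endpoint.rstrip("/") + DISCOVERY_PATH.format(
        subscription=subscription, location=location)


def maa_authority_from_response(body):
    """Extract the regional MAA endpoint from a defaultProvider response.

    Assumption: the response is an AttestationProvider resource and the
    endpoint lives at properties.attestUri. The authority is the trust anchor
    of the release policy, so anything that is not a plain https origin is
    rejected rather than written into the policy.
    """
    try:
        uri = body["properties"]["attestUri"]
    except (KeyError, TypeError):
        raise ValueError("discovery response has no properties.attestUri")
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"refusing non-https or malformed MAA authority: {uri!r}")
    return uri.rstrip("/")


def build_default_cvm_policy(authority):
    """Fill the template from the issue with the discovered regional authority.

    The policy is assembled as a dict instead of string-substituting into the
    JSON text, so the authority value can never break the document structure.
    """
    return {
        "anyOf": [
            {
                "allOf": [
                    {"claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm"}
                ],
                "authority": authority,
            }
        ],
        "version": "1.0.0",
    }


def fetch_default_cvm_policy(subscription, location, bearer_token,
                             arm_endpoint=ARM_ENDPOINTS["AzureCloud"]):
    """Online path: call ARM with a bearer token that has read access to the
    subscription (any identity with suitable RBAC, as the issue notes)."""
    req = urllib.request.Request(
        discovery_url(subscription, location, arm_endpoint),
        headers={"Authorization": "Bearer " + bearer_token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    return build_default_cvm_policy(maa_authority_from_response(body))


# Constructed sample of what the discovery call is assumed to return; only the
# fields this example reads are shown.
SAMPLE_DISCOVERY_RESPONSE = {
    "name": "sharedexample",
    "type": "Microsoft.Attestation/attestationProviders",
    "properties": {"attestUri": "https://shared-example.eastus.attest.azure.net/"},
}


if __name__ == "__main__":
    authority = maa_authority_from_response(SAMPLE_DISCOVERY_RESPONSE)
    print(json.dumps(build_default_cvm_policy(authority), indent=4))
```

Run it as-is to see the filled template for the constructed sample; call `fetch_default_cvm_policy` with a real subscription id, region and ARM access token to go through the discovery API. For a sovereign cloud pass the matching `ARM_ENDPOINTS` value as `arm_endpoint`; the path does not change.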

yonzhan commented 5 months ago

Thank you for opening this issue, we will look into it.