Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

Cannot Use CMK with User Assigned Identity for Cognitive Service Face API #18726

Open myc2h6o opened 2 years ago

myc2h6o commented 2 years ago

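Hi, I'm testing the [customer-managed key](https://docs.microsoft.com/azure/cognitive-services/face/encrypt-data-at-rest#enable-customer-managed-keys-for-your-resource) of Cognitive Service Face API, it works fine if I use System-assigned managed identity, but not with User-assigned managed identity. I also tested the [Cognitive Service Speech Service](https://docs.microsoft.com/azure/cognitive-services/speech-service/speech-encryption-of-data-at-rest), both System-assigned and User-assigned managed identity work fine for it. Would like to know if this is a restriction for Face API or a bug. Thanks!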

I created the resources on Azure Portal, and updated the encryption settings for Speech Service and Face API using REST API, below is the detail of the REST API requests:

Speech Service (Succeed with identityClientId):

```
PATCH https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/yicma-cognitive/providers/Microsoft.CognitiveServices/accounts/yicma-speech-service?api-version=2022-03-01

{
    "properties": {
        "Encryption": {
            "KeySource": "Microsoft.KeyVault",
            "KeyVaultProperties": {
                "KeyName": "key0",
                "keyversion": "f3c815d306024db2a006663c8ec76c8a",
                "KeyVaultUri": "https://yicmakv20220419.vault.azure.net",
                "identityClientId": "c770523f-a326-4558-a5ca-da9e9b2ee4ca"
            }
        }
    }
}
```

Response code is 200, and I checked with a GET request, the encryption property is set successfully.

Face API (Not working)

```
PATCH https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/yicma-cognitive/providers/Microsoft.CognitiveServices/accounts/yicma-face-api?api-version=2022-03-01

{
    "properties": {
        "Encryption": {
            "KeySource": "Microsoft.KeyVault",
            "KeyVaultProperties": {
                "KeyName": "key0",
                "keyversion": "f3c815d306024db2a006663c8ec76c8a",
                "KeyVaultUri": "https://yicmakv20220419.vault.azure.net/",
                "identityClientId": "c770523f-a326-4558-a5ca-da9e9b2ee4ca"
            }
        }
    }
}
```

Response code is 202, and after a while, I checked with a GET request when `provisioningState` becomes `Succeeded`, the encryption property is not present.

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.

Issue Details
Author: myc2h6o
Assignees: -
Labels: `question`, `KeyVault`, `Service Attention`, `customer-reported`, `needs-triage`
Milestone: -
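
The manual check described in the issue (GET the account once `provisioningState` is `Succeeded`, then look for the encryption property) can be scripted so that a silently dropped customer-managed key setting is caught. This is an added example, not code from the issue or from the Azure repository; the two GET bodies are constructed samples, and it assumes the account echoes the settings under `properties.encryption` with the same field names as the request.

```python
# Request body from the issue; the GET responses below are constructed samples.
REQUESTED = {"properties": {"Encryption": {
    "KeySource": "Microsoft.KeyVault",
    "KeyVaultProperties": {
        "KeyName": "key0",
        "keyversion": "f3c815d306024db2a006663c8ec76c8a",
        "KeyVaultUri": "https://yicmakv20220419.vault.azure.net/",
        "identityClientId": "c770523f-a326-4558-a5ca-da9e9b2ee4ca"}}}}
SPEECH_GET = {"properties": {"provisioningState": "Succeeded", "encryption": {
    "keySource": "Microsoft.KeyVault",
    "keyVaultProperties": {
        "keyName": "key0",
        "keyVersion": "f3c815d306024db2a006663c8ec76c8a",
        "keyVaultUri": "https://yicmakv20220419.vault.azure.net",
        "identityClientId": "c770523f-a326-4558-a5ca-da9e9b2ee4ca"}}}}
FACE_GET = {"properties": {"provisioningState": "Succeeded"}}  # encryption missing

def _ci(obj, key):
    """Case-insensitive lookup: the request uses 'Encryption', a response may not."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() == key.lower():
                return v
    return None

def _settings(doc):
    """Return (encryption present?, normalized settings) for a request or GET body."""
    enc = _ci(_ci(doc, "properties"), "encryption")
    kv = _ci(enc, "keyVaultProperties") or {}
    out = {k.lower(): str(v) for k, v in kv.items()}
    for k in ("keyvaulturi", "identityclientid"):  # trailing slash / case are not real diffs
        if k in out:
            out[k] = out[k].rstrip("/").lower()
    out["keysource"] = _ci(enc, "keySource")
    return enc is not None, out

def verify_cmk(requested, account):
    """List of findings; empty means the requested CMK settings are in effect."""
    state = _ci(_ci(account, "properties"), "provisioningState")
    if state != "Succeeded":
        return [f"provisioningState is {state!r}; poll again before judging"]
    _, want = _settings(requested)
    present, got = _settings(account)
    if not present:
        return ["encryption property absent: customer-managed key not applied"]
    return [f"{k}: requested {want[k]!r}, account has {got.get(k)!r}"
            for k in sorted(want) if want[k] != got.get(k)]

if __name__ == "__main__":
    for name, body in (("speech", SPEECH_GET), ("face", FACE_GET)):
        print(name, verify_cmk(REQUESTED, body) or "CMK applied as requested")
```

An empty result for an account means the key, vault and identity it reports match what was requested; any finding means the data-at-rest configuration should not be treated as customer-managed.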