Azure Data Explorer encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For extra control over encryption keys, you can supply customer-managed keys to use for data encryption.

Customer-managed keys must be stored in an Azure Key Vault. You can create your own keys and store them in a key vault, or you can use an Azure Key Vault API to generate keys. The Azure Data Explorer cluster and the key vault must be in the same region, but they can be in different subscriptions. For a detailed explanation of customer-managed keys, see customer-managed keys with Azure Key Vault. This article shows you how to configure customer-managed keys.

To configure customer-managed keys with Azure Data Explorer, you must set two properties on the key vault: Soft Delete and Do Not Purge. These properties aren't enabled by default. To enable them, follow Enabling soft-delete and Enabling Purge Protection in PowerShell or Azure CLI on a new or existing key vault. Only RSA keys of size 2048 are supported. For more information about keys, see Key Vault keys.

Azure portal

The following steps explain how to enable customer-managed keys encryption using the Azure portal. By default, Azure Data Explorer encryption uses Microsoft-managed keys.

1. In the Azure portal, go to your Azure Data Explorer cluster resource.
2. Select Settings > Encryption in the left pane of the portal.
3. In the Encryption pane, select On for the Customer-managed key setting.
4. In the Select key from Azure Key Vault window, select an existing Key vault from the dropdown list. If you select Create new to create a new Key Vault, you'll be routed to the Create Key Vault screen. To ensure that this key always uses the latest key version, select the Always use current key version checkbox.
5. Under Identity type, select System Assigned or User Assigned. If you select User Assigned, pick a user assigned identity from the dropdown.
6. In the Encryption pane that now contains your key, select Save. When CMK creation succeeds, you'll see a success message in Notifications.

If you select system assigned identity when enabling customer-managed keys for your Azure Data Explorer cluster, you'll create a system assigned identity for the cluster if one doesn't exist. In addition, you'll be granting the required get, wrapKey, and unwrapKey permissions to your Azure Data Explorer cluster on the selected Key Vault and retrieving the Key Vault properties. Select Off to remove the customer-managed key after it has been created.

C#

The following sections explain how to configure customer-managed keys encryption using the Azure Data Explorer C# client.

Prerequisites:

- Install the Azure Data Explorer (Kusto) NuGet package.
- Install the MSAL NuGet package for authentication with Azure Active Directory (Azure AD).

Authentication

To run the examples in this article, create an Azure AD application and service principal that can access resources. You can add a role assignment at the subscription scope and get the required Azure AD Directory (tenant) ID, Application ID, and Application Secret.

The following code snippet demonstrates how to use the Microsoft Authentication Library (MSAL) to acquire an Azure AD application token to access your cluster. For the flow to succeed, the application must be registered with Azure AD and you must have the credentials for application authentication, such as an Azure AD-issued application key or an Azure AD-registered X.509v2 certificate.

Configure customer managed keys

By default, Azure Data Explorer encryption uses Microsoft-managed keys. Configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster. Update your cluster by using the following code:

```csharp
using Microsoft.Azure.Management.Kusto;
using Microsoft.Identity.Client;
using Microsoft.Rest;

var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; // Azure AD Directory (tenant) ID
var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; // Application ID
var clientSecret = "PlaceholderClientSecret"; // Application secret
var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";

// Create a confidential authentication client for Azure AD
var authClient = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
    .WithClientSecret(clientSecret) // can be replaced by .WithCertificate to authenticate with an X.509 certificate
    .Build();

// Define scopes for accessing the Azure management plane
string[] scopes = { "https://management.core.windows.net/.default" };

// Acquire an application token for the management plane
AuthenticationResult result = authClient.AcquireTokenForClient(scopes).ExecuteAsync().Result;

// Wrap the bearer token as ARM credentials and build the Kusto management client
var credentials = new TokenCredentials(result.AccessToken, result.TokenType);
var kustoManagementClient = new KustoManagementClient(credentials)
{
    SubscriptionId = subscriptionId
};
```
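The snippet above stops after building the management client; the cluster update that actually assigns the key is not on the page. The following is an added example, not the article's or the Azure SDK's own code, showing how that update would be issued with the Microsoft.Azure.Management.Kusto client and then verified by reading the cluster back. It assumes a `kustoManagementClient` built as in the snippet above, and the resource group, cluster, key vault and key names are placeholders.

```csharp
using System;
using Microsoft.Azure.Management.Kusto;
using Microsoft.Azure.Management.Kusto.Models;

// Placeholder resource names (assumed; replace with your own).
var resourceGroupName = "<resource-group-name>";
var clusterName = "<cluster-name>";
var keyVaultUri = "https://<key-vault-name>.vault.azure.net/";
var keyName = "<key-name>";
string keyVersion = null; // null = always use the current key version; set a version string to pin it

// Key reference the cluster will use to wrap/unwrap its data-encryption keys.
var keyVaultProperties = new KeyVaultProperties
{
    KeyVaultUri = keyVaultUri,
    KeyName = keyName,
    KeyVersion = keyVersion,
};

// The cluster needs a managed identity that holds get, wrapKey and unwrapKey on the vault.
// A system-assigned identity is requested here; the vault access policy for that identity
// must already be in place (the portal flow does this for you; the SDK path does not).
var clusterUpdate = new ClusterUpdate
{
    Identity = new Identity { Type = IdentityType.SystemAssigned },
    KeyVaultProperties = keyVaultProperties,
};

// Long-running ARM operation; the SDK polls until the update completes (assumed client from above).
kustoManagementClient.Clusters.Update(resourceGroupName, clusterName, clusterUpdate);

// Verify: read the cluster back and check that the key reference now in effect is the one requested.
Cluster cluster = kustoManagementClient.Clusters.Get(resourceGroupName, clusterName);
bool keyApplied =
    cluster.KeyVaultProperties != null &&
    string.Equals(cluster.KeyVaultProperties.KeyVaultUri, keyVaultUri, StringComparison.OrdinalIgnoreCase) &&
    cluster.KeyVaultProperties.KeyName == keyName;

if (!keyApplied)
{
    throw new InvalidOperationException("Customer-managed key was not applied to the cluster.");
}

Console.WriteLine($"Cluster {cluster.Name} now encrypts with key '{cluster.KeyVaultProperties.KeyName}' from {cluster.KeyVaultProperties.KeyVaultUri}");
```

Leaving `KeyVersion` null corresponds to the portal's "Always use current key version" checkbox, so a key rotation in the vault is picked up without another cluster update; pinning a version means rotation requires re-running the update with the new version. The read-back check is worth keeping in any automation: a cluster that silently stays on Microsoft-managed keys because the identity lacked wrapKey/unwrapKey looks identical to a successful run if you only inspect the update call's return.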