Add Azure CMEK support and improve documentation structure #20022
+123
−11
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for cockroachdb-interactivetutorials-docs canceled.
|
✅ Deploy Preview for cockroachdb-api-docs canceled.
|
✅ Netlify Preview
To edit notification comments on pull requests, go to your Netlify project configuration. |
sanchit-CRL
reviewed
Jul 30, 2025
| @@ -14,7 +14,6 @@ CockroachDB {{ site.data.products.advanced }} clusters on Azure have the followi | |||
|
|
|||
| - A cluster must have at minimum three nodes. A multi-region cluster must have at minimum three nodes per region. Single-node clusters are not supported on Azure. | |||
| - The following [PCI-Ready]({% link cockroachcloud/pci-dss.md %}) and HIPAA features are not yet available on Azure. However, CockroachDB {{ site.data.products.advanced }} on Azure meets or exceeds the requirements of SOC 2 Type 2. Refer to [Regulatory Compliance in CockroachDB {{ site.data.products.advanced }}]({% link cockroachcloud/compliance.md %}). | |||
| - [Customer Managed Encryption Keys (CMEK)]({% link cockroachcloud/cmek.md %}) | |||
| - [Egress Perimeter Controls]({% link cockroachcloud/egress-perimeter-controls.md %}) | |||
There was a problem hiding this comment.
Egress Perimeter control and CMEK both will be supported for Azure post the release to make Azure PCI compliant.
| @@ -106,6 +110,14 @@ This section shows how to enable CMEK on a CockroachDB {{ site.data.products.adv | |||
| ~~~ | |||
| </section> | |||
|
|
|||
| <section class="filter-content" markdown="1" data-scope="azure"> | |||
|
|
|||
| 1. Make a note of your {{ site.data.products.cloud }} organization ID in the [Organization settings page](https://cockroachlabs.cloud/settings). | |||
There was a problem hiding this comment.
There is no need of the org ID in case of enabling CMEK on Azure, so we may remove this
| <section class="filter-content" markdown="1" data-scope="azure"> | ||
|
|
||
| 1. Make a note of your {{ site.data.products.cloud }} organization ID in the [Organization settings page](https://cockroachlabs.cloud/settings). | ||
| 1. Find your {{ site.data.products.advanced }} cluster's ID. From the CockroachDB {{ site.data.products.cloud }} console [Clusters list](https://cockroachlabs.cloud/clusters), click the name of a cluster to open its **Cluster Overview** page. From the page's URL make a note of the **last 12 digits** of the portion of the URL before `/overview/`. This is the cluster ID. |
There was a problem hiding this comment.
In case of Azure the cluster id is the entire uuid and not just the last 12 digits.
| This creates an enterprise application in your Azure tenant that CockroachDB Cloud can use to access your Key Vault. It is named using the following format: | ||
|
|
||
| ~~~ | ||
| ClusterIdentity-<azure_cluster_identity_client_id> |
There was a problem hiding this comment.
This has been renamed to CockroachDB Cloud - <CLUSTER_ID> also azure_cluster_identity_client_id is not the place holder here, rather the cluster id is the place holder
|
|
||
| 1. In the Azure portal, navigate to your Key Vault > **Access control (IAM)** > **Add role assignment**. | ||
| 1. Select the **Key Vault Crypto Officer** role, and select the option to assign access to **User, group, or service principal**. | ||
| 1. Click **Select members**, then search for the enterprise application created above: `ClusterIdentity-<azure_cluster_identity_client_id>` |
There was a problem hiding this comment.
Suggested change
| 1. Click **Select members**, then search for the enterprise application created above: `ClusterIdentity-<azure_cluster_identity_client_id>` | |
| 1. Click **Select members**, then search for the enterprise application created above: `CockroachDB Cloud - <CLUSTER_ID>` |
| @@ -332,6 +382,23 @@ Make a note of the key ring name. | |||
|
|
|||
| Click **SAVE**. Make a note of the key ring name. | |||
|
|
|||
| </section> | |||
|
|
|||
| <section class="filter-content" markdown="1" data-scope="azure"> | |||
There was a problem hiding this comment.
This section doesn't appear in the Step 2. Create the CMEK key in the Azure tab, in the documentation link specified in the PR
Also I feel the IAM permission In the Azure portal, navigate to your Key Vault > **Access control (IAM)** > **Add role assignment**. must be given post the key creation step.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
DOC-9889
Summary:
This PR documents the new Customer-Managed Encryption Keys (CMEK) support for CockroachDB Cloud Advanced clusters on Microsoft Azure, enabling customers to use their own encryption keys stored in Azure Key Vault.
To preview the updated pages:
(click the Azure tab)
Changes:
managing-cmek.mdcmek.mdcockroachdb-advanced-on-azure.md- Removed CMEK from list of features "not yet available on Azure"releases/cloud.md- Added release note announcing Azure CMEK availability