Closed
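--- a/src/azure-cli/azure/cli/command_modules/sql/_params.py
+++ b/src/azure-cli/azure/cli/command_modules/sql/_params.py
@@ -283,8 +283,9 @@ def get_location_type_with_default_from_resource_group(cli_ctx):
 
 kid_param_type = CLIArgumentType(
 options_list=['--kid', '-k'],
-help='The Azure Key Vault key identifier of the server key. An example key identifier is '
-'"https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901"')
+help='The Azure Key Vault key identifier of the server key. Supports versioned and versionless key IDs. '
+'Examples: "https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901" '
+'or "https://YourVaultName.vault.azure.net/keys/YourKeyName"')
 
 server_key_type_param_type = CLIArgumentType(
 options_list=['--server-key-type', '-t'],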
26 changes: 20 additions & 6 deletions src/azure-cli/azure/cli/command_modules/sql/custom.py
@@ -4802,20 +4802,34 @@ def _get_server_key_name_from_uri(uri):
Gets the key's name to use as a SQL server key.

The SQL server key API requires that the server key has a specific name
based on the vault, key and key version.
based on the vault, key and optionally key version (supports versionless keys).
'''
import re

match = re.match(r'https://(.)+\.(managedhsm.azure.net|managedhsm-preview.azure.net|vault.azure.net|vault-int.azure-int.net|vault.azure.cn|managedhsm.azure.cn|vault.usgovcloudapi.net|managedhsm.usgovcloudapi.net|vault.microsoftazure.de|managedhsm.microsoftazure.de|vault.cloudapi.eaglex.ic.gov|vault.cloudapi.microsoft.scloud)(:443)?\/keys/[^\/]+\/[0-9a-zA-Z]+$', uri)
# Updated regex pattern that supports both versioned and versionless keys
match = re.match(r'https://(.)+\.(managedhsm.azure.net|managedhsm-preview.azure.net|vault.azure.net|vault-int.azure-int.net|vault.azure.cn|managedhsm.azure.cn|vault.usgovcloudapi.net|managedhsm.usgovcloudapi.net|vault.microsoftazure.de|managedhsm.microsoftazure.de|vault.cloudapi.eaglex.ic.gov|vault.cloudapi.microsoft.scloud|mdep.azure.net)(:443)?\/keys/[^\/]+(\/[0-9a-zA-Z]+|\/|)$', uri)
Comment thread
simonzhang0428 marked this conversation as resolved.

if match is None:
raise CLIError('The provided uri is invalid. Please provide a valid Azure Key Vault key id. For example: '
'"https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901" '
raise CLIError('The provided uri is invalid. Please provide a valid Azure Key Vault key id. For example: '
'"https://YourVaultName.vault.azure.net/keys/YourKeyName/01234567890123456789012345678901" (versioned) '
'or "https://YourVaultName.vault.azure.net/keys/YourKeyName" (versionless) '
'or "https://YourManagedHsmRegion.YourManagedHsmName.managedhsm.azure.net/keys/YourKeyName/01234567890123456789012345678901"')

vault = uri.split('.')[0].split('/')[-1]
key = uri.split('/')[-2]
version = uri.split('/')[-1]

# Handle both versioned and versionless keys
uri_parts = uri.split('/')
key = uri_parts[-2] if len(uri_parts) > 4 else uri_parts[-1]

# Check if this is a versionless key (no version or ends with '/')
if uri.endswith('/') or len(uri_parts) < 6 or uri_parts[-1] == '':
Comment thread
simonzhang0428 marked this conversation as resolved.
# Versionless key: format is vault_key
key = uri_parts[-2] if uri.endswith('/') else uri_parts[-1]
return '{}_{}'.format(vault, key)

# Versioned key: format is vault_key_version
key = uri_parts[-2]
version = uri_parts[-1]
return '{}_{}_{}'.format(vault, key, version)


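Review bot: The host part of the new pattern in `_get_server_key_name_from_uri` is not confined to a hostname: `(.)+` also matches `/`, and the `.` characters inside the suffix alternation are unescaped, so a URI whose authority is not one of the listed Key Vault domains can still pass this check. The `uri.split('/')` indexing that follows assumes a fixed segment count (`len(uri_parts) < 6`), which only holds if the regex rejects extra slashes, so validation and parsing can disagree on which segment is the key and which is the version. I would change the prefix to `https://[^/]+\.`, escape the suffixes (for example `vault\.azure\.net`), and take the key and the optional version from capture groups of the match instead of re-splitting the string. The first assignment `key = uri_parts[-2] if len(uri_parts) > 4 else uri_parts[-1]` is overwritten on both paths and can be dropped, and `uri.endswith('/')` and `uri_parts[-1] == ''` test the same condition. The loose host pattern predates this change, but the new positional logic relies on it; how the derived name is used downstream is not visible in this hunk.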