New-AzCosmosDbClientEncryptionKey

Module:: Az.CosmosDB Module

Creates a new CosmosDB Client Encryption Key.

Syntax

ByNameParameterSet (Default)

New-AzCosmosDbClientEncryptionKey
    -ResourceGroupName <String>
    -AccountName <String>
    -DatabaseName <String>
    -Name <String>
    -EncryptionAlgorithmName <String>
    -KeyWrapMetadata <PSSqlKeyWrapMetadata>
    [-KeyEncryptionKeyResolver <IKeyEncryptionKeyResolver>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ByParentObjectParameterSet

New-AzCosmosDbClientEncryptionKey
    -Name <String>
    -EncryptionAlgorithmName <String>
    -KeyWrapMetadata <PSSqlKeyWrapMetadata>
    -SqlDatabaseObject <PSSqlDatabaseGetResults>
    [-KeyEncryptionKeyResolver <IKeyEncryptionKeyResolver>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

The New-AzCosmosDbClientEncryptionKey creates a new CosmosDB Client Encryption Key.

Examples

Example 1

$myKeyWrapMetadataObject = [Microsoft.Azure.Commands.CosmosDB.Models.PSSqlKeyWrapMetadata]::new([Microsoft.Azure.Management.CosmosDB.Models.KeyWrapMetadata]::new("myKekV1","AZURE_KEY_VAULT", "https://contoso.vault.azure.net/keys/myKekV1/78deebed173b48e48f55abf87ed4cf71", "RSA-OAEP"))
New-AzCosmosDbClientEncryptionKey -AccountName myAccountName -DatabaseName myDatabaseName -ResourceGroupName myRgName -Name myClientEncryptionKeyName -EncryptionAlgorithmName "AEAD_AES_256_CBC_HMAC_SHA256" -KeyWrapMetadata $myKeyWrapMetadataObject

Name     : myContainerName
Id       : /subscriptions/mySubscriptionId/resourceGroups/myRgName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/sqlDatabases/myDatabaseName/clientEncryptionKeys/myClientEncryptionKeyName
Resource : Microsoft.Azure.Commands.CosmosDB.Models.PSSqlClientEncryptionKeyGetPropertiesResource

This example shows how a new key is created. If KeyEncryptionKeyResolver is not passed Azure Key Vault KeyResolver is used by default. The first command creates a KeyWrapMetadata object with name myKekV1 of type AZURE_KEY_VAULT with value set to key id https://contoso.vault.azure.net/keys/myKekV1/78deebed173b48e48f55abf87ed4cf71 and algorithm type "RSA-OAEP" used to encrypt the key. In the second command a new key is created with name as set in myClientEncryptionKeyName variable and with KeyWrapMetadata set to value returned by first command.

Example 2

$myKeyWrapMetadataObject = [Microsoft.Azure.Commands.CosmosDB.Models.PSSqlKeyWrapMetadata]::new([Microsoft.Azure.Management.CosmosDB.Models.KeyWrapMetadata]::new("myKekV1","AZURE_KEY_VAULT", "https://contoso.vault.azure.net/keys/myKekV1/78deebed173b48e48f55abf87ed4cf71", "RSA-OAEP"))
$azureKeyVaultKeyResolver = [Azure.Security.KeyVault.Keys.Cryptography.KeyResolver]::new([Azure.Identity.DefaultAzureCredential]::new())
New-AzCosmosDbClientEncryptionKey -AccountName myAccountName -DatabaseName myDatabaseName -ResourceGroupName myRgName -Name myClientEncryptionKeyName -EncryptionAlgorithmName "AEAD_AES_256_CBC_HMAC_SHA256" -KeyWrapMetadata $myKeyWrapMetadataObject -KeyEncryptionKeyResolver $azureKeyVaultKeyResolver

Name     : myContainerName
Id       : /subscriptions/mySubscriptionId/resourceGroups/myRgName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/sqlDatabases/myDatabaseName/clientEncryptionKeys/myClientEncryptionKeyName
Resource : Microsoft.Azure.Commands.CosmosDB.Models.PSSqlClientEncryptionKeyGetPropertiesResource

This example shows how a new key is created and how KeyEncryptionKeyResolver can be passed as a parameter. The first command creates a KeyWrapMetadata object with name myKekV1 of type AZURE_KEY_VAULT with value set to key id https://contoso.vault.azure.net/keys/myKekV1/78deebed173b48e48f55abf87ed4cf71 and algorithm type "RSA-OAEP" used to encrypt the key. The second command creates a Azure Key Vault KeyResolver object using the Azure Default credentials. In the third command a new key is created with name as set in myClientEncryptionKeyName variable, KeyWrapMetadata set to value returned by first command and KeyEncryptionKeyResolver value set to KeyResolver object obtained via the second command.

Parameters

-AccountName

Name of the Cosmos DB database account.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ByNameParameterSet

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	cf

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-DatabaseName

Database name.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ByNameParameterSet

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Parameter properties

Type:	IAzureContextContainer
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-EncryptionAlgorithmName

Client Encryption Algorithm name.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-KeyEncryptionKeyResolver

IKeyEncryptionKeyResolver interface of type Azure.Core.Cryptography.IKeyEncryptionKeyResolver

Parameter properties

Type:	IKeyEncryptionKeyResolver
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	True
Value from pipeline by property name:	False
Value from remaining arguments:	False

-KeyWrapMetadata

KeyWrapMetaData Object of type Microsoft.Azure.Commands.CosmosDB.PSSqlKeyWrapMetadata.

Parameter properties

Type:	PSSqlKeyWrapMetadata
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	True
Value from pipeline:	True
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Name

Client Encryption Key name.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	ClientEncryptionKeyName

Parameter sets

(All)

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-ResourceGroupName

Name of resource group.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ByNameParameterSet

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-SqlDatabaseObject

Sql Database object.

Parameter properties

Type:	PSSqlDatabaseGetResults
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ByParentObjectParameterSet

Position:	Named
Mandatory:	True
Value from pipeline:	True
Value from pipeline by property name:	False
Value from remaining arguments:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	wi

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Share via

New-AzCosmosDbClientEncryptionKey

Syntax

ByNameParameterSet (Default)

ByParentObjectParameterSet

Description

Examples

Example 1

Example 2

Parameters

-AccountName

Parameter properties

Parameter sets

-Confirm

Parameter properties

Parameter sets

-DatabaseName

Parameter properties

Parameter sets

-DefaultProfile

Parameter properties

Parameter sets

-EncryptionAlgorithmName

Parameter properties

Parameter sets

-KeyEncryptionKeyResolver

Parameter properties

Parameter sets

-KeyWrapMetadata

Parameter properties

Parameter sets

-Name

Parameter properties

Parameter sets

-ResourceGroupName

Parameter properties

Parameter sets

-SqlDatabaseObject

Parameter properties

Parameter sets

-WhatIf

Parameter properties

Parameter sets

CommonParameters

Inputs

PSSqlKeyWrapMetadata

Byte

Microsoft.Data.Encryption.Cryptography.EncryptionKeyStoreProvider

PSSqlDatabaseGetResults

Outputs

PSSqlClientEncryptionKeyGetResults

ConflictingResourceException

Related Links

Feedback