Policy: Azure > AI Foundry > Account > Encryption at Rest > Customer Managed Key
The Key Vault key URL to use when Encryption at Rest is set to Check: Customer managed key or Enforce: Customer managed key.
Provide the key identifier URL in the form https://<vault-name>.vault.azure.net/keys/<key-name>. The key must already exist in CMDB as a Azure > Key Vault > Key resource — the control looks up the key by its kid and uses its name and vaultUrl when calling the Cognitive Services encryption API.
Leave empty to skip the Customer Managed Key sub-check (the parent Encryption at Rest policy still applies, and Check: Customer managed key will accept any customer-managed key when the URL is empty).
Note: Ensure the key vault key has the Key Vault Crypto Officer role assignment for the AI Foundry account's managed identity. The account uses its system-assigned identity to access the key.
Targets
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Controls
Setting this policy configures this control:
Policy Specification
Schema Type | |
|---|---|
Examples [YAML] | https://my-key-vault.vault.azure.net/keys/turbot-default-key |
Category
In Your Workspace
Developers
- tmod:@turbot/turbot#/control/categories/resourceEncryptionAtRest
- tmod:@turbot/azure-aifoundry#/policy/types/accountEncryptionAtRestCustomerManagedKey
- turbot graphql policy-type --id "tmod:@turbot/azure-aifoundry#/policy/types/accountEncryptionAtRestCustomerManagedKey"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-aifoundry#/policy/types/accountEncryptionAtRestCustomerManagedKey"
Get Policy TypeGet Policy Settings