Skip to content

EKM public facing endpoints #38258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: release-Microsoft.KeyVault-2026-01-01-preview
Choose a base branch
from
Open

EKM public facing endpoints #38258

wants to merge 1 commit into from

Conversation

@vasanthrajams
Copy link
Contributor

Introducing External Key manager functionality

@github-actions
Copy link

github-actions bot commented Oct 19, 2025
edited
Loading

Next Steps to Merge

Next steps that must be taken to merge this PR:
  • ❌ The required check named Swagger Avocado has failed. Refer to the check in the PR's 'Checks' tab for details on how to fix it and consult the aka.ms/ci-fix guide


Comment generated by summarize-checks workflow run.

@github-actions github-actions bot added data-plane TypeSpec Authored with TypeSpec labels Oct 19, 2025
@github-actions
Copy link

API Change Check

APIView identified API level changes in this PR and created the following API reviews

Language API Review for Package
TypeSpec KeyVault

heaths
heaths requested changes Oct 21, 2025
View reviewed changes
specification/keyvault/Security.KeyVault.EKM/client.tsp
/**
* The External Key Manager (EKM) Get operation returns EKM connection. This operation requires ekm/read permission.
*/
#suppress "@azure-tools/typespec-azure-core/use-standard-operations" "Foundations.Operation is necessary for Key Vault"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For older endpoints, yes. Why can't you use them for new endpoints? While it's important to maintain consistency within a service, you weren't far off from what standard operation bases provide in terms of endpoint construction. Did you even try?

chandanrr
chandanrr reviewed Oct 24, 2025
View reviewed changes
specification/keyvault/Security.KeyVault.EKM/models.tsp
*/
model EkmProxyInfo {
/**
* The highest supported proxy interface api version supported by the EKM proxy.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

duplicate word.. you can say "The highest version of proxy interface API supported by the EKM Proxy"

chandanrr
chandanrr reviewed Oct 24, 2025
View reviewed changes
specification/keyvault/Security.KeyVault.EKM/models.tsp
*/
model EkmConnection {
/**
* EKM proxy FQDM (Fully Qualified Domain Name). Only allowed characters are a-z, A-Z, 0-9, hyphen (-), dot (.), and colon (:).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FQDN

chandanrr
chandanrr reviewed Oct 24, 2025
View reviewed changes
.../keyvault/Security.KeyVault.EKM/examples/2026-01-01-preview/CreateEkmConnection-example.json
"host": "ekm-proxy.contoso.com",
"path_prefix": "/api/v1",
"server_ca_certificates": [
"MIIDXTCCAkWgAwIBAgIJAKJ5cT5dQnCuMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these valid DER format strings?
I tried wrapping them in a PEM headers (BEGIN/END CERTIFICATE), but couldn't open the resulting cer file.

chandanrr
chandanrr reviewed Oct 24, 2025
View reviewed changes
...n/keyvault/Security.KeyVault.EKM/examples/2026-01-01-preview/CheckEkmConnection-example.json
@@ -0,0 +1,19 @@
{
"parameters": {
"vaultBaseUrl": "https://myvault.vault.azure.net/",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use managed hsm base urls in these example files.

chandanrr
chandanrr reviewed Oct 24, 2025
View reviewed changes
.../keyvault/Security.KeyVault.EKM/examples/2026-01-01-preview/DeleteEkmConnection-example.json
"responses": {
"200": {
"body": {
"host": "ekm-proxy.contoso.com:8443",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove the port.. just to be consistent with the createekmconnection example.

chandanrr
chandanrr approved these changes Oct 24, 2025
View reviewed changes
Copy link
Member

@chandanrr chandanrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have left minor feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@heaths heaths heaths requested changes

@vickm vickm Awaiting requested review from vickm vickm is a code owner

@chen-karen chen-karen Awaiting requested review from chen-karen chen-karen is a code owner

@cheathamb36 cheathamb36 Awaiting requested review from cheathamb36 cheathamb36 is a code owner

@chlowell chlowell Awaiting requested review from chlowell chlowell is a code owner

+1 more reviewer

@chandanrr chandanrr chandanrr approved these changes

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

data-plane KeyVault TypeSpec Authored with TypeSpec

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vasanthrajams @heaths @chandanrr