Your GKE on Azure
service principal with
permissions to manage the Azure Key Vault authorization and encrypt data
with the provided key.
The easiest way to grant these permissions is to assign the
Key Vault Crypto Officer and User Access AdministratorAzure built-in roles
to the service principal.
Bring your own key
To bring your own key, perform the following steps:
Save your Azure Key Vault key ID into an environment variable.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Bring your own key from a hardware security module\n==================================================\n\nThis topic explains how you can use your own Azure Key Vault hardware security\nmodule (HSM) key for at-rest encryption on GKE on Azure.\n\nBefore you begin\n----------------\n\nBefore performing these steps, ensure that you're familiar with the\n[Security](/kubernetes-engine/multi-cloud/docs/azure/concepts/security) architecture of GKE on Azure.\n\nTo perform these steps, you must have the following:\n\n- An [Azure-supported HSM](https://docs.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys#supported-hsms)\n\n- An Azure Key Vault with the\n [Azure role-based access control](https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide)\n permission model.\n\n- An\n [HSM-protected key imported into Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-byok)\n\n- Your GKE on Azure\n [service principal](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-ad-application) with\n permissions to manage the Azure Key Vault authorization and encrypt data\n with the provided key.\n\n The easiest way to grant these permissions is to assign the\n `Key Vault Crypto Officer` and `User Access Administrator`\n [Azure built-in roles](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)\n to the service principal.\n\n### Bring your own key\n\nTo bring your own key, perform the following steps:\n\n1. Save your Azure Key Vault key ID into an environment variable.\n\n export KEY_VAULT_ID=\"$(az keyvault show --name ${KEY_VAULT_NAME} \\\n --resource-group ${RESOURCE_GROUP} --query id -otsv)\"\n export KEY_VAULT_KEY_ID=\"${KEY_VAULT_ID}/keys/${KEY_NAME}\"\n\n2. Pass the key's IDs in the\n [`--config-encryption-key-id`](/sdk/gcloud/reference/container/azure/clusters/create#--config-encryption-key-id)\n parameter when you [Create a cluster](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-cluster).\n\n gcloud container azure clusters create \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e \\\n --config-encryption-key-id ${KEY_VAULT_KEY_ID} \\\n ...\n\n3. Continue with the steps in\n [Create a cluster](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-cluster).\n\nWhat's next\n-----------\n\nSee [About keys](https://docs.microsoft.com/azure/key-vault/keys/about-keys)\nin the Azure documentation."]]
