Support changes for ConfidentialVMv2

[linuxelf001]

Preconditions

• No need to upgrade Python SDK or the Python SDK is ready.

Related command

az disk create
az disk grant-access

Resource Provider

Microsoft.Compute/disks, Microsoft.Compute/snapshots

Description of Feature or Work Requested

Feature request to add output value, new parameter for following commands to support Confidential VM OS Disks

az disk create
az disk grant-access

Feature request is to provide customers with Confidential VM disk management:

Import managed OS disk for Confidential VM with an additional attribute in the request - securityMetadataUri
Export managed OS disk for Confidential VM returns an additional attribute in the response - securityMetadataAccessSAS

1. az disk create

   New Parameter
   --security-metadata-uri
   New string parameter --security-metadata-uri for command az disk create:

   Allows customer to pass Blob URI for VM Metadata VHD.
   When specified, the command should interpret that disk will be imported from un-managed VHD in storage account or another managed disk for Confidential VM OS Disk Security Type.
   This is the URI of a blob to be imported into VM metadata.

2. az disk grant-access

   Output would show additional securityMetadataAccessSAS in response.

Examples:

1. Secure Import of Confidential VM OS Disk
   Create disk with --security-metadata-uri parameter:

   az disk create -n $diskName -g $resourceGroup
   -l $location --os-type Windows --hyper-v-generation V2
   --security-type "ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey"
   --source $sourceDiskVhdUri --security-data-uri $guestStateDiskVhdUri --security-metadata-uri $metadataDiskVhdUri \
   --sku standard_lrs

2. Export of Confidential VM OS Disk

   Grant access to generate accessSas, securityDataAccessSAS, securityMetadataAccessSAS using --secure-vm-guest-state-sas parameter

   diskSas = $(az disk grant-access -n $diskName -g $resourceGroupName
   --access-level Write --duration-in-seconds 86400
   --secure-vm-guest-state-sas)

   Returned value schema:

    {
       "accessSas": "https://md-impexp-t0rdsfgsdfg4.blob.core.windows.net/w2c3mj0ksfgl/abcd?sv=2017-04-17&sr=b&si=600a9281-d39e-4cc3-91d2-923c4a696537&sig=xXaT6mFgf139ycT87CADyFxb%2BnPXBElYirYRlbnJZbs%3D",
        "securityDataAccessSAS": "VM Guest State Sas URI"
        "securityMetadataAccessSAS": "VM Metadata Sas URI"
      }
   

Minimum API Version Required

2025-01-02

Swagger PR link / SDK link

Azure/azure-rest-api-specs#35011

Request Example

No response

Target Date

2025-09-02

PM Contact

raginjup, geg, runcai

Engineer Contact

aayushkher, raharwadekar

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Trusted Launch CLI Change Request - VM Disk Snapshot & Config #22275
• Confidential Compute CLI Change Request - VM OS Disk / Disk Encryption Set Create #22200

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

I suggest that users use --secure-vm-guest-state-sas to indicate query securityDataAccessSAS instead of --secure-vm-guest-state-sas True, because there is no case for --secure-vm-guest-state-sas False, so the user's input should be simplified.

Reference:

• Trusted Launch CLI Change Request - VM Disk Snapshot & Config #22275 (comment)

Solution 2:

CLI will query disk resources created using az disk create command and if --for-upload is set to secureOsUpload then --secure-vm-guest-state-sas switch will be auto-added in az disk grant-access command. Additionally, --for-upload parameter will continue to support true as alias for nonSecureOsUpload with warning message that true will be deprecated in future and preferably with link where end users can read about difference between secureOsUpload and nonSecureOsUpload.

Reference:

• Trusted Launch CLI Change Request - VM Disk Snapshot & Config #22275 (comment)

Solution 3:

For parameter --secure-vm-guest-state-sas, if we can publish example in docs on how to use the returned VM Guest State SAS URL for uploading disk with security data, that'll be helpful.

Reference:

• Trusted Launch CLI Change Request - VM Disk Snapshot & Config #22275 (comment)

Powered by issue-sentinel