# Note: do not pass the ApplicationId parameter when adding the access policy; doing so adds the identity as an on-behalf-of entry rather than as the identity itself.
# PowerShell code
########################################################
# Parameters
########################################################
[CmdletBinding()]
param(
    # Resource group that holds the user-assigned identities and the key vaults.
    [Parameter(Mandatory = $true, Position = 0)]
    [string]$NPResourceGroupName,

    # Passed to Get-AzUserAssignedIdentity -Name for the web VMSS identity.
    [Parameter(Mandatory = $true, Position = 1)]
    [string]$NPWebVmssID,

    # Passed to Get-AzUserAssignedIdentity -Name for the eng VMSS identity.
    [Parameter(Mandatory = $true, Position = 2)]
    [string]$NPEngVmssID,

    # Optional: passed to Get-AzUserAssignedIdentity -Name for the pay VMSS identity.
    [Parameter(Mandatory = $false, Position = 3)]
    [string]$NPPayVmssID,

    # Optional: name of the master key vault that receives the access policies.
    [Parameter(Mandatory = $false, Position = 4)]
    [string]$NPMasterKeyvaultName,

    # Optional: name of the web key vault that receives the access policies.
    [Parameter(Mandatory = $false, Position = 5)]
    [string]$NPWebKeyvaultName
)
# Keep track of time
# Script start time, captured for elapsed-time reporting; nothing in the visible script reads it.
$StartDate = Get-Date
########################################################
# Log in to Azure with AZ (standard code)
########################################################
Write-Verbose -Message 'Connecting to Azure'
# Name of the Run As connection asset in the Automation account.
# NOTE(review): Azure Automation Run As accounts have been retired in favour of
# managed identities (Connect-AzAccount -Identity); worth migrating when convenient.
$ConnectionName = 'AzureRunAsConnection'
try
{
    # Pull the service-principal details (tenant, app id, certificate thumbprint)
    # from the connection asset; this throws if the asset does not exist.
    $ServicePrincipalConnection = Get-AutomationConnection -Name $ConnectionName
    'Log in to Azure...'
    # Certificate-based service-principal sign-in; the account object is discarded.
    $connectArgs = @{
        ServicePrincipal      = $true
        TenantId              = $ServicePrincipalConnection.TenantId
        ApplicationId         = $ServicePrincipalConnection.ApplicationId
        CertificateThumbprint = $ServicePrincipalConnection.CertificateThumbprint
    }
    $null = Connect-AzAccount @connectArgs
}
catch
{
    if (-not $ServicePrincipalConnection)
    {
        # The connection asset was never retrieved: 'Create Azure Run As account'
        # was not enabled for this Automation account.
        throw "Connection $ConnectionName not found."
    }
    # Any other sign-in failure: surface it in the job output, then fail the runbook.
    Write-Error -Message $PSItem.Exception.Message
    throw $PSItem.Exception
}
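########################################################
# Grant the VMSS identities access to the key vaults
########################################################

#######################################
# Grant one principal the standard VMSS policy on one vault.
# -BypassObjectIdValidation (kept from the original) tells the cmdlet not to
# verify the object id in Azure AD, so an empty or missing PrincipalId is
# rejected here instead of being written into the vault ACL unchecked.
# Arguments:
#   ResourceGroupName - resource group of the vault
#   VaultName         - target key vault
#   PrincipalId       - object id of the user-assigned identity
#   Label             - short name used in the log output (e.g. 'webvmssid')
# Outputs:  writes "Adding <Label>" to the pipeline (runbook job output)
# Raises:   terminating error when PrincipalId is empty or the cmdlet fails
#######################################
function Grant-VmssKeyVaultAccess {
    param(
        [Parameter(Mandatory = $true)][string]$ResourceGroupName,
        [Parameter(Mandatory = $true)][string]$VaultName,
        [string]$PrincipalId = '',
        [Parameter(Mandatory = $true)][string]$Label
    )
    if ([string]::IsNullOrWhiteSpace($PrincipalId)) {
        throw "No PrincipalId resolved for $Label; refusing to add an unvalidated access policy to $VaultName."
    }
    Write-Verbose -Message "Adding $Label"
    "Adding $Label"
    # Same permission set the original granted to every identity on every vault.
    # NOTE(review): certificates delete/create and keys wrapKey/unwrapKey are
    # write-capable rights; confirm each VMSS workload needs them (least privilege).
    $policy = @{
        ResourceGroupName         = $ResourceGroupName
        VaultName                 = $VaultName
        ObjectId                  = $PrincipalId
        PermissionsToKeys         = @('get', 'list', 'unwrapKey', 'wrapKey')
        PermissionsToSecrets      = @('get')
        PermissionsToCertificates = @('get', 'list', 'delete', 'create')
        BypassObjectIdValidation  = $true
    }
    Set-AzKeyVaultAccessPolicy @policy
}

try
{
    # Resolve each user-assigned identity once; the same principal ids are applied to both vaults.
    # NOTE(review): the NP*VmssID parameters are passed as -Name, i.e. the identity's resource
    # name rather than a VMSS resource id — confirm that is what callers supply.
    $identityWeb = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPWebVmssID
    $identityEng = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPEngVmssID
    $principals = @(
        @{ Label = 'webvmssid'; PrincipalId = $identityWeb.PrincipalId }
        @{ Label = 'engvmssid'; PrincipalId = $identityEng.PrincipalId }
    )

    # NPPayVmssID is declared optional, so only look it up (and grant it) when supplied;
    # the original called Get-AzUserAssignedIdentity with an empty -Name and failed.
    if ([string]::IsNullOrWhiteSpace($NPPayVmssID)) {
        Write-Warning -Message 'NPPayVmssID not supplied; no access policy will be added for the pay VMSS.'
    }
    else {
        $identityPay = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPPayVmssID
        $principals += @{ Label = 'payvmssid'; PrincipalId = $identityPay.PrincipalId }
    }

    # Both vault names are optional parameters; an empty one is skipped with a warning
    # rather than failing the run, so a single-vault invocation still completes.
    # Order matches the original: master vault first, then web vault; web, eng, pay within each.
    $vaults = @(
        @{ Label = 'master keyvault'; Name = $NPMasterKeyvaultName }
        @{ Label = 'web keyvault';    Name = $NPWebKeyvaultName }
    )
    foreach ($vault in $vaults) {
        if ([string]::IsNullOrWhiteSpace($vault.Name)) {
            Write-Warning -Message "No name supplied for the $($vault.Label); skipping it."
            continue
        }
        # The original logged 'Adding to master keyvault' for both vaults; the label is now per vault.
        Write-Verbose -Message "Adding to $($vault.Label)"
        foreach ($principal in $principals) {
            Grant-VmssKeyVaultAccess -ResourceGroupName $NPResourceGroupName -VaultName $vault.Name `
                -PrincipalId $principal.PrincipalId -Label $principal.Label
        }
    }
}
catch
{
    # Surface the failure in the job output, then fail the runbook.
    Write-Error -Message $_.Exception.Message
    throw $_.Exception
}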