The PowerShell script below adds a VMSS user-assigned managed identity to an Azure Key Vault access policy.
```powershell
# First, get the identity's object ID and application (client) ID from the managed identity name
$identity = Get-AzUserAssignedIdentity -ResourceGroupName "RGName" -Name "sample-vmssid"

# $identity.ClientId is the application ID and $identity.PrincipalId is the object ID.
# Run the command below, passing the permissions that should be granted on the Key Vault.
Set-AzKeyVaultAccessPolicy -ResourceGroupName "RGName" -VaultName "VaultName-kvt" `
    -ObjectId $identity.PrincipalId -ApplicationId $identity.ClientId `
    -PermissionsToKeys get,list,unwrapKey,wrapKey `
    -PermissionsToSecrets get `
    -PermissionsToCertificates get,list,delete,create

# That's it: the VMSS managed identity now appears in the Key Vault access policy.
```
You can do the same with the Azure CLI:

```bash
# Resolve the principal (object) ID of the identity attached to the scale set
spObjectID=$(az resource list -n vmss_name --query "[*].identity.principalId" --out tsv)

# Grant the permissions on the vault (the variable must be expanded with $)
az keyvault set-policy -n vaultname-kvt \
    --key-permissions get list wrapKey unwrapKey \
    --secret-permissions backup restore \
    --certificate-permissions get list delete create \
    --object-id "$spObjectID"
```
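The two commands above grant access but never confirm that the identity is actually bound to the scale set or that the policy took effect. The following PowerShell script is an added example (not from the original post) that does both, and grants only the key and secret permissions a workload typically needs rather than certificate delete/create. The resource group, identity, scale set and vault names are placeholders; the scale set name "sample-vmss" is assumed, as the post does not name one. It requires the Az.ManagedServiceIdentity, Az.Compute and Az.KeyVault modules and an authenticated session.

```powershell
# Added example, not the original post's code. Placeholder names are assumptions.
param(
    [string]$ResourceGroupName = "RGName",
    [string]$IdentityName      = "sample-vmssid",
    [string]$VmssName          = "sample-vmss",   # assumed scale set name
    [string]$VaultName         = "VaultName-kvt"
)

$ErrorActionPreference = "Stop"

# 1. Resolve the user-assigned identity. PrincipalId is the service principal object ID
#    that Key Vault access policies are keyed on; ClientId is the application (client) ID.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName

# 2. Confirm the identity is attached to the scale set. Otherwise the policy grants
#    access to a principal that no VMSS instance can obtain a token for.
$vmss = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VmssName
$attached = $vmss.Identity.UserAssignedIdentities.Keys | Where-Object { $_ -ieq $identity.Id }
if (-not $attached) {
    throw "Identity '$IdentityName' is not assigned to VMSS '$VmssName'; assign it before granting vault access."
}

# 3. Access policies are ignored on vaults that use Azure RBAC for data-plane authorization,
#    so warn instead of silently creating a policy that will never be evaluated.
$vault = Get-AzKeyVault -ResourceGroupName $ResourceGroupName -VaultName $VaultName
if ($vault.EnableRbacAuthorization) {
    Write-Warning "Vault '$VaultName' uses RBAC authorization; access policies have no effect here."
}

# 4. Grant the minimum the workload needs: read/list keys, wrap/unwrap, read secrets.
#    The policy is bound to the object ID alone (no -ApplicationId).
Set-AzKeyVaultAccessPolicy -ResourceGroupName $ResourceGroupName -VaultName $VaultName `
    -ObjectId $identity.PrincipalId `
    -PermissionsToKeys get,list,wrapKey,unwrapKey `
    -PermissionsToSecrets get

# 5. Read the policy back and verify the entry for this object ID exists.
$vault  = Get-AzKeyVault -ResourceGroupName $ResourceGroupName -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $identity.PrincipalId }
if (-not $policy) {
    throw "No access policy found for object ID $($identity.PrincipalId)"
}

# Summarize what was actually granted so it can be reviewed or logged.
[pscustomobject]@{
    Identity     = $identity.Name
    ObjectId     = $identity.PrincipalId
    Keys         = ($policy.PermissionsToKeys -join ",")
    Secrets      = ($policy.PermissionsToSecrets -join ",")
    Certificates = ($policy.PermissionsToCertificates -join ",")
}
```

Run it as a `.ps1` with the four parameters set for your environment; the final object is the evidence to keep alongside the change record, since it reflects the policy as stored on the vault rather than the parameters you passed in.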
**Always share your knowledge**