Tuesday, October 19, 2021

Azure Runbook to add VMMS ID to KeyVault access policy

#Comment: Make sure you are not using Application ID parameter while adding access policy as it will add the identity as on behalf of.

# PowerShell code

########################################################

# Parameters

########################################################

[CmdletBinding()]

param(

    [Parameter(Mandatory=$True,Position=0)]

    [string]$NPResourceGroupName,

 

    [Parameter(Mandatory=$True,Position=1)]

    [string]$NPWebVmssID,

 

    [Parameter(Mandatory=$True,Position=2)]

    [string]$NPEngVmssID,

 

    [Parameter(Mandatory=$False,Position=3)]

    [string]$NPPayVmssID,


    [Parameter(Mandatory=$False,Position=4)]

    [string]$NPMasterKeyvaultName,


    [Parameter(Mandatory=$False,Position=5)]

    [string]$NPWebKeyvaultName

)

 

# Keep track of time

$StartDate=(GET-DATE)

 

 

 

########################################################

# Log in to Azure with AZ (standard code)

########################################################

Write-Verbose -Message 'Connecting to Azure'

  

# Name of the Azure Run As connection

$ConnectionName = 'AzureRunAsConnection'

try

{

    # Get the connection properties

    $ServicePrincipalConnection = Get-AutomationConnection -Name $ConnectionName      

   

    'Log in to Azure...'

    $null = Connect-AzAccount `

        -ServicePrincipal `

        -TenantId $ServicePrincipalConnection.TenantId `

        -ApplicationId $ServicePrincipalConnection.ApplicationId `

        -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint 

}

catch 

{

    if (!$ServicePrincipalConnection)

    {

        # You forgot to turn on 'Create Azure Run As account' 

        $ErrorMessage = "Connection $ConnectionName not found."

        throw $ErrorMessage

    }

    else

    {

        # Something else went wrong

        Write-Error -Message $_.Exception.Message

        throw $_.Exception

    }

}


try

{


#Adding to master keyvault

Write-Verbose -Message 'Adding to master keyvault'


# Web vmss

$identityWeb = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPWebVmssID


Write-Verbose -Message 'Adding webvmssid'

'Adding webvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPMasterKeyvaultName -ObjectId $identityWeb.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


# Eng vmss

$identityEng = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPEngVmssID


Write-Verbose -Message 'Adding engvmssid'

'Adding engvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPMasterKeyvaultName -ObjectId $identityEng.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


# Pay vmss

$identityPay = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPPayVmssID


Write-Verbose -Message 'Adding payvmssid'

'Adding payvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPMasterKeyvaultName -ObjectId $identityPay.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


#Adding to web keyvault

Write-Verbose -Message 'Adding to master keyvault'


# Web vmss

#$identityWeb = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPWebVmssID


Write-Verbose -Message 'Adding webvmssid'

'Adding webvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPWebKeyvaultName -ObjectId $identityWeb.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


# Eng vmss

#$identityEng = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPEngVmssID


Write-Verbose -Message 'Adding engvmssid'

'Adding engvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPWebKeyvaultName -ObjectId $identityEng.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


# Pay vmss

#$identityPay = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPPayVmssID


Write-Verbose -Message 'Adding payvmssid'

'Adding payvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPWebKeyvaultName -ObjectId $identityPay.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


}

catch 

{

    Write-Error -Message $_.Exception.Message

    throw $_.Exception

}

No comments:

Post a Comment