
Tuesday, October 19, 2021

Azure Runbook to add VMMS ID to KeyVault access policy

#Comment: Make sure you are not passing the Application ID parameter when adding the access policy, as that adds the identity as an on-behalf-of entry rather than granting the identity itself.

# PowerShell code

########################################################

# Parameters

########################################################

<#
.SYNOPSIS
Adds the managed identities of up to three VMSS to the access policies of the master and web Key Vaults.

.PARAMETER NPResourceGroupName
Resource group that holds both the user-assigned identities and the Key Vaults.

.PARAMETER NPWebVmssID
Name of the web VMSS user-assigned identity (the identity's name, not its resource id). Required.

.PARAMETER NPEngVmssID
Name of the eng VMSS user-assigned identity. Required.

.PARAMETER NPPayVmssID
Name of the pay VMSS user-assigned identity. Optional.

.PARAMETER NPMasterKeyvaultName
Name of the master Key Vault whose access policy is updated. Optional.

.PARAMETER NPWebKeyvaultName
Name of the web Key Vault whose access policy is updated. Optional.
#>
[CmdletBinding()]
param(
    # Resource group containing the identities and the vaults
    [Parameter(Mandatory, Position = 0)]
    [string]$NPResourceGroupName,

    # User-assigned identity names (looked up with Get-AzUserAssignedIdentity -Name)
    [Parameter(Mandatory, Position = 1)]
    [string]$NPWebVmssID,

    [Parameter(Mandatory, Position = 2)]
    [string]$NPEngVmssID,

    [Parameter(Position = 3)]
    [string]$NPPayVmssID,

    # Target vaults; both are optional parameters
    [Parameter(Position = 4)]
    [string]$NPMasterKeyvaultName,

    [Parameter(Position = 5)]
    [string]$NPWebKeyvaultName
)

 

# Record when the runbook started.
# NOTE(review): $StartDate is not read anywhere in the visible script — presumably
# intended for run-duration logging; confirm or drop it.
$StartDate = Get-Date

 

 

 

########################################################

# Log in to Azure with AZ (standard code)

########################################################

Write-Verbose -Message 'Connecting to Azure'

# Name of the Run As connection asset in the Automation account.
# NOTE(review): Azure Automation Run As accounts have since been retired by Microsoft
# in favour of the Automation account's managed identity (Connect-AzAccount -Identity);
# confirm this authentication path is still available for the account running this runbook.
$ConnectionName = 'AzureRunAsConnection'

try
{
    # Tenant, application id and certificate thumbprint come from the connection asset
    $RunAsConnection = Get-AutomationConnection -Name $ConnectionName

    'Log in to Azure...'

    # Certificate-based service-principal sign-in; the returned context object is discarded
    $loginArgs = @{
        ServicePrincipal      = $True
        TenantId              = $RunAsConnection.TenantId
        ApplicationId         = $RunAsConnection.ApplicationId
        CertificateThumbprint = $RunAsConnection.CertificateThumbprint
    }
    $null = Connect-AzAccount @loginArgs
}
catch
{
    if (-not $RunAsConnection)
    {
        # The connection asset does not exist: 'Create Azure Run As account' was never enabled
        throw "Connection $ConnectionName not found."
    }

    # Any other sign-in failure: surface it and abort the runbook
    Write-Error -Message $_.Exception.Message
    throw $_.Exception
}


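########################################################
# Grant the VMSS managed identities access to the Key Vaults
########################################################

# Permission set granted to every VMSS identity on every vault.
# NOTE(review): delete/create on certificates is broad for a workload identity;
# confirm each VMSS really needs more than get/list before keeping it.
$VmssVaultPermissions = @{
    PermissionsToKeys         = @('get', 'list', 'unwrapKey', 'wrapKey')
    PermissionsToSecrets      = @('get')
    PermissionsToCertificates = @('get', 'list', 'delete', 'create')
}

function Grant-VmssVaultAccess
{
    <#
    .SYNOPSIS
    Adds one managed-identity object id to one Key Vault access policy.

    .PARAMETER ResourceGroupName
    Resource group of the vault.

    .PARAMETER VaultName
    Key Vault whose access policy is updated.

    .PARAMETER ObjectId
    PrincipalId of the user-assigned identity (not its ClientId / application id).

    .PARAMETER Label
    Short name used in the progress messages, e.g. 'webvmssid'.
    #>
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$VaultName,
        [Parameter(Mandatory)] [string]$ObjectId,
        [Parameter(Mandatory)] [string]$Label
    )

    Write-Verbose -Message "Adding $Label"
    "Adding $Label"

    # -BypassObjectIdValidation skips the directory lookup of the object id, so the
    # cmdlet cannot catch a wrong or stale id; callers pass a PrincipalId they have
    # just resolved. Only -ObjectId is passed on purpose: adding -ApplicationId as
    # well would create an on-behalf-of (compound) entry instead of granting the
    # identity itself.
    $policyArgs = @{
        ResourceGroupName        = $ResourceGroupName
        VaultName                = $VaultName
        ObjectId                 = $ObjectId
        BypassObjectIdValidation = $True
    } + $script:VmssVaultPermissions
    Set-AzKeyVaultAccessPolicy @policyArgs
}

try
{
    # Resolve each VMSS identity once; the same object ids are granted on every vault.
    # Only $NPPayVmssID is an optional parameter, so in practice only the pay entry
    # can be skipped here.
    $identities = @()
    foreach ($entry in @(
            @{ Label = 'webvmssid'; Name = $NPWebVmssID }
            @{ Label = 'engvmssid'; Name = $NPEngVmssID }
            @{ Label = 'payvmssid'; Name = $NPPayVmssID }
        ))
    {
        if ([string]::IsNullOrWhiteSpace($entry.Name))
        {
            Write-Warning -Message "No identity name given for $($entry.Label); skipping it."
            continue
        }

        $identity = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $entry.Name

        # Fail here rather than letting an empty id reach Set-AzKeyVaultAccessPolicy,
        # whose object-id validation is bypassed.
        if ([string]::IsNullOrWhiteSpace($identity.PrincipalId))
        {
            throw "Identity '$($entry.Name)' ($($entry.Label)) has no PrincipalId."
        }
        $identities += @{ Label = $entry.Label; ObjectId = $identity.PrincipalId }
    }

    # Both vault names are optional parameters; a missing one is skipped with a
    # warning instead of failing inside the cmdlet. Order matches the original:
    # master vault first, then web vault, each with web, eng, pay.
    foreach ($vault in @(
            @{ Label = 'master keyvault'; Name = $NPMasterKeyvaultName }
            @{ Label = 'web keyvault';    Name = $NPWebKeyvaultName }
        ))
    {
        if ([string]::IsNullOrWhiteSpace($vault.Name))
        {
            Write-Warning -Message "No name given for the $($vault.Label); skipping it."
            continue
        }

        # Report the vault actually being updated (the web vault was previously
        # logged as 'master keyvault' by a copy-pasted message).
        Write-Verbose -Message "Adding to $($vault.Label)"

        foreach ($id in $identities)
        {
            Grant-VmssVaultAccess -ResourceGroupName $NPResourceGroupName -VaultName $vault.Name `
                -ObjectId $id.ObjectId -Label $id.Label
        }
    }
}
catch
{
    Write-Error -Message $_.Exception.Message
    throw $_.Exception
}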

Tuesday, September 14, 2021

Add Virtual Machine Scale Set (VMSS) Managed Identity to Azure Key Vault Access Policy- Powershell

 The PowerShell script below adds a VMSS managed identity to an Azure Key Vault access policy.

#First, Get the identity Object ID and application Id based on the managed identity name

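$identity = Get-AzUserAssignedIdentity -ResourceGroupName "RGName" -Name "sample-vmssid"

# Without a PrincipalId there is nothing to grant; stop instead of writing an empty policy entry.
if (-not $identity.PrincipalId)
{
    throw "No PrincipalId found for identity 'sample-vmssid' in resource group 'RGName'."
}

# $identity.ClientId is the Application ID and $identity.PrincipalId is the Object ID.
# Grant by -ObjectId only: passing -ApplicationId as well creates an on-behalf-of
# (compound) entry, which does not match the managed identity signing in on its own.
# Adjust the permission lists to what the workload actually needs.
Set-AzKeyVaultAccessPolicy -ResourceGroupName "RGName" -VaultName "VaultName-kvt" -ObjectId $identity.PrincipalId -PermissionsToKeys get,list,unwrapKey,wrapKey -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create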


#That's it — you can now see the VMSS managed identity in the Key Vault's access policy.


#You can do the above using Azure CLI as well like below

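# Look up the principal (object) id of the VMSS managed identity.
# The JMESPath query is quoted so the shell cannot glob-expand '[*]', and the lookup
# is restricted to scale sets so a same-named resource of another type is not picked
# up. Add -g <resource-group> if the name is not unique in the subscription.
spObjectID=$(az resource list -n vmss_name \
  --resource-type Microsoft.Compute/virtualMachineScaleSets \
  --query '[*].identity.principalId' --out tsv)

# An empty id would make the set-policy call fail; stop early with a clear message.
[ -n "$spObjectID" ] || { printf '%s\n' "no principalId found for vmss_name" >&2; exit 1; }

# --object-id must receive the expanded variable ("$spObjectID"), not the literal name.
# NOTE: the secret permissions here (backup, restore) differ from the PowerShell
# example above (get); align them to what the workload actually needs.
az keyvault set-policy -n vaultname-kvt \
  --key-permissions get list wrapKey unwrapKey \
  --secret-permissions backup restore \
  --certificate-permissions get list delete create \
  --object-id "$spObjectID"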


**Always share your knowledge**