Showing posts with label Azure Key Vault. Show all posts
Showing posts with label Azure Key Vault. Show all posts

Tuesday, October 19, 2021

Azure Runbook to add VMMS ID to KeyVault access policy

#Comment: Make sure you are not using Application ID parameter while adding access policy as it will add the identity as on behalf of.

# PowerShell code

########################################################

# Parameters

########################################################

[CmdletBinding()]

param(

    [Parameter(Mandatory=$True,Position=0)]

    [string]$NPResourceGroupName,

 

    [Parameter(Mandatory=$True,Position=1)]

    [string]$NPWebVmssID,

 

    [Parameter(Mandatory=$True,Position=2)]

    [string]$NPEngVmssID,

 

    [Parameter(Mandatory=$False,Position=3)]

    [string]$NPPayVmssID,


    [Parameter(Mandatory=$False,Position=4)]

    [string]$NPMasterKeyvaultName,


    [Parameter(Mandatory=$False,Position=5)]

    [string]$NPWebKeyvaultName

)

 

# Keep track of time

$StartDate=(GET-DATE)

 

 

 

########################################################

# Log in to Azure with AZ (standard code)

########################################################

Write-Verbose -Message 'Connecting to Azure'

  

# Name of the Azure Run As connection

$ConnectionName = 'AzureRunAsConnection'

try

{

    # Get the connection properties

    $ServicePrincipalConnection = Get-AutomationConnection -Name $ConnectionName      

   

    'Log in to Azure...'

    $null = Connect-AzAccount `

        -ServicePrincipal `

        -TenantId $ServicePrincipalConnection.TenantId `

        -ApplicationId $ServicePrincipalConnection.ApplicationId `

        -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint 

}

catch 

{

    if (!$ServicePrincipalConnection)

    {

        # You forgot to turn on 'Create Azure Run As account' 

        $ErrorMessage = "Connection $ConnectionName not found."

        throw $ErrorMessage

    }

    else

    {

        # Something else went wrong

        Write-Error -Message $_.Exception.Message

        throw $_.Exception

    }

}


try

{


#Adding to master keyvault

Write-Verbose -Message 'Adding to master keyvault'


# Web vmss

$identityWeb = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPWebVmssID


Write-Verbose -Message 'Adding webvmssid'

'Adding webvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPMasterKeyvaultName -ObjectId $identityWeb.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


# Eng vmss

$identityEng = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPEngVmssID


Write-Verbose -Message 'Adding engvmssid'

'Adding engvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPMasterKeyvaultName -ObjectId $identityEng.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


# Pay vmss

$identityPay = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPPayVmssID


Write-Verbose -Message 'Adding payvmssid'

'Adding payvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPMasterKeyvaultName -ObjectId $identityPay.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


#Adding to web keyvault

Write-Verbose -Message 'Adding to master keyvault'


# Web vmss

#$identityWeb = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPWebVmssID


Write-Verbose -Message 'Adding webvmssid'

'Adding webvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPWebKeyvaultName -ObjectId $identityWeb.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


# Eng vmss

#$identityEng = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPEngVmssID


Write-Verbose -Message 'Adding engvmssid'

'Adding engvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPWebKeyvaultName -ObjectId $identityEng.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


# Pay vmss

#$identityPay = Get-AzUserAssignedIdentity -ResourceGroupName $NPResourceGroupName -Name $NPPayVmssID


Write-Verbose -Message 'Adding payvmssid'

'Adding payvmssid'

Set-AzKeyVaultAccessPolicy `

 -ResourceGroupName $NPResourceGroupName -VaultName $NPWebKeyvaultName -ObjectId $identityPay.PrincipalId `

 -PermissionsToKeys get,list,unwrapKey,wrapKey `

 -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create -BypassObjectIdValidation


}

catch 

{

    Write-Error -Message $_.Exception.Message

    throw $_.Exception

}

Posted by at No comments:
Labels: , , ,

Tuesday, September 14, 2021

Add Virtual Machine Scale Set (VMSS) Managed Identity to Azure Key Vault Access Policy- Powershell

 The below Powershell script will help you to add VMSS managed identity to Azure Key vault access policy.

#First, Get the identity Object ID and application Id based on the managed identity name

$identity = Get-AzUserAssignedIdentity -ResourceGroupName "RGName" -Name "sample-vmssid"


# $identity.ClienId is the Application ID and $identity.PrincipalID is the Object ID. You can run the below command by passing parameters and permissions required to be set to the Key vault

Set-AzKeyVaultAccessPolicy -ResourceGroupName "RGName" -VaultName "VaultName-kvt" -ObjectId $identity.PrincipalId -ApplicationId $identity.ClientId -PermissionsToKeys get,list,unwrapKey,wrapKey -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create


#Thats it and you can see the vmss managed identity in the access policy for key vault.


#You can do the above using Azure CLI as well like below

spObjectID=$(az resource list -n vmss_name --query [*].identity.principalId --out tsv)

az keyvault set-policy -n vaultname-kvt --key-permissions get list wrapKey unwrapKey --secret-permissions backup restore --certificate-permissions get list delete create --object-id spObjectID


**Always share your knowledge**

Posted by at No comments:
Labels: , ,

Monday, September 6, 2021

Backup objects into another vault in another subscription

 How to: Backup objects into another vault in another subscription

In this section, I'm getting the secret values and saving them into another vault directly. We want to do this without touching any disk files.

With this approach, we're simply fetching all secrets from Vault1 in Subscription1, and saving them to Vault2 in Subscription2. However, remember that the secrets we fetch now are not encrypted to your subscription, hence it's not a good idea to persist them in memory, sessions or disk. Here I'm not saving it to any variables.

Make sure you have installed Azure CLI for windows in order to run the below script.


Param(

    [parameter(mandatory)] [string] $sourceVaultName,

    [parameter(mandatory)] [string] $sourceSubscriptionId,

    [parameter(mandatory)] [string] $destinationVaultName,

    [parameter(mandatory)] [string] $destinationSubscriptionId,

    [string] $destinationSecretsDisable = $true

)


# 1. Set the source subscription id. 

Write-Host "Setting origin subscription to: $($sourceSubscriptionId)..."

az account set -s $sourceSubscriptionId


# 1.1 Get all secrets

Write-Host "Listing all origin secrets from vault: $($sourceVaultName)"

$originSecretKeys = az keyvault secret list --vault-name $sourceVaultName  -o json --query "[].name"  | ConvertFrom-Json


# 1.3 Loop the secrets, and push the value to the destination vault without instantiating new variables.

$originSecretKeys | ForEach-Object {

    $secretName = $_

    Write-Host " - Getting '$($secretName)' from origin, and setting in destination..."

    az keyvault secret set --name $secretName --vault-name $destinationVaultName -o none --value(az keyvault secret show --name $secretName --vault-name $sourceVaultName -o json --query "value")

}


Write-Host "Secrets restored."


You can call the above script as mentioned below

.\CopySecretsToAnotherVault.ps1 -originVault "vault1-name" -originSubscriptionId "SUBSCRIPTION GUID" -destinationVault "vault2-name" -destinationSubscriptionId "SUBSCRIPTION GUID"

Posted by at No comments:
Labels: ,

Passing Keyvault certificates to Virtual Machine deployment using ARM template

 

Referencing certificate from keyvault in an ARM template

You need to make sure all parameters are passed

"virtualMachineProfile": {
          "osProfile": {
            "computerNamePrefix""[variables('compnamepref')]",
            "adminUsername""[variables('adminUPN')]",
            "adminPassword""[variables('adminpswd')]",
            "windowsConfiguration": {
              "provisionVMAgent"true,
              "enableAutomaticUpdates"false
            },
            "secrets": [
              {
                "sourceVault": {
                  "id""[resourceId(parameters('RG'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
                },
                "vaultCertificates": [
                  {
                    "certificateUrl""[parameters('Cert1')]",
                    "certificateStore""My"
                  },
                  {
                    "certificateUrl""[parameters('Cert2')]",
                    "certificateStore""My"
                  }
                ]
              }
            ]
Posted by at No comments:
Labels: , ,
Subscribe to: Posts (Atom)