How to back up and restore an Azure Key Vault, including keys, secrets and certificates along with RBAC?
One way is to use PowerShell or the CLI to achieve this, after you have done an az login.
Keys
Use the Export-AzKeyVaultKey and Import-AzKeyVaultKey commands in Azure PowerShell, or the az keyvault key export and az keyvault key import commands in Azure CLI, to export and import keys and secrets.
Certs
Use the Export-AzKeyVaultCertificate and Import-AzKeyVaultCertificate commands in Azure PowerShell, or the az keyvault certificate export and az keyvault certificate import commands in Azure CLI.
RBAC policies
Use the Get-AzKeyVaultAccessPolicy and Set-AzKeyVaultAccessPolicy commands in Azure PowerShell, or the az keyvault show and az keyvault set-policy commands in Azure CLI.
CLI example of how to export the keys, certs and RBAC policies to local files:
# Authenticate to Azure
az login
# Back up keys, secrets, and certificates from the key vault.
# az keyvault has no "export" subcommand; "backup" writes an encrypted blob that can only be
# restored into a vault in the same Azure subscription and geography.
keyVaultName="<key-vault-name>"
exportFolderPath="<export-folder-path>"
az keyvault key backup --name "<key-name>" --vault-name "$keyVaultName" --file "$exportFolderPath/key.json"
az keyvault secret backup --name "<secret-name>" --vault-name "$keyVaultName" --file "$exportFolderPath/secret.json"
az keyvault certificate backup --name "<certificate-name>" --vault-name "$keyVaultName" --file "$exportFolderPath/certificate.json"
# Export the access policies from the key vault. The shell cannot index JSON with
# $var.properties.accessPolicies, so let the CLI filter the output with --query instead.
az keyvault show --name "$keyVaultName" --query properties.accessPolicies -o json > "$exportFolderPath/access-policies.json"
If you want to restore those from the local files to another key vault, this is the CLI way to do it:
az keyvault key restore --vault-name "$keyVaultName" --file "$exportFolderPath/key.json"
az keyvault secret restore --vault-name "$keyVaultName" --file "$exportFolderPath/secret.json"
az keyvault certificate restore --vault-name "$keyVaultName" --file "$exportFolderPath/certificate.json"
# az keyvault set-policy has no --access-policies flag and grants one principal per call, so replay
# each exported entry (needs jq; empty permission classes are skipped since each flag needs a value)
jq -c '.[]' "$exportFolderPath/access-policies.json" | while read -r policy; do
  objectId=$(printf '%s' "$policy" | jq -r '.objectId')
  permArgs=$(printf '%s' "$policy" | jq -r '[(.permissions.keys // [] | select(length > 0) | "--key-permissions " + join(" ")), (.permissions.secrets // [] | select(length > 0) | "--secret-permissions " + join(" ")), (.permissions.certificates // [] | select(length > 0) | "--certificate-permissions " + join(" "))] | join(" ")')
  az keyvault set-policy --name "$keyVaultName" --object-id "$objectId" $permArgs </dev/null
done
To back up and restore an entire key vault:
Backup-AzKeyVault -VaultName <vault_name> -FilePath <file_path>
Restore-AzKeyVault -VaultName <vault_name> -FilePath <file_path>
https://learn.microsoft.com/en-us/powershell/module/az.keyvault/backup-azkeyvault?view=azps-9.2.0
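The CLI exports access policies as a JSON array, and az keyvault set-policy grants a single principal per call, so replaying an export onto another vault needs a loop and a check afterwards. The following Python script is an added example (not part of Ricky Gummadi's answer or any Microsoft tool): it plans the set-policy calls from an exported file, compares a fresh export of the restored vault against the source to confirm nothing was dropped, and flags principals holding all/purge/delete permissions so they can be reviewed rather than copied blindly. The target vault name and the sample export embedded in it are constructed; the field names (objectId, tenantId, permissions.keys/secrets/certificates/storage) are those az keyvault show prints.

```python
import json
import subprocess

# Constructed sample, shaped like the output of
#   az keyvault show --name <vault> --query properties.accessPolicies -o json
SAMPLE_EXPORT = json.dumps([
    {"objectId": "11111111-1111-1111-1111-111111111111",
     "tenantId": "00000000-0000-0000-0000-000000000000",
     "permissions": {"keys": ["get", "list"], "secrets": ["get"],
                     "certificates": None, "storage": None}},
    {"objectId": "22222222-2222-2222-2222-222222222222",
     "tenantId": "00000000-0000-0000-0000-000000000000",
     "permissions": {"keys": ["all"], "secrets": ["all"],
                     "certificates": ["all"], "storage": None}},
])

# Permission classes and the az keyvault set-policy flag that grants each one.
FLAGS = {
    "keys": "--key-permissions",
    "secrets": "--secret-permissions",
    "certificates": "--certificate-permissions",
    "storage": "--storage-permissions",
}


def normalize(export_json):
    """Map objectId -> {class: frozenset(permissions)}, dropping empty classes,
    so two exports compare equal regardless of list order or null-vs-[]."""
    result = {}
    for entry in json.loads(export_json):
        perms = entry.get("permissions") or {}
        classes = {cls: frozenset(p.lower() for p in (perms.get(cls) or []))
                   for cls in FLAGS}
        result[entry["objectId"]] = {c: v for c, v in classes.items() if v}
    return result


def plan_set_policy_calls(export_json, target_vault):
    """One `az keyvault set-policy` argv per principal. Each permission flag needs
    at least one value, so empty classes are skipped rather than passed bare."""
    calls = []
    for object_id, classes in normalize(export_json).items():
        argv = ["az", "keyvault", "set-policy", "--name", target_vault,
                "--object-id", object_id]
        for cls, flag in FLAGS.items():
            if cls in classes:
                argv += [flag, *sorted(classes[cls])]
        calls.append(argv)
    return calls


def diff_policies(expected_json, actual_json):
    """Compare the source export with a fresh export of the restored vault.
    Returns (missing, extra, changed): principals absent on the target, principals
    present only on the target, and principals whose permission sets differ."""
    expected, actual = normalize(expected_json), normalize(actual_json)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    changed = sorted(o for o in set(expected) & set(actual) if expected[o] != actual[o])
    return missing, extra, changed


def high_privilege_principals(export_json, risky=("all", "purge", "delete")):
    """Object IDs granted any risky permission in any class; review these before
    replaying an export onto a new vault."""
    flagged = set()
    for object_id, classes in normalize(export_json).items():
        if any(p in risky for perms in classes.values() for p in perms):
            flagged.add(object_id)
    return sorted(flagged)


def apply(calls, dry_run=True):
    """Print the planned calls, or run them through the az CLI when dry_run is False."""
    for argv in calls:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    planned = plan_set_policy_calls(SAMPLE_EXPORT, "target-vault-name")  # constructed name
    apply(planned)  # dry run; pass dry_run=False after `az login` to really replay
    print("high-privilege principals:", high_privilege_principals(SAMPLE_EXPORT))
```

After replaying, export the target vault's access policies the same way and pass both files to diff_policies; an empty result on all three lists means the restore reproduced the source permissions exactly.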
As Ricky Gummadi said, one way is to use PowerShell or the CLI to achieve this.
The other method to back up and restore keys, secrets and certificates is through the Azure portal, as follows.
To back up and restore the Azure Key Vault, follow the reference document.
Keys Backup in Key Vault:
In the key vault, select the created key and click on Download Backup.
Secrets Backup in Key Vault:
Select the created secret, then click on Download Backup.
Certificates Backup in Key Vault:
Restore:
Select your key vault.
Go to the type of object (secret, key, or certificate) you want to restore.
Select Restore Backup.
Go to the location where you stored the encrypted blob.
Select OK.
Reference link
Related
I want to update the key vault secret values by getting the function app default key and the service bus connection string using a PowerShell/CLI script.
So, can anyone please help me out on this issue?
Based on the above requirement, we have written the below PowerShell script to pull the function app key values (default & master key) and the function app application setting (AzureWebJobsStorage) value.
Using those key values, the script will create secrets in the respective key vault.
Here is the PowerShell script:
$accountInfo = az account show
$accountInfoObject = $accountInfo | ConvertFrom-Json
$subscriptionId = $accountInfoObject.id
## Placeholders must be quoted; an unquoted <...> is a PowerShell syntax error
$resourceGroup = "<ResourceGroupName>"
$functionName = "<functionName>"
$vaultname = "<vaultName>"
$functionkeylist = az rest --method post --uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Web/sites/$functionName/host/default/listKeys?api-version=2018-11-01"
$keylistobject = $functionkeylist | ConvertFrom-Json
## To pull the function app specific setting
$appsetting = az functionapp config appsettings list --name $functionName --resource-group $resourceGroup --query "[?name=='AzureWebJobsStorage'].{Value:value}" -o tsv ## pulling a specific function app setting
## This block will create the secrets for the specific app setting & function app keys
az keyvault secret set --name "${functionName}defaultkey" --vault-name $vaultname --value "$($keylistobject.functionKeys.default)"
az keyvault secret set --name "${functionName}masterkey" --vault-name $vaultname --value "$($keylistobject.masterKey)"
az keyvault secret set --name "${functionName}webappstorage" --vault-name $vaultname --value "$appsetting"
Note:
In the above PowerShell script we have pulled the existing app setting AzureWebJobsStorage and created a secret in the key vault. I would suggest you change the $appsetting block to the respective function app setting to create a secret in the key vault.
Here is the sample output for reference:
Updated Answer:
Add the below code to the above PowerShell script; it will pull the service bus connection string app setting of the function app and store the connection string value as a secret in the key vault.
$servicebusappsetting = az functionapp config appsettings list --name $functionName --resource-group $resourceGroup --query "[?name=='azfapsb_RootManageSharedAccessKey_SERVICEBUS'].{Value:value}" -o tsv ## the app setting of the service bus connection string is in the format <servicebusName>_RootManageSharedAccessKey_SERVICEBUS
az keyvault secret set --name "${functionName}ServiceBusConnectionString" --vault-name $vaultname --value "$servicebusappsetting"
I am creating an Azure function connecting to execute PnP commands. I have created the certificate as mentioned in the docs. I am always getting "Cannot find certificate with this thumbprint in the certificate store. Exception :Type".
Why this error is happening? Any settings need to be modified?
Regarding the issue, please refer to the following steps
Create the self-signed certificate
New-PnPAzureCertificate -OutPfx pnp.pfx -OutCert pnp.cer
Create Azure AD application
Configure permissions
Office 365 SharePoint Online (Application Permission)
Sites.FullControl.All
TermStore.ReadWrite.All
User.ReadWrite.All
Upload your client certificate (.cer file) to the AD application
Create Function
Upload your pfx file to Azure function
az webapp config ssl upload --certificate-file "e:\cert\pnp.pfx" --name "<function app name>" --resource-group "<resource-group-name>" --certificate-password "<pfx-password>" --query thumbprint --output tsv
Configure Function to allow the function to read the certificate
az functionapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>
Function code
Connect-PnPOnline -Tenant <>.onmicrosoft.com -ClientId <the appid of the ad application> -Thumbprint <certificate-thumbprint> -Url https://<>.sharepoint.com
I'm trying to run the sample script found here: https://learn.microsoft.com/en-au/azure/service-fabric/service-fabric-quickstart-containers-linux#create-a-service-fabric-cluster
#!/bin/bash
# Variables
ResourceGroupName='containertestcluster'
ClusterName='containertestcluster'
Location='eastus'
Password='q6D7nN%6ck#6'
Subject='containertestcluster.eastus.cloudapp.azure.com'
VaultName='containertestvault'
VmPassword='Mypa$$word!321'
VmUserName='sfadminuser'
# Login to Azure and set the subscription
az login
az account set --subscription <mySubscriptionID>
# Create resource group
az group create --name $ResourceGroupName --location $Location
# Create secure five node Linux cluster. Creates a key vault in a resource group
# and creates a certificate in the key vault. The certificate's subject name must match
# the domain that you use to access the Service Fabric cluster. The certificate is downloaded locally.
az sf cluster create --resource-group $ResourceGroupName --location $Location --certificate-output-folder . --certificate-password $Password --certificate-subject-name $Subject --cluster-name $ClusterName --cluster-size 5 --os UbuntuServer1604 --vault-name $VaultName --vault-resource-group $ResourceGroupName --vm-password $VmPassword --vm-user-name $VmUserName
From the command prompt or PowerShell, I run "az login" and login, then I copy & paste this script into the console but get errors when it comes to the variables.
I see you are using a shell script; it is more appropriate to run in Linux. For Windows, a PowerShell script is more suitable, and in Windows the variables need to be set like this:
$varName = 'xxxx'
So you need to change all the variables as above, and I suggest you change the script into a PowerShell script.
Trying to create a new Azure Event Grid endpoint subscription based on the code in the Microsoft tutorial here gives errors:
az eventgrid event-subscription create --source-resource-id $topicid --name eventsubscriptionname --endpoint-type storagequeue --endpoint $queueid --expiration-date "2020-05-15"
Deployment failed. Correlation ID: xxxx. The attempt to validate the provided azure endpoint resource:xxxx failed.
The tutorial says to ensure the account has write access to the storage, which it does, I am the owner. All properties in the command have valid values and I am executing from the azure cli.
What could I be doing wrong?
That's weird... I tried on my side and I get the expected result using the following commands:
$resourcegroup="your resource group"
$storagename="your storage name"
$queuename="your queue name"
$topicname="your topic name"
$subscriptionname="your subscription name"
$storageid=az storage account show --name $storagename --resource-group $resourcegroup --query id --output tsv
$queueid="$storageid/queueservices/default/queues/$queuename"
$topicid=az eventgrid topic show --name $topicname -g $resourcegroup --query id --output tsv
az eventgrid event-subscription create --source-resource-id $topicid --name $subscriptionname --endpoint-type storagequeue --endpoint $queueid --expiration-date "2020-05-15"
I used PowerShell version 5.1.18362.752 and AZ CLI version 2.5.1
I wrote the command:
az backup protection backup-now --resource-group Rsrgrp \
--vault-name CLIbkvault --container-name CLIcont \
--item-name MyItem --retain-until 29-02-2020 \
--backup-management-type AzureStorage
And I'm getting this error:
Item not found. Please provide a valid item_name.
I don't know which item name the error is referring to.
My guess is that this is the first time you are trying to back up the resource, is that so?
If so, you will need to first add the resource as protected to the backup vault; then the item name will be the name of the resource you are backing up.
Azure VM
az backup protection enable-for-vm --policy-name
--vm
[--disk-list-setting {exclude, include}]
[--diskslist]
[--ids]
[--resource-group]
[--subscription]
[--vault-name]
Azure File Share
az backup protection enable-for-azurefileshare --azure-file-share
--policy-name
--storage-account
[--ids]
[--resource-group]
[--subscription]
[--vault-name]
Azure Workload
az backup protection enable-for-azurewl --policy-name
--protectable-item-name
--protectable-item-type {HANAInstance, SAPHanaDatabase, SAPHanaSystem, SQLAG, SQLDatabase, SQLInstance}
--server-name
--workload-type {AzureFileShare, MSSQL, SAPHANA, SAPHanaDatabase, SQLDataBase, VM}
[--ids]
[--resource-group]
[--subscription]
[--vault-name]
https://learn.microsoft.com/en-us/cli/azure/backup/protection