Need to fetch logic app primary and secondary access keys and store them in a variable in powershell cmdlet ,the requirement is to then update the key vault secret already holding the old versions of the access keys for that logic app and also is there a way to regenerate access keys with cmdlet
As far as I know, it is not possible to fetch the keys either through Portal or PowerShell, or CLI. If you are looking specifically to create a URL you can go with the below and this document also speaks about callback URl.
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal#generate-shared-access-signatures-sas
Related
I have to get the history of changes of the key in an Azure KeyVault, like updated expiry date via keyUpdate operation, for example.
Is there any way to get those changes? Are the KeyVault changes even stored by Azure?
Checked the resourcechanges table trough the ResourceGraphManager from the SDK and UI and there are no KeyVault entries at all.
Thanks.
Use the Azure CLI,
List of Key Vault keys will return the details of your keys.
If you want to see the versions of a key using it's ID fetched from above, Show key versions
Then if you want to see it's attributes, show key's details
First make sure you know the name of the Key Vault, have performed an az login and set the subscription az account set -s SUBSCRIPTION_ID
I'm really new to Azure but trying to learn - so apologies if this is a daft question. I've started the free trial (which gives me some credit to start with), and I'm trying to create a key vault. If I specify "Vault access policy" under access policies, it works great and I'm able to create secrets. I'd like to use "Azure role-based access control" though instead. If I create a key vault using Azure role-based access control, I get a message when trying to create a new secret which says "The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective." I am logged into Azure as the Service Administrator, so I don't think it's a permissions issue. I have left it overnight, and it still displays the message, so I don't think it's a matter of not waiting long enough for role assignments to become effective. I have tried creating the key vault in different regions and get the same results. Note that this is happening when I create a key vault using Azure role-based access control from scratch (i.e. I am not changing it from one to the other or anything like that.) Does anyone know what I'm doing wrong?
Thanks for any help
Andrew
If you are creating the Key vault with RBAC role from scratch then Please assign Key vault Administrator to your name for creating/ managing the secrets, certificates and keys.
Steps:
Go to your Key vault after its created and then click on Access
Control (IAM):
Then click on Add Role assignment and then add Key vault
Administrator Role to your name:
After you review and assign the role , you will be successfully able
to create/manage the objects present inside the Key vault.
If you provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control, then you need to use a specific built-in role or a custom one with allowed operations on the Data plane.
You have the list of those aforementioned built-in roles in the official documentation for Key Vault RBAC permission model.
The role you have assigned most probably do not have access to Key Vault Data plane. You can find the whole list of operation providers at this link. See that there is a distinction between Actions which are actions at infrastructure level vs DataActions which are actions at the data level, what is inside your Key Vault. Most of roles do not have access to this.
I am looking to deploy Azure function by using Terraform, in the same way which is mentioned here in the Ms docs.
https://learn.microsoft.com/en-us/azure/azure-functions/deployment-zip-push
One of my need to store and Storage SAS key to Key Vault. I have seen some exmaple where we can below setting is used, but I can't use sas key without storing to Key Vault.
WEBSITE_RUN_FROM_ZIP = "https://${azurerm_storage_account.this.name}.blob.core.windows.net/${azurerm_storage_container.this.name}/${azurerm_storage_blob.this.name}${data.azurerm_storage_account_sas.this.sas}"
Any suggestion?
Thank you !
For this requirement, you can use the Key Vault reference to get the secrets to the Azure Function like this:
#Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
Or
#Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion=ec96f02080254f109c51a1f14cdb1931)
But this means only support system-assigned managed identities. So you need to enable the system-assigned managed identity and assign the right role of the Key Vault to it. Here is more details.
I am following directions here for learning the AzureKeyVault config settings
Key Vault Configuration Provider sample application (ASP.NET Core 2.x)
This sample illustrates the use of the Azure Key Vault Configuration
Provider for ASP.NET Core 2.x. For the ASP.NET Core 1.x sample, see
Key Vault Configuration Provider sample application (ASP.NET Core
1.x).
For more information on how the sample works, see the Azure Key Vault
configuration provider topic.
Using the sample
Create a key vault and set up Azure Active Directory (Azure AD) for the application following the guidance in Get started with Azure Key
Vault.
Add secrets to the key vault using the AzureRM Key Vault PowerShell Module available from the
PowerShell
Gallery,
the Azure Key Vault REST API, or the Azure
Portal. Secrets are created as either
Manual or Certificate secrets. Certificate secrets are certificates for use by apps and services but are not supported by the
configuration provider. You should use the Manual option to create
name-value pair secrets for use with the configuration provider.
Simple secrets are created as name-value pairs. Azure Key Vault secret names are limited to alphanumeric characters and dashes.
Hierarchical values (configuration sections) use -- (two dashes) as a separator in the sample. Colons, which are normally used
to delimit a section from a subkey in ASP.NET Core
configuration, aren't allowed
in secret names. Therefore, two dashes are used and swapped for a
colon when the secrets are loaded into the app's configuration.
Create two Manual secrets with the following name-value pairs. The first secret is a simple name and value, and the second
secret creates a secret value with a section and subkey in the secret
name:
SecretName: secret_value_1
Section--SecretName: secret_value_2
Register the sample app with Azure Active Directory.
Authorize the app to
access the key vault. When you use the
Set-AzureRmKeyVaultAccessPolicy PowerShell cmdlet to authorize the
app to access the key vault, provide List and Get access to
secrets with -PermissionsToSecrets list,get.
Update the app's appsettings.json file with the values of Vault, ClientId, and ClientSecret.
Run the sample app, which obtains its configuration values from IConfigurationRoot with the same name as the secret name. *
Non-hierarchical values: The value for SecretName is obtained with
config["SecretName"]. * Hierarchical values (sections): Use :
(colon) notation or the GetSection extension method. Use either of
these approaches to obtain the configuration value:
config["Section:SecretName"]
config.GetSection("Section")["SecretName"]
Okay so I have copied the name of my application into Azure Active Directory as an 'Enterprise Application'. And I have added 'Access policies' for 'get' and 'list' in Azure for my ADD object I just created. Yet I get this error in the program when attempting to start the application:
Exception: {"error":"unauthorized_client","error_description":"AADSTS70001:
Application with identifier '(guid)' was not found in the directory ...(continues)
Update 8-4-18
Okay I found out that Azure uses the 'ClientId' and 'ClientSecret' in the local appsettings.json to connect to what Azure registers in this tutorial: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#log-in-as-the-application
I get the clientId in appsettings.json from the applicationId on ADD I create with ADD>App Registrations>New
I click settings in ADD on the app I just created and create a key with an expiration to store as ClientSecret in appsettings.json.
I change my 'Vault' in appsettings to my named vault.
I run the powershell above to give access or else do it in ADD.
So now I am getting a simpler error:
'Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: 'Access denied''
I have tried running as Administrator in Visual Studio. I went under Subscriptions in Azure>Access Control>(IAM)>set my new apps to Reader.
So the reason your powershell is failing is because you are trying to assign a User Principal - a user - when actually you want a Service Principal.
I can’t see your C# to support more there than saying when you use the SDK to log in as the Service Principal you use the application id of the Application/Service Principal (its the same id).
The service principal acts like a user in the local directory but you log in as the application.
Edit:
I looked at the example you posted and ran it myself and had very similar problems. However I have got it working. Here's the steps:
Creating the Application
Create the Registered Application. I do this through the Azure Portal so
a Service Principal is created automatically. Make a note of the ApplicationId.
Generate a key credential on the created application and make a note of it.
In the Application click on the link to the Managed app in local directory. This is the Service Principal, make a note of the ObjectId
Creating the Key Vault
Create KeyVault - I used PowerShell to do this. New-AzureRmKeyVault
Apply the Service Principal to the Key Vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName <vault> -ResourceGroupName <ResourceGroupName> -ObjectId <Object Id of the Created Service Principal> -PermissionsToSecrets Get,List
Running the Sample App
In your application settings follow this format:
{
"Vault": <the name of your vault>,
"ClientId": <ApplicationId of the Registered Application>,
"ClientSecret": <Credential generated from the Registered Application>
}
This worked for me and allowed me to run the sample and retrieve the secrets from the vault.
The ultimate problem for me became that running 'Set-AzureRmKeyVaultAccessPolicy' was not needed and for whatever reason it was easier to just ignore it and follow this subsection: https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize
I kept trying to set up Object Id and Keys and really I had just overlooked a section mentioning a 'ServerPrincipalName'
They set one commandlet for keys
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToKeys decrypt,sign
They set one commandlet for secrets
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToSecrets Get, List
But I decided to follow the immediate proceeding section on doing it all in the Portal. The key take away for me was that the instructions were not wrong. Just vague when it says: "Register a sample app" then "Authorize the App". Really they should be saying
Register a sample app (https://learn.microsoft.com/en-us/azure/key-vault/key-vault-get-started#register)
Authorize the app with Key Vault (https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize)
Ultimately all the information is there it was just confusing if you happen to already have a vault and an application and don't understand the prerequisite is that really you need to have a 1. A Vault, 2. An ADD Web Application, 3. Associate permissions for 2 in 1.
Is it possible to create a Key Vault in Azure via c#? I'm able to manipulate secrets and keys via the KeyVaultClient but I need to
A). See if a key vault already exists and
B). Create a key vault if it doesn't exist.
Yes, you can use the KeyVault management client to list where a key vault exists in an Azure subscription and create the KeyVault if necessary. There is C# SDK for these operations which are against Azure Resource Manager.
https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.management.keyvault.vaultsoperationsextensions?view=azure-dotnet