I am trying to get Azure Storage's encryption status from the command line or programmatically, but could not find any relevant cmdlet (https://learn.microsoft.com/en-us/powershell/module/azure.storage/get-azurestorageserviceproperty?view=azurermps-6.13.0).
I can check that manually from portal like this
Is it available to check through any command line, or do we have to check only through the portal?
You could use the command below; make sure you have installed the Az module.
(Get-AzResource -ResourceGroupName <group-name> -ResourceType Microsoft.Storage/storageAccounts -Name <storageaccount-name>).Properties.encryption | ConvertTo-Json
If the Encryption type is Microsoft-managed keys, the keySource will be Microsoft.Storage.
If the Encryption type is Customer-managed keys, the keySource will be Microsoft.Keyvault, keyvaultproperties will include the properties of the keyvault key you configured.
You can make use of Get-AzStorageAccount PowerShell Cmdlet.
$props = Get-AzStorageAccount -ResourceGroupName "your-resource-group-name" -Name "storageaccount-name"
$keySource = $props.Encryption.KeySource
$keySource should tell you the encryption type used. In my case, it printed Microsoft.Storage.
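Both answers read the key source of one account; an auditor usually wants the same facts for every account in scope. The script below is an added example, not code from either answer: it builds one report row per storage account from the object Get-AzStorageAccount returns, and assumes an existing Connect-AzAccount session and the property names of the Az.Storage module's Encryption model (KeySource, KeyVaultProperties, RequireInfrastructureEncryption).

```powershell
# Added example: audit the encryption configuration of every storage account the current
# Az context can see. Assumes the Az.Storage module and an authenticated context.
function Get-StorageEncryptionReport {
    param(
        # Optional: restrict the audit to one resource group
        [string] $ResourceGroupName
    )

    $accounts = if ($ResourceGroupName) {
        Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzStorageAccount
    }

    foreach ($sa in $accounts) {
        $enc = $sa.Encryption
        [pscustomobject]@{
            Name                     = $sa.StorageAccountName
            ResourceGroup            = $sa.ResourceGroupName
            # Microsoft.Storage = platform-managed key, Microsoft.Keyvault = customer-managed key
            KeySource                = $enc.KeySource
            KeyVaultUri              = $enc.KeyVaultProperties.KeyVaultUri
            KeyName                  = $enc.KeyVaultProperties.KeyName
            # A pinned key version means rotation in Key Vault is not picked up automatically
            KeyVersionPinned         = [bool]$enc.KeyVaultProperties.KeyVersion
            # Infrastructure (double) encryption is off unless it was enabled at creation
            InfrastructureEncryption = [bool]$enc.RequireInfrastructureEncryption
            # Transport settings worth reporting next to the at-rest settings
            MinimumTlsVersion        = $sa.MinimumTlsVersion
            HttpsOnly                = $sa.EnableHttpsTrafficOnly
        }
    }
}

# Usage: show only the accounts that still rely on Microsoft-managed keys
Get-StorageEncryptionReport | Where-Object KeySource -eq 'Microsoft.Storage' | Format-Table
```

Piping the report to Export-Csv gives a point-in-time record that can be diffed against a later run to spot accounts whose key source changed.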
I'm working on setting up an Application Gateway with a group of backend app services. I am in the final configuration steps of configuring a listener, but first I need to set the Application Gateway to support Key Vault reference certificates. I follow this guide from the official Microsoft documentation: Key Vault Azure Role-Based Access Control Permissions Model
via Azure PowerShell, but I get this series of errors. In the case of Get-AzApplicationGateway, I have already verified that the name in which my resource is located is correct. As for Get-AzApplicationGatewayIdentity and Add-AzApplicationGatewaySslCertificate, I get: Cannot bind argument to parameter 'ApplicationGateway' because it is null. I can't find the cause of this error; am I entering the wrong argument?
Your first command in the posted snippet, Get-AzApplicationGateway, doesn't find your gateway.
At least in the snippet provided, you don't give -Name and -ResourceGroupName as strings, meaning in " ".
When I run your commands with strings where they are required, it works just fine.
When I ran the below command directly, I got the same error.
$appgw = Get-AzApplicationGateway -Name YourApplicationGatewayName -ResourceGroupName YourRGName
First, we need to create an Application Gateway.
Create a Managed Identity.
After creating the ApplicationGateway and ManagedIdentity, now run the below commands.
$appgw = Get-AzApplicationGateway -Name YourApplicationGatewayName -ResourceGroupName YourRGName
Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId "/subscriptions/YourSubscriptionID/resourceGroups/YourRGName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MyYourManagedIdentityName"
Create a KeyVault and certificate by following the steps from the document and run the below command to
$secret = Get-AzKeyVaultSecret -VaultName "YourKeyVaultName" -Name "YourCertificateName"
# Strip the version from the secret id so the gateway follows the latest version of the certificate
$secretId = $secret.Id.Replace($secret.Version, "")
Add-AzApplicationGatewaySslCertificate -KeyVaultSecretId $secretId -ApplicationGateway $appgw -Name $secret.Name
Before running the command below, make sure you have created the access policy with Get selected under Secret permissions and provided the created Managed Identity.
Set-AzApplicationGateway -ApplicationGateway $appgw
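The two answers above make separate points: the first that unquoted names make Get-AzApplicationGateway return nothing, the second the order of the steps. The script below is an added example (not the answers' code and not the Microsoft document's) that combines them with a null check on the gateway lookup, which is what turns the silent empty result into a clear failure instead of the "parameter 'ApplicationGateway' ... is null" error. Because the question names the Key Vault RBAC permission model, it grants the gateway identity the built-in Key Vault Secrets User role; a vault still on access policies needs Set-AzKeyVaultAccessPolicy instead, as the answer above says. All resource names are placeholders.

```powershell
# Added example: Key Vault certificate on an Application Gateway, with quoted values,
# a null check, least-privilege RBAC for the identity and a version-less secret id.
$rgName    = "YourRGName"
$gwName    = "YourApplicationGatewayName"
$idName    = "YourManagedIdentityName"
$vaultName = "YourKeyVaultName"
$certName  = "YourCertificateName"

$appgw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rgName
if (-not $appgw) {
    throw "Application Gateway '$gwName' was not found in resource group '$rgName'."
}

# Attach the user-assigned identity the gateway will use to read the secret
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $rgName -Name $idName
$appgw = Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId $identity.Id

# RBAC permission model: "Key Vault Secrets User" grants read of secret values and nothing else
$vault = Get-AzKeyVault -VaultName $vaultName
New-AzRoleAssignment -ObjectId $identity.PrincipalId `
    -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $vault.ResourceId

# Reference the certificate secret without its version so renewals are picked up
$secret   = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName
$secretId = $secret.Id.Replace($secret.Version, "")
$appgw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw `
    -Name $secret.Name -KeyVaultSecretId $secretId

# Nothing reaches Azure until the modified gateway object is written back
Set-AzApplicationGateway -ApplicationGateway $appgw
```

Role assignments take a short while to propagate; if Set-AzApplicationGateway reports that the gateway cannot read the secret right after New-AzRoleAssignment, re-run the final step rather than widening the role.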
I am trying to get the subscription keys for my products, as well as the default subscription key, using the CLI. I have gone through the documentation https://learn.microsoft.com/en-us/cli/azure/apim/api?view=azure-cli-latest, but right now I don't see any commands to get me the subscription key.
While I can see there is a PowerShell way of getting it, we run the tasks in an Ubuntu pipeline, and the commands listed below are not working in the Linux agent. It says Set-AzContext is not a known command.
$subscriptionId = "id"
$RG = "rg"
$service = "apim-name"
Set-AzContext -Subscription $subscriptionId
$apimContext = New-AzApiManagementContext -ResourceGroupName $RG -ServiceName $service
Get-AzApiManagementSubscriptionKey -Context $apimContext -SubscriptionId "master"
Update
I am able to fetch the details through a PowerShell task for Azure in the DevOps pipeline. If there is no option in Azure CLI, I will use this as a workaround.
Using az rest it is possible:
APIMID=`az apim show -n apimname -g resourcegroup --query id -o tsv`
az rest --method post --uri ${APIMID}/subscriptions/test-subscription/listSecrets?api-version=2021-08-01 --query primaryKey -o tsv
where test-subscription is the name of the subscription.
Currently it is not possible to fetch the subscription key using Azure CLI commands. The PowerShell command used is the correct way to go. Just in case it helps, another way to get the subscription key is by using a Management API call.
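The az rest answer and the "Management API call" remark both point at the same listSecrets operation. The function below is an added example, not code from either answer: it makes that call from an Azure PowerShell task on a Linux agent through Invoke-AzRestMethod (Az.Accounts), which uses the task's already-authenticated context, so the Set-AzContext step that failed in the question is not needed. The resource names are placeholders, and the final line hands the key to later pipeline steps as a secret variable so it is masked in the log instead of being printed.

```powershell
# Added example: fetch an API Management subscription key via the ARM listSecrets action
# from an Azure PowerShell task. Assumes Az.Accounts and Az.Resources are available.
function Get-ApimSubscriptionKey {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ServiceName,
        # "master" is the built-in all-access subscription; pass a product subscription name otherwise
        [string] $SubscriptionName = "master",
        [string] $ApiVersion = "2021-08-01"
    )

    $apim = Get-AzResource -ResourceGroupName $ResourceGroupName `
        -ResourceType "Microsoft.ApiManagement/service" -Name $ServiceName
    if (-not $apim) { throw "APIM service '$ServiceName' not found in '$ResourceGroupName'." }

    # Same path the az rest answer posts to; the ARM host is added by Invoke-AzRestMethod
    $path = "$($apim.ResourceId)/subscriptions/$SubscriptionName/listSecrets?api-version=$ApiVersion"
    $response = Invoke-AzRestMethod -Path $path -Method POST
    if ($response.StatusCode -ne 200) {
        throw "listSecrets failed with HTTP $($response.StatusCode): $($response.Content)"
    }
    ($response.Content | ConvertFrom-Json).primaryKey
}

$key = Get-ApimSubscriptionKey -ResourceGroupName "rg" -ServiceName "apim-name" -SubscriptionName "test-subscription"

# Expose the key to later steps as a secret pipeline variable (masked in logs); never Write-Host it
Write-Host "##vso[task.setvariable variable=ApimSubscriptionKey;issecret=true]$key"
```

The listSecrets action is a POST because it returns secret material; the same applies to the az rest form above, which is why `--method post` is required there.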
I am trying to automate the creation of certain azure resources via an Azure PowerShell script that is triggered from an Azure DevOps release pipeline. I want to create a function app, and automatically integrate reading right access to secrets in an already existing Key Vault. This Key Vault is in the same Azure subscription.
While I can create most resources following the documentation, there seems to be a lack of documentation regarding the creation of certain resources using Azure PowerShell (or I can't find it).
If I follow the sample from this link, I can accomplish it without a problem by using the UI in the Azure Portal, but I can't find any documentation on Microsoft Docs to do it using PowerShell.
Write-Host "Creating Function App..."
$fnApp = New-AzFunctionApp -Name $functionAppName `
-ResourceGroupName $emailFunctionRg `
-Location "$(AzureRegion)" `
-StorageAccount $storageName `
-Runtime dotnet `
-FunctionsVersion '3' `
-IdentityType SystemAssigned
Write-Host "Function App created!"
Write-Host "Assigning Key Vault access..."
$appId = Get-AzADServicePrincipal -DisplayName $functionAppName
Set-AzKeyVaultAccessPolicy -VaultName EmailSettings -ServicePrincipalName $appId -PermissionsToSecrets Get,List
Write-Host "Key Vault access granted!"
Running Set-AzKeyVaultAccessPolicy fails with "Insufficient privileges to complete the operation.". But I am not sure if this is the right path to follow, it was just a guess, based on the available functions in the documentation.
Any ideas?
Two potential issues to check out here:
Your app creation assigns the result to $fnApp. Perhaps $fnApp or, as commented above, $fnApp.ApplicationId is what you should be using for the -ServicePrincipalName parameter on the access policy grant.
You don't have privileges to assign RBAC roles. Go to the Key Vault, choose Access Control, then click the Role Assignments tab and verify that your user appears in the list as an Administrator, User Access Administrator, or Owner.
Edit: With respect to the RBAC privilege, since this is running in Azure Powershell from Azure DevOps, you need to check the role assignment for the Service Connection's service principal - under Azure Active Directory in the Azure Portal, look up the principal used to create the service connection, and make sure THAT gets the correct Role on the key vault.
After a little trial and error, I came to the conclusion that I was not using the right parameter for the Set-AzKeyVaultAccessPolicy cmdlet.
The following script will work (if the service principal running it has the appropriate role, as WaitingForGuacamole mentioned in his/her answer):
Write-Host "Creating Function App..."
$fnApp = New-AzFunctionApp -Name <FnAppName> `
-ResourceGroupName <ResourceGroupName> `
-Location <AzureRegion> `
-StorageAccount <StorageAccount> `
-Runtime dotnet `
-FunctionsVersion '3' `
-IdentityType SystemAssigned
Write-Host "Function App created!"
Write-Host "Assigning Key Vault access..."
Set-AzKeyVaultAccessPolicy -VaultName <NameOfTheKeyVault> -ObjectId (Get-AzADServicePrincipal -DisplayName <FnAppName>).Id -PermissionsToSecrets <Get, List, etc...>
Write-Host "Key Vault access granted!"
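The accepted fix above switches to -ObjectId, and the other answer says to verify the role of the principal the service connection runs as. The script below is an added example, not either answer's code: it performs that verification as a pre-flight check from inside the pipeline, and then resolves the function app's identity from the app object itself rather than by display name, since a display-name search can match an unrelated principal with the same name. It assumes the vault uses the access-policy permission model (as in the answers), that the Az.Functions app object exposes IdentityPrincipalId, and that the context account id is a UPN for a user or an application id for a service principal. Names in angle brackets are placeholders.

```powershell
# Added example: verify the pipeline principal's rights on the vault, then grant the
# function app's system-assigned identity the minimum secret permission by object id.
$vaultName = "<NameOfTheKeyVault>"
$fnAppName = "<FnAppName>"
$rgName    = "<ResourceGroupName>"

$vault = Get-AzKeyVault -VaultName $vaultName
if (-not $vault) { throw "Key Vault '$vaultName' not found." }

# Pre-flight: who is this script running as? A service connection runs as a service principal.
$ctx = Get-AzContext
$principalObjectId = switch ($ctx.Account.Type) {
    "ServicePrincipal" { (Get-AzADServicePrincipal -ApplicationId $ctx.Account.Id).Id }
    "User"             { (Get-AzADUser -UserPrincipalName $ctx.Account.Id).Id }
    default            { throw "Unsupported account type '$($ctx.Account.Type)'." }
}

# Roles effective on the vault for that principal (assumed to include inherited assignments).
# Editing access policies needs a role that can write the vault resource itself.
$roles = (Get-AzRoleAssignment -ObjectId $principalObjectId -Scope $vault.ResourceId).RoleDefinitionName
$canEditPolicies = $roles | Where-Object { $_ -in @("Owner", "Contributor", "Key Vault Contributor") }
if (-not $canEditPolicies) {
    throw "Account '$($ctx.Account.Id)' cannot edit access policies on '$vaultName' (roles found: $($roles -join ', '))."
}

# Resolve the identity from the app object, not from a display-name search
$fnApp = Get-AzFunctionApp -ResourceGroupName $rgName -Name $fnAppName
if (-not $fnApp.IdentityPrincipalId) {
    throw "Function app '$fnAppName' has no system-assigned identity enabled."
}

# Get is enough to read known secrets; List additionally lets the app enumerate every secret name
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $fnApp.IdentityPrincipalId -PermissionsToSecrets Get
```

Resolving the object id with Get-AzADServicePrincipal or Get-AzADUser needs directory read permission for the service connection; if that is not granted, the thrown message still names the account to look up in the portal, as the answer above describes.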
I'm a bit of an Azure & PowerShell newbie.
I'm trying to write PowerShell scripts to create an environment that can be published to from Azure DevOps.
As part of that, I'm creating a Service Bus with multiple topics. Each of the topics will have multiple Authorization Rules - one for publication and one for subscription.
I have the scripts for this working. However, I need to get the connection strings for these rules and save them to a key vault, to make them available to apps.
This is where I have become stuck.
This is similar to my existing code:
New-AzServiceBusTopic -ResourceGroupName myResourceGroup -Namespace myServiceBus -EnablePartitioning $false -Name myTopic
New-AzServiceBusAuthorizationRule `
-ResourceGroupName myResourceGroup `
-Namespace myServiceBus `
-Topic myTopic `
-Name myTopic.pub `
-Rights @("Send")
In the Azure Portal, I would click into the Service bus and Topic, select Shared Access Policies and click on the policy. It would show me the SAS Policy with the Primary Connection String.
Is there any way in PowerShell to get the Primary Connection String?
Thanks
If you have the Azure PowerShell Az.ServiceBus module installed, you can directly use this command: Get-AzServiceBusKey.
For example:
Get-AzServiceBusKey -ResourceGroup Default-ServiceBus-WestUS -Namespace SB-Example1 -Name AuthoRule1
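The answer's example reads a namespace-level policy, while the question's rules sit on a topic and the connection strings are meant to end up in Key Vault. The function below is an added example, not the answer's code: it uses the -Topic parameter of Get-AzServiceBusKey for a topic-level rule and writes the primary connection string straight into a Key Vault secret, returning only the secret's id so the value never appears in pipeline output. Resource names follow the question's placeholders; the vault name is assumed.

```powershell
# Added example: store a topic authorization rule's primary connection string in Key Vault.
# Assumes the Az.ServiceBus and Az.KeyVault modules and write access to the vault.
function Save-ServiceBusRuleConnectionString {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Namespace,
        [Parameter(Mandatory)] [string] $Topic,
        [Parameter(Mandatory)] [string] $RuleName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName
    )

    # Returns PrimaryKey, SecondaryKey, PrimaryConnectionString and SecondaryConnectionString
    $keys = Get-AzServiceBusKey -ResourceGroupName $ResourceGroupName -Namespace $Namespace `
        -Topic $Topic -Name $RuleName
    if (-not $keys.PrimaryConnectionString) {
        throw "No keys returned for rule '$RuleName' on topic '$Topic'."
    }

    # Set-AzKeyVaultSecret takes a SecureString; the content type documents what the secret holds
    $secure = ConvertTo-SecureString -String $keys.PrimaryConnectionString -AsPlainText -Force
    $secret = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
        -SecretValue $secure -ContentType "servicebus-connection-string"

    # Hand back the reference applications will use, not the value
    $secret.Id
}

# Usage: secret names allow only letters, digits and dashes, so "myTopic.pub" becomes "myTopic-pub"
Save-ServiceBusRuleConnectionString -ResourceGroupName "myResourceGroup" -Namespace "myServiceBus" `
    -Topic "myTopic" -RuleName "myTopic.pub" -VaultName "myKeyVault" -SecretName "myTopic-pub"
```

Because each rule carries only the rights it was created with (Send for the publication rule, Listen for the subscription rule), a leaked publisher connection string cannot be used to read the topic; keeping the two strings in separate secrets preserves that split when applications fetch them.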
I have a logic App with Managed Identity enabled. For automation purposes, I need to use either Azure CLI or Powershell to grab the objectID of the Logic App Managed Identity to grant it access to a keyvault.
I have done the same for Azure Data Factory using a PowerShell command like this:
(Get-AzureRMDataFactoryV2 -ResourceGroupName $ResourceGroup -Name $DataFactoryName).Identity
Tried something similar for logic app but it does not return the identity.
Looks like the Workflow object returned by Get-AzLogicApp doesn't have the identity property defined.
A workaround would be to use the Get-AzResource cmdlet instead.
$ID = (Get-AzResource -Name myLogicApp -ResourceType Microsoft.Logic/workflows).Identity.PrincipalId
Based on the previous answer by Joey Cai, you can do the following in AZ CLI also:
$ID = az resource show --name "myLogicApp" --resource-group "myResourceGroup" --resource-type "Microsoft.Logic/workflows" --query "identity.principalId" | ConvertFrom-Json
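The Get-AzResource trick in the answers works for any ARM resource, not only Logic Apps, which is exactly why it is a useful fallback when a resource-specific cmdlet omits the identity. The function below is an added example, not code from the answers: it generalises the lookup, distinguishes a resource with no identity enabled from one whose identity is system-assigned, and also reports user-assigned identities. It assumes the Identity property of the object Get-AzResource returns exposes Type, PrincipalId and a UserAssignedIdentities dictionary keyed by identity resource id, as the Az.Resources module's model does.

```powershell
# Added example: resolve the managed identity principal(s) of any ARM resource.
# Assumes the Az.Resources module and an authenticated context.
function Get-ResourceIdentityPrincipalId {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ResourceType,   # e.g. Microsoft.Logic/workflows
        [Parameter(Mandatory)] [string] $Name
    )

    $res = Get-AzResource -ResourceGroupName $ResourceGroupName -ResourceType $ResourceType -Name $Name
    if (-not $res) {
        throw "Resource '$Name' of type '$ResourceType' not found in '$ResourceGroupName'."
    }

    $identity = $res.Identity
    if (-not $identity -or "$($identity.Type)" -eq "None") {
        throw "Resource '$Name' has no managed identity enabled; there is no principal to grant access to."
    }

    $userAssigned = @()
    if ($identity.UserAssignedIdentities) {
        # Dictionary keyed by the identity's ARM resource id; each value carries PrincipalId and ClientId
        $userAssigned = @($identity.UserAssignedIdentities.Keys | ForEach-Object {
            [pscustomobject]@{
                ResourceId  = $_
                PrincipalId = $identity.UserAssignedIdentities[$_].PrincipalId
            }
        })
    }

    [pscustomobject]@{
        Type              = "$($identity.Type)"      # SystemAssigned, UserAssigned, or both
        SystemAssignedId  = $identity.PrincipalId    # null when only user-assigned identities exist
        UserAssignedIds   = $userAssigned
    }
}

# Usage: the Logic App from the question; SystemAssignedId is what -ObjectId on a Key Vault grant expects
Get-ResourceIdentityPrincipalId -ResourceGroupName "myResourceGroup" `
    -ResourceType "Microsoft.Logic/workflows" -Name "myLogicApp"
```

Throwing when no identity is enabled matters in automation: a null principal id passed on to a grant cmdlet fails with a less obvious binding error, or, with some cmdlets, silently grants nothing.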