While trying to give access policy (Azure key vault) to my Azure data factory through PowerShell, I am getting error below:
Set-AzKeyVaultAccessPolicy : Operation returned an invalid status code
'BadRequest' At line:64 char:1
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipal ...
+ CategoryInfo : CloseError: (:) [Set-AzKeyVaultAccessPolicy], Gr aphErrorException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVau ltAccessPolicy
Any help would be really appreciated. Thanks in advance.
This is the script I am trying to execute:
## select subcription
$subcription='Visual Studio Enterprise – MPN'
Select-AzSubscription $subcription
## create a new resource group
$resourcegroupname=”gho-rg-dev”
$location="eastus"
$rg=New-AzResourceGroup `
-Name $resourcegroupname `
-Location $location
## create the storage account
$storageAccountName = "ghostoragelab"
$skuName = "Standard_LRS"
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourcegroupname `
-Name $storageAccountName `
-Location $location `
-SkuName $skuName
$storageaccountkey=(Get-AzStorageAccountkey -ResourceGroupName $resourcegroupname -Name $storageAccount.StorageAccountName).Value[0]
##create azure data factory
$datafactoryname='lab-factory-dev'
$df= New-AzDataFactoryV2 `
-ResourceGroupName $resourcegroupname -Name $datafactoryname -Location $location
## creating the azure key vault
$keyvaultname="labkeydev"
$keyvault=New-AzKeyVault -ResourceGroupName $resourcegroupname -Name $keyvaultname `
-Location $location
# creating the secret key in keyvault
Set-AzKeyVaultSecret -VaultName $keyvaultname -Name "secret-access-key"`
-SecretValue(ConvertTo-SecureString -String $storageaccountkey -AsPlainText -Force)
#Give access policy to the datafactory thorugh keyvault
*## this is where script is failing*
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipalName $df.DataFactoryId -PermissionsToSecrets Get
I suppose you want to add the MSI (Managed Service Identity) of the Data Factory to the Access policies of your keyvault.
You got the error because you used the -ServicePrincipalName $df.DataFactoryId in this
command Set-AzKeyVaultAccessPolicy, the $df.DataFactoryId is the resource id of the data factory, what you need is the Application ID(Client ID) of the MSI.
So if you want to use -ServicePrincipalName parameter, your command should be:
$appId = (Get-AzADServicePrincipal -ObjectId $df.Identity.PrincipalId).ApplicationId
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ServicePrincipalName $appId -PermissionsToSecrets get
The command above needs the permission to get service principal in your Azure AD. If you don't have this permission, you could use the command (I recommend you to use this one):
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $df.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
If your data factory has already been created, you could use Get-AzDataFactoryV2 to get it, then add it to the access policies.
$datafactory = Get-AzDataFactoryV2 -ResourceGroupName <group name> -Name <factory name>
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $datafactory.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
Related
I'm following an educative course, where i need to put the webhook in the Azure Key Vault.
When i run below on powershell
New-AzKeyVault -Name "dev-avm-kvz" -ResourceGroupName "shared-rg" -Location "westeurope"
Set-AzKeyVaultAccessPolicy -VaultName "dev-avm-kvz" -UserPrincipalName "sxndgmail.onmicrosoft.com" -PermissionsToSecrets get,set,delete
$secretvalue = ConvertTo-SecureString "https://8xe2c-bd3dc2a.webhook.we.azure-automation.net/webhooks?token=i%2bcs1ZY" -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName "dev-avm-kvz" -Name "db-new-vm-webhook" -SecretValue $secretvalue
The first line succeeds with a new vault created.
But the Set-AzKeyVaultAccessPolicy errors out as below -
here's the educative instructions im referring to ->
From their commands, i have changed principal name, vault name a little and my webhook URI
I have reproduced in my environment, and I got expected results as below and I followed Microsoft-Document:
Firstly, I have created a key Vault using the below PowerShell commands:
$ResourceGroupName ="XX"
$Location="North Europe"
$KeyVaultName="siliconvault"
New-AzKeyVault -Name $KeyVaultName -ResourceGroupName $ResourceGroupName `
-Location $Location -SoftDeleteRetentionInDays 7
Then, I have assigned access policy to the UPN and followed Microsoft-Document:
Set-AzKeyVaultAccessPolicy -VaultName siliconvault -UserPrincipalName 'XXk_outesaioutlook.onmicrosoft.com `
-PermissionsToSecrets Get,Set,List
You can find the UPN of the user by visiting > Azure Active Directory in your Azure Portal > Left Pane > Users > Click on the desired User and Copy the UPN.
Then i have used below commands to add secrets of web uri:
$SecretVault=ConvertTo-SecureString "https://a.webhook.we.azure-automation.net/webhooks?token=i%2" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName siliconvault -Name "webhookuri" -SecretValue $SecretVault
Outputs:
Access Policy is assigned to the UPN successfully as below:
Then you can see the secret is added as below:
Inside the secret your secret value is stored.
I have setup a Shared Image Gallery and added a VM image to it. I can provision a new VM in my subscription from it. A friend wants to use that same image to provision the same VM in his subscription, a totally different Azure account. He has added me temporarily as an owner to his subscription and I can change directory from my azure portal to access and work with it no problem.
When I try to create a VM, I can't find the gallery in my subscription/account from his subscription (a totally different Azure account).
I have tried making an application registration and even added permissions for the application in his subscription too (contributor). Still can't see it.
Is this possible at all or am I doing something wrong?
thank you much
At the moment, we have no way to use the portal to deploy a VM from an image in another azure tenant. To create a VM from an image shared between tenants, you must use the Azure CLI or Powershell. For more details, please refer to here
For example
create a service principal in the tenant 1
Give Tenant 2 access
a. Register the sp into tenant 2
we can implement it by requesting a sign-in using a browser
https://login.microsoftonline.com/<Tenant 2 ID>/oauth2/authorize?client_id=<Application (client) ID>&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F
b. Assign Azure RABC role Contributor to the sp
Create VM
a. Log into both tenants using the application ID, secret and tenant ID.
$applicationId = '<App ID>'
$secret = <Secret> | ConvertTo-SecureString -AsPlainText -Force
$tenant1 = "<Tenant 1 ID>"
$tenant2 = "<Tenant 2 ID>"
$cred = New-Object -TypeName PSCredential -ArgumentList $applicationId, $secret
Clear-AzContext
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenant1
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenant2
b. Create VM
$resourceGroup = ""
$location = ""
$vmName = ""
# Set a variable for the image version in Tenant 1 using the full image ID of the shared image version
$image = "/subscriptions/<Tenant 1 subscription>/resourceGroups/<Resource group>/providers/Microsoft.Compute/galleries/<Gallery>/images/<Image definition>/versions/<version>"
# Create user object
$cred = Get-Credential -Message "Enter a username and password for the virtual machine."
# Create a resource group
New-AzResourceGroup -Name $resourceGroup -Location $location
# Networking pieces
$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name mySubnet -AddressPrefix 192.168.1.0/24
$vnet = New-AzVirtualNetwork -ResourceGroupName $resourceGroup -Location $location `
-Name MYvNET -AddressPrefix 192.168.0.0/16 -Subnet $subnetConfig
$pip = New-AzPublicIpAddress -ResourceGroupName $resourceGroup -Location $location `
-Name "mypublicdns$(Get-Random)" -AllocationMethod Static -IdleTimeoutInMinutes 4
$nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name myNetworkSecurityGroupRuleRDP -Protocol Tcp `
-Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange 3389 -Access Allow
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $location `
-Name myNetworkSecurityGroup -SecurityRules $nsgRuleRDP
$nic = New-AzNetworkInterface -Name myNic -ResourceGroupName $resourceGroup -Location $location `
-SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id
# Create a virtual machine configuration using the $image variable to specify the shared image
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize Standard_D1_v2 | `
Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | `
Set-AzVMSourceImage -Id $image | `
Add-AzVMNetworkInterface -Id $nic.Id
# Create a virtual machine
New-AzVM -ResourceGroupName $resourceGroup -Location $location -VM $vmConfig
In Azure Key Vault policies I wanted to add ADF.
Given below is the command(executed from pipeline). But after creation it is showing as 'compound identity' with an 'on behalf of' text and it is not working. When I manually add ADF to policies it shows as 'application' and it works. How can I make the powershell create 'Application' identity?
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -PermissionsToSecrets get -ApplicationId $appId -ObjectId $objectId
Full script
$rgName='myRG'
$storageAccountName='MyStorage'
$secretName='myKey'
$keyVaultName='myKv'
$adfName='myADF'
Write-Host "Adding data lake storage Key to key vault"
$storageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $rgName -Name $storageAccountName).Value[0]
$secretVal = ConvertTo-SecureString -String $storageAccountKey -AsPlainText -Force
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -PermissionsToSecrets get -ApplicationId $appId -ObjectId $objectId
Write-Host "completed adding key"
Write-Host "Adding access policy to key vault"
$objectId=(Get-AzureRmDataFactoryV2 -ResourceGroupName $rgName -Name $adfName).Identity.PrincipalId
$appId = (Get-AzureRmADServicePrincipal -ObjectId $objectId).ApplicationId
Wrong command was given. Given below is the correct. Explained in 'Example 2: Grant permissions for an application service principal to read and write secrets'
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $appId -PermissionsToSecrets Get
As part of Powershell script I am provisioning FunctionApp and KeyVault. Script also enables the MSI on function app. I need to add access policy on keyvault for the functionApp. How can I add this access policy? I could not find an example to do this on MSDN.
New-AzResource -ResourceType 'Microsoft.Web/Sites' -ResourceName $FuncAppName -Kind 'functionapp' -Location $defaultRegion -ResourceGroupName $defaultRG -Properties #{ } -Force
set-AzWebApp -ResourceGroupName $defaultRG -AssignIdentity $true -Name $FuncAppName -HttpsOnly $true | Out-Null
$KeyVault = New-AzKeyVault -Name $KeyVaultName -ResourceGroupName $defaultRG -Location $defaultRegion
Set-AzKeyVaultAccessPolicy -VaultName $KeyVault.VaultName -UserPrincipalName $settingsServiceAccountName -PermissionsToSecrets set, get -PassThru | Out-Null
I am able to add a user principle but am not aware how to add a function app.
You could use the -ObjectId parameter, it is the object id of your MSI.
Set-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets Get,Set
To get the object id of the MSI, use the command as below. Make sure you have
already enabled the MSI.
$objectid = (Get-AzWebApp -ResourceGroupName <ResourceGroupName> -Name <functionname>).Identity.PrincipalId
I am trying to crete a "secret value" using Azure Key Vault. I am following a tutorial from Microsoft located here ... https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/
I was able to create a Key Vault using ...
New-AzureRmKeyVault -VaultName 'MyKeyVaultName' -ResourceGroupName 'MyResourceGroup' -Location 'West US'
I can also verify it was created by using ...
Get-AzureRmKeyVault
I am able to create the secret value by using the following ...
$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
However when I try to set the key ...
$secret = Set-AzureKeyVaultSecret -VaultName 'MyKeyVaultName' -Name 'SQLPassword' -SecretValue $secretvalue
I get an error that says
Set-AzureKeyVaultSecret : Operation "set" is not allowed
I thought that I had gained all access to the Key Vault by creating it? Do I need to add specific permissions?
Here is a screen capture of the error from powershell
Likely a permissions issue. Try the following:
Set-AzureRmKeyVaultAccessPolicy –VaultName ‘{your vault name}’ –UserPrincipalName ‘{your account email}’ –PermissionsToKeys all –PermissionsToSecrets all
The problem you are having is that you are not creating a key to attach a secret to, You need to call Add-AzureKeyVaultKey to create that key. Like this...
$vault = Get-AzureRmKeyVault
$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' `
-AsPlainText -Force
$key = Add-AzureKeyVaultKey -VaultName $vault.VaultName `
-Name Test01 `
-Destination Software
(Get-AzureKeyVaultSecret -VaultName $vault.VaultName `
-Name test01).SecretValueText
which returns
Pa$$w0rd