Azure Keyvault 'unknown' access policy - azure

I added two accounts through powershell from devops yaml pipeline:
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $obj1 -PermissionsToSecrets Set,Get -BypassObjectIdValidation
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $obj2 -PermissionsToSecrets Set,Get -BypassObjectIdValidation
$obj1 = ADF
$obj2 = Pipeline Application identity
Obj1 (ADF) came in the 'Application' section of the access policy of Key Vault,
but Obj2 came in the 'Unknown' section. Why?
Once, Obj2 also came in the 'Compound Identity' section; not sure why.

If you are adding an Access Policy to Key Vault for an AAD application/service principal, make sure to use the ObjectId of the service principal, which is a different ObjectId than that of the application. You can use Get-AzADServicePrincipal to retrieve the service principal and find its ObjectId.
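As an added example (not code from the original answer), the same two grants done by resolving each identity to its service principal object id first, without -BypassObjectIdValidation, and then reading the policies back to confirm every entry resolves. The vault name, data factory name and client id are assumed placeholders; it assumes Az.KeyVault and Az.Resources with a signed-in context.

```powershell
# Added example, not from the original answer: resolve each identity to its service
# principal object id before granting the policy, so the entry shows under 'Application'
# instead of 'Unknown'. Vault name, factory name and client id are assumed placeholders.
$keyVaultName  = "<key-vault-name>"
$adfName       = "<data-factory-name>"       # ADF system-assigned managed identity
$pipelineAppId = "<pipeline-app-client-id>"  # application (client) id, not the app registration's object id

# Both a managed identity and an app registration appear as a service principal; its .Id is
# the ObjectId that Key Vault expects (the app registration's own object id is a different GUID).
$adfSp      = Get-AzADServicePrincipal -DisplayName   $adfName
$pipelineSp = Get-AzADServicePrincipal -ApplicationId $pipelineAppId

foreach ($sp in @($adfSp, $pipelineSp)) {
    if (-not $sp) { throw "Service principal not found; check the display name / client id." }
    # No -BypassObjectIdValidation, so the cmdlet rejects an id that does not exist in the tenant.
    # Pass only -ObjectId; an entry that also carries an application id is what the portal
    # lists as a 'Compound Identity'.
    Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $sp.Id -PermissionsToSecrets Get,Set
}

# Read the policies back and confirm every ObjectId resolves to a real service principal.
foreach ($policy in (Get-AzKeyVault -VaultName $keyVaultName).AccessPolicies) {
    $resolved = Get-AzADServicePrincipal -ObjectId $policy.ObjectId -ErrorAction SilentlyContinue
    $label    = if ($resolved) { $resolved.DisplayName } else { "not a service principal (user, group or stale id)" }
    [pscustomobject]@{
        ObjectId    = $policy.ObjectId
        DisplayName = $label
        Secrets     = ($policy.PermissionsToSecrets -join ',')
    }
}
```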

Related

azure App registration using powershell does not create a service principal

When we create an Azure AD app registration from the Azure portal, the service principal is automatically created and given a Contributor role. How do we achieve the same using PowerShell?
I tried running the following command; the app is created, but no service principal is created, and there are no parameters for configuring a service principal.
New-AzADApplication -DisplayName "NewApplication" -HomePage "http://www.microsoft.com" -IdentifierUris "http://NewApplication"
What I am looking for is to create the following using PowerShell. Is this possible?
AzureADAppregistration + ServicePrincipal
Create and get the client secret
Thanks
Try this:
#set your secret here.
$secretTextValue = "abcdefg1234567890"
$secret = ConvertTo-SecureString -String $secretTextValue -AsPlainText
$app = New-AzADApplication -DisplayName "NewApplication" -HomePage "http://www.microsoft.com" -IdentifierUris "http://NewApplication"
New-AzADAppCredential -ObjectId $app.ObjectId -Password $secret -EndDate (Get-Date).AddMonths(6)
#azure will assign contributor role of current subscription to this SP
New-AzADServicePrincipal -ApplicationId $app.ApplicationId

Adding key vault access permissions while preserving existing ones

I have an Azure PowerShell task in my pipeline, in which I need to import a certificate to a key vault. Before doing that, I need to assign Import certificate permission to the current service principal. However, this service principal might already have existing certificate permissions (e.g. Get, List) from other tasks in this or other pipelines. If I use Set-AzKeyVaultAccessPolicy, it will remove these other permissions. Is there a way of preserving these permissions, and just adding some new ones?
$spId = (Get-AzContext).Account.Id;
Set-AzKeyVaultAccessPolicy -VaultName $kv -ServicePrincipalName $spId -PermissionsToCertificates Import
Import-AzKeyVaultCertificate -VaultName $kv …
There is no direct way to add the new permission; your option is to get the old permissions as a list, add the new permission to it, then set all the permissions again.
This sample works for me:
$spId = (Get-AzContext).Account.Id
$objectid = (Get-AzADServicePrincipal -ApplicationId $spId).Id
$kv = Get-AzKeyVault -ResourceGroupName <group-name> -VaultName joykeyvault
$cerpermission = ($kv.AccessPolicies | Where-Object {$_.ObjectId -eq $objectid}).PermissionsToCertificates
$cerpermission += "Import"
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $objectid -BypassObjectIdValidation -PermissionsToCertificates $cerpermission
Note: The parameters in the last line are important. If the service principal used in your DevOps service connection does not have permission to list service principals in your AAD tenant, use -ObjectId $objectid -BypassObjectIdValidation instead of -ServicePrincipalName $spId; otherwise you will get an error.
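An added helper (not the answer's code) that generalises the sample above: it merges requested permissions into the identity's existing keys, secrets and certificate permissions in one call, handles an identity that has no policy yet, and drops duplicates. The vault name is a placeholder; it assumes Az.KeyVault and Az.Resources with a signed-in context.

```powershell
# Added helper, not from the original answer: merge new permissions into an identity's
# existing Key Vault access policy instead of replacing it. Vault name is a placeholder;
# assumes Az.KeyVault and Az.Resources with a signed-in context.
function Add-KeyVaultAccessPermissions {
    param(
        [Parameter(Mandatory)] [string]   $VaultName,
        [Parameter(Mandatory)] [string]   $ObjectId,
        [string[]] $Keys         = @(),
        [string[]] $Secrets      = @(),
        [string[]] $Certificates = @()
    )
    $existing = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
                Where-Object { $_.ObjectId -eq $ObjectId }

    # Union of current and requested permissions: case-insensitive, duplicates dropped,
    # and safe when the identity has no policy yet ($existing is $null).
    function Merge-Perms([string[]] $Current, [string[]] $New) {
        @(@($Current) + @($New) | Where-Object { $_ } | Sort-Object -Unique)
    }
    $keyPerms  = Merge-Perms $(if ($existing) { $existing.PermissionsToKeys })         $Keys
    $secPerms  = Merge-Perms $(if ($existing) { $existing.PermissionsToSecrets })      $Secrets
    $certPerms = Merge-Perms $(if ($existing) { $existing.PermissionsToCertificates }) $Certificates

    # Write all three categories in one call so the ones we did not touch survive unchanged.
    # -BypassObjectIdValidation lets a pipeline principal without directory read rights succeed.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $ObjectId -BypassObjectIdValidation `
        -PermissionsToKeys $keyPerms -PermissionsToSecrets $secPerms -PermissionsToCertificates $certPerms

    [pscustomobject]@{ Keys = $keyPerms; Secrets = $secPerms; Certificates = $certPerms }
}

# Pipeline usage: grant only 'Import' on certificates to the service connection's principal.
$spAppId    = (Get-AzContext).Account.Id
$spObjectId = (Get-AzADServicePrincipal -ApplicationId $spAppId).Id
Add-KeyVaultAccessPermissions -VaultName "<vault-name>" -ObjectId $spObjectId -Certificates Import
```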

Can't add Microsoft.Azure.Cdn service principal to Key Vault access policies

I cannot add Microsoft.Azure.Cdn service principal to Key Vault access policies.
I have run the following command in PowerShell.
New-AzureRmADServicePrincipal -ApplicationId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx"
I got the following result.
Secret: System.Security.SecureString
ServicePrincipalNames : {xxxxxx-xxxx-xxxx-xxxx-xxxxxxx,
https://microsoft.onmicrosoft.com/yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyy}
ApplicationId: xxxxxx-xxxx-xxxx-xxxx-xxxxxxx
DisplayName: Microsoft.Azure.Cdn
Id: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzz
AdfsId:
Type: ServicePrincipal
Then I went to the Access Policies of the Key Vault to add the principal there but I can't find it in the list.
Update
When I try to add it I get this result.
But when I do the following that was suggested in a comment:
"First, navigate to the Azure Active Directory in the portal -> Enterprise applications -> filter with All applications -> search for the ApplicationId in your result, make sure the service principal is existing."
Then I get no result.
First, navigate to the Azure Active Directory in the portal -> Enterprise applications -> filter with All applications -> search for the ApplicationId in your result, make sure the service principal is existing.
In the Add access policy page, search for the Id in your result (i.e. the Object ID of the SP); it should work.
Or you could use Set-AzureRmKeyVaultAccessPolicy to add a service principal to the access policy, the -ObjectId is the Id in your result.
Sample:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets Get,Set
Update:
Follow the steps as below.
Navigate to your keyvault in the portal -> copy the Directory ID and Subscription ID.
Login with Connect-AzureRmAccount -TenantId "<Directory ID>" -Subscription "<Subscription ID>", use the two properties above.
If you already logged in, just use Set-AzureRmContext -Tenant "<Directory ID>" -SubscriptionId "<Subscription ID>".
Then use New-AzureRmADServicePrincipal -ApplicationId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx" to create the service principal. When you have created it successfully, navigate to the access policies in your key vault and try to add it again.
Another way to solve this problem is by using the Azure CLI.
First, check that you are working with the right subscription by following the steps below:
Login to Azure
az login
Get a list of your subscriptions
az account list --output table
Set a subscription from the list to be the current active one
az account set --subscription "<SUBSCRIPTION_NAME>"
Now copy the Service Principal ID shown in the blue box when you enable the "Custom Domain HTTPS" option
Create the Service Principal using that id
az ad sp create --id "d4631ece-daab-479b-be77-ccb713491fc0"
Go to your "KeyVault/Access Policies" and Add a new Access Policy
Grant "Get" and "List" permissions for the "Secret" and Select the Principal recently created
Do not forget to save your changes
You are done! You can now enable your "Custom Domain HTTPS" option and use your KeyVault.

Authenticate to Azure Keyvault using Certificate and get secret

I am looking for an example of using a certificate to authenticate to the keyvault, and then get a secret -- all in PowerShell (already have operational C#).
Have an app in AD for accessing Keyvault.
First, make sure your AD App (service principal) has the correct permissions in your key vault -> Access policies; in your case, it should be the Get and List secret permissions.
Then get values for signing in and try the command as below.
Connect-AzAccount -CertificateThumbprint "<certificate Thumbprint>" -ApplicationId "<AD App applicationid(clientid)>" -Tenant "<tenant id>" -ServicePrincipal
Get-AzKeyVaultSecret -VaultName "<keyvault name>" -Name "<secret name>" -Version "<secret version>" | ConvertTo-Json

Azure Key Vault Access Policy Doesn't Work For Groups

Access policies via groups on Azure Key Vault don't seem to work.
If I create a new key vault
New-AzureRmKeyVault -VaultName $vaultName
And check the keys (which there aren't any of currently)
Get-AzureKeyVaultKey -VaultName $vaultName
That works.
If I add access to a group that the current user is a member of
$group = (Get-AzureRmADGroup -SearchString 'All Developers')[0].Id
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -ObjectId $group -PermissionsToKeys all -PermissionsToSecrets all
And remove direct access
Remove-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -UserPrincipalName $upn
The list operation now fails
Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName
Get-AzureKeyVaultKey : Operation "list" is not allowed
How can I permission by group?
I discovered today that it works for users in permissioned group objects. Doesn't work for service principals in those groups.
In other words, if I authenticate using a client id and client secret, the associated service principal must have an access policy directly set on the key vault. If I permission a security group, a user in that group can in fact access the key vault. I guess this has something to do with how the JWT includes security groups in it with users, but not service principals...
The reason that adding an access policy to a group doesn't work is that it isn't supported. If you look at the help for Set-AzureRmKeyVaultAccessPolicy, there is this for ObjectId:
-ObjectId <Guid>
Specifies the object ID of the user or service principal in Azure Active Directory for which to grant permissions.
Required? true
Position? named
Default value none
Accept pipeline input? true(ByPropertyName)
Accept wildcard characters? false
As you can see ObjectId only supports either Service principals or users.
This is reflected in the parameters of the source code for Set-AzureRmKeyVaultAccessPolicy and further up the chain the REST API when posting to
https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{vault-name}?api-version={api-version}
The payload contains the objectId parameter which is defined as
Specifies the object ID of a user or service principal in the Azure Active Directory tenant for the vault. The ID must be specified as a GUID.
I would imagine that this functionality will be added at some point in future, but at the moment it isn't possible.
This Access Denied / 403 Forbidden error can also happen when an app has made requests to a Key Vault before it was added to the Azure Active Directory Group.
Perhaps this has something to do with caching of service principal information on the App Service instance? I was unable to find documentation of this.
Solution: restart the App Service.
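An added audit script, not from any of the answers above: it lists a vault's access policies, resolves each ObjectId to a user, service principal or group, and flags service principals that are members of a permissioned group but have no direct policy, which is the case the answers describe as not working. It assumes Az.KeyVault and Az.Resources with directory read rights, expands only direct group members, and uses a placeholder vault name.

```powershell
# Added audit script, not from the answers above: list a vault's access policies, resolve each
# ObjectId to a user / service principal / group, and flag service principals that are members
# of a permissioned group but have no direct policy (the case reported as not working).
# Assumes Az.KeyVault and Az.Resources with directory read rights; vault name is a placeholder.
function Get-KeyVaultPolicyAudit {
    param([Parameter(Mandatory)] [string] $VaultName)

    $policies  = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies
    $directIds = @($policies | ForEach-Object { $_.ObjectId })

    foreach ($p in $policies) {
        $id = $p.ObjectId
        # Resolve against the directory; an id matching nothing is 'Unknown' (stale or mistyped).
        if     ($o = Get-AzADUser             -ObjectId $id -ErrorAction SilentlyContinue) { $kind = 'User';             $name = $o.UserPrincipalName }
        elseif ($o = Get-AzADServicePrincipal -ObjectId $id -ErrorAction SilentlyContinue) { $kind = 'ServicePrincipal'; $name = $o.DisplayName }
        elseif ($o = Get-AzADGroup            -ObjectId $id -ErrorAction SilentlyContinue) { $kind = 'Group';            $name = $o.DisplayName }
        else                                                                                 { $kind = 'Unknown';          $name = $null }

        $note = if ($kind -eq 'Unknown') { 'no matching directory object; remove or fix this entry' } else { '' }
        [pscustomobject]@{
            Kind = $kind; Name = $name; ObjectId = $id
            Keys = ($p.PermissionsToKeys -join ','); Secrets = ($p.PermissionsToSecrets -join ','); Note = $note
        }

        if ($kind -eq 'Group') {
            # Only direct members are expanded here; nested groups would need recursion.
            foreach ($m in Get-AzADGroupMember -GroupObjectId $id) {
                $sp = Get-AzADServicePrincipal -ObjectId $m.Id -ErrorAction SilentlyContinue
                if ($sp -and ($directIds -notcontains $m.Id)) {
                    [pscustomobject]@{
                        Kind = 'ServicePrincipal (via group)'; Name = $sp.DisplayName; ObjectId = $m.Id
                        Keys = ''; Secrets = ''; Note = "member of '$name' only; will be denied, needs its own policy"
                    }
                }
            }
        }
    }
}

Get-KeyVaultPolicyAudit -VaultName "<vault-name>" | Format-Table -AutoSize
```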
