I am trying to crete a "secret value" using Azure Key Vault. I am following a tutorial from Microsoft located here ... https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/
I was able to create a Key Vault using ...
New-AzureRmKeyVault -VaultName 'MyKeyVaultName' -ResourceGroupName 'MyResourceGroup' -Location 'West US'
I can also verify it was created by using ...
Get-AzureRmKeyVault
I am able to create the secret value by using the following ...
$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
However when I try to set the key ...
$secret = Set-AzureKeyVaultSecret -VaultName 'MyKeyVaultName' -Name 'SQLPassword' -SecretValue $secretvalue
I get an error that says
Set-AzureKeyVaultSecret : Operation "set" is not allowed
I thought that I had gained all access to the Key Vault by creating it? Do I need to add specific permissions?
Here is a screen capture of the error from powershell
Likely a permissions issue. Try the following:
Set-AzureRmKeyVaultAccessPolicy –VaultName ‘{your vault name}’ –UserPrincipalName ‘{your account email}’ –PermissionsToKeys all –PermissionsToSecrets all
The problem you are having is that you are not creating a key to attach a secret to, You need to call Add-AzureKeyVaultKey to create that key. Like this...
$vault = Get-AzureRmKeyVault
$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' `
-AsPlainText -Force
$key = Add-AzureKeyVaultKey -VaultName $vault.VaultName `
-Name Test01 `
-Destination Software
(Get-AzureKeyVaultSecret -VaultName $vault.VaultName `
-Name test01).SecretValueText
which returns
Pa$$w0rd
Related
I'm following an educative course, where i need to put the webhook in the Azure Key Vault.
When i run below on powershell
New-AzKeyVault -Name "dev-avm-kvz" -ResourceGroupName "shared-rg" -Location "westeurope"
Set-AzKeyVaultAccessPolicy -VaultName "dev-avm-kvz" -UserPrincipalName "sxndgmail.onmicrosoft.com" -PermissionsToSecrets get,set,delete
$secretvalue = ConvertTo-SecureString "https://8xe2c-bd3dc2a.webhook.we.azure-automation.net/webhooks?token=i%2bcs1ZY" -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName "dev-avm-kvz" -Name "db-new-vm-webhook" -SecretValue $secretvalue
The first line succeeds with a new vault created.
But the Set-AzKeyVaultAccessPolicy errors out as below -
here's the educative instructions im referring to ->
From their commands, i have changed principal name, vault name a little and my webhook URI
I have reproduced in my environment, and I got expected results as below and I followed Microsoft-Document:
Firstly, I have created a key Vault using the below PowerShell commands:
$ResourceGroupName ="XX"
$Location="North Europe"
$KeyVaultName="siliconvault"
New-AzKeyVault -Name $KeyVaultName -ResourceGroupName $ResourceGroupName `
-Location $Location -SoftDeleteRetentionInDays 7
Then, I have assigned access policy to the UPN and followed Microsoft-Document:
Set-AzKeyVaultAccessPolicy -VaultName siliconvault -UserPrincipalName 'XXk_outesaioutlook.onmicrosoft.com `
-PermissionsToSecrets Get,Set,List
You can find the UPN of the user by visiting > Azure Active Directory in your Azure Portal > Left Pane > Users > Click on the desired User and Copy the UPN.
Then i have used below commands to add secrets of web uri:
$SecretVault=ConvertTo-SecureString "https://a.webhook.we.azure-automation.net/webhooks?token=i%2" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName siliconvault -Name "webhookuri" -SecretValue $SecretVault
Outputs:
Access Policy is assigned to the UPN successfully as below:
Then you can see the secret is added as below:
Inside the secret your secret value is stored.
I need help on this scenario. we have a cert in azure key vault which needs to be download to a windows VM for our .net application to run on iis. I am able to upload the cert to Azure keyvault with out issues. I am running a azure devops powershell tasks inline powershell script.
it will connect to azure using conenct-azaccount with appropriate login creds.enter code here
we run invoke-azvmssruncommand and specific the script path and variable which needs to be passed as parameters.
in the PowerShell script we have script to get the cert from azure keyvualt once its connected to azure vm
below is the error
error: an error occurred while sending request. need your thoughts on it.
Invoke-AzVmssVMRunCommand -VMScaleSetName dev-CTUS -ResourceGroupName RG -InstanceId $instanceid -CommandId 'RunPowerShellScript'-ScriptPath "path"\downloadcertfromkeyvault.ps1" -Parameter #{"vaultname"= "keyvault name";"certname"="app-DEV";"password"= "jdksjkdjalksd";"said"="";"sapuserid"; password"="password";"devSubscriptionId"="ZXXXXXXXXXX"} -Debug
this is the command which i used in azure devops powershell inline script .
inside powershell script
$SecurePassword = "$sapassword" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $said, $SecurePassword
Connect-AzAccount -Credential $Credential -Tenant "XXXXXXXXXXXX-a68c-41e5-XXXXXXXX"
Write-log "setting subscription to retrive certs"
Set-AzContext $devSubscriptionId
$password = "$password"
$password = ConvertTo-SecureString -String "$password" -AsPlainText -Force
$cert = Get-AzKeyVaultCertificate -VaultName $vaultname -Name $certname
$secret = Get-AzKeyVaultSecret -VaultName $vaultname -Name $cert.Name
$pfxpath = [System.Environment]::GetFolderPath("Desktop")
$secretByte = [Convert]::FromBase64String($secret.SecretValueText)
$x509Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($secretByte, "", "Exportable,PersistKeySet")
$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
$pfxFileByte = $x509Cert.Export($type, $password)
# Write to a file
[System.IO.File]::WriteAllBytes("$pfxpath\$certname.pfx", $pfxFileByte)
$certificate= Get-ChildItem -path cert:\LocalMachine\My` `
Write-Log $certificate
While trying to give access policy (Azure key vault) to my Azure data factory through PowerShell, I am getting error below:
Set-AzKeyVaultAccessPolicy : Operation returned an invalid status code
'BadRequest' At line:64 char:1
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipal ...
+ CategoryInfo : CloseError: (:) [Set-AzKeyVaultAccessPolicy], Gr aphErrorException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVau ltAccessPolicy
Any help would be really appreciated. Thanks in advance.
This is the script I am trying to execute:
## select subcription
$subcription='Visual Studio Enterprise – MPN'
Select-AzSubscription $subcription
## create a new resource group
$resourcegroupname=”gho-rg-dev”
$location="eastus"
$rg=New-AzResourceGroup `
-Name $resourcegroupname `
-Location $location
## create the storage account
$storageAccountName = "ghostoragelab"
$skuName = "Standard_LRS"
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourcegroupname `
-Name $storageAccountName `
-Location $location `
-SkuName $skuName
$storageaccountkey=(Get-AzStorageAccountkey -ResourceGroupName $resourcegroupname -Name $storageAccount.StorageAccountName).Value[0]
##create azure data factory
$datafactoryname='lab-factory-dev'
$df= New-AzDataFactoryV2 `
-ResourceGroupName $resourcegroupname -Name $datafactoryname -Location $location
## creating the azure key vault
$keyvaultname="labkeydev"
$keyvault=New-AzKeyVault -ResourceGroupName $resourcegroupname -Name $keyvaultname `
-Location $location
# creating the secret key in keyvault
Set-AzKeyVaultSecret -VaultName $keyvaultname -Name "secret-access-key"`
-SecretValue(ConvertTo-SecureString -String $storageaccountkey -AsPlainText -Force)
#Give access policy to the datafactory thorugh keyvault
*## this is where script is failing*
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipalName $df.DataFactoryId -PermissionsToSecrets Get
I suppose you want to add the MSI (Managed Service Identity) of the Data Factory to the Access policies of your keyvault.
You got the error because you used the -ServicePrincipalName $df.DataFactoryId in this
command Set-AzKeyVaultAccessPolicy, the $df.DataFactoryId is the resource id of the data factory, what you need is the Application ID(Client ID) of the MSI.
So if you want to use -ServicePrincipalName parameter, your command should be:
$appId = (Get-AzADServicePrincipal -ObjectId $df.Identity.PrincipalId).ApplicationId
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ServicePrincipalName $appId -PermissionsToSecrets get
The command above needs the permission to get service principal in your Azure AD. If you don't have this permission, you could use the command (I recommend you to use this one):
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $df.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
If your data factory has already been created, you could use Get-AzDataFactoryV2 to get it, then add it to the access policies.
$datafactory = Get-AzDataFactoryV2 -ResourceGroupName <group name> -Name <factory name>
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $datafactory.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
In Azure Key Vault policies I wanted to add ADF.
Given below is the command(executed from pipeline). But after creation it is showing as 'compound identity' with an 'on behalf of' text and it is not working. When I manually add ADF to policies it shows as 'application' and it works. How can I make the powershell create 'Application' identity?
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -PermissionsToSecrets get -ApplicationId $appId -ObjectId $objectId
Full script
$rgName='myRG'
$storageAccountName='MyStorage'
$secretName='myKey'
$keyVaultName='myKv'
$adfName='myADF'
Write-Host "Adding data lake storage Key to key vault"
$storageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $rgName -Name $storageAccountName).Value[0]
$secretVal = ConvertTo-SecureString -String $storageAccountKey -AsPlainText -Force
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -PermissionsToSecrets get -ApplicationId $appId -ObjectId $objectId
Write-Host "completed adding key"
Write-Host "Adding access policy to key vault"
$objectId=(Get-AzureRmDataFactoryV2 -ResourceGroupName $rgName -Name $adfName).Identity.PrincipalId
$appId = (Get-AzureRmADServicePrincipal -ObjectId $objectId).ApplicationId
Wrong command was given. Given below is the correct. Explained in 'Example 2: Grant permissions for an application service principal to read and write secrets'
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $appId -PermissionsToSecrets Get
As part of Powershell script I am provisioning FunctionApp and KeyVault. Script also enables the MSI on function app. I need to add access policy on keyvault for the functionApp. How can I add this access policy? I could not find an example to do this on MSDN.
New-AzResource -ResourceType 'Microsoft.Web/Sites' -ResourceName $FuncAppName -Kind 'functionapp' -Location $defaultRegion -ResourceGroupName $defaultRG -Properties #{ } -Force
set-AzWebApp -ResourceGroupName $defaultRG -AssignIdentity $true -Name $FuncAppName -HttpsOnly $true | Out-Null
$KeyVault = New-AzKeyVault -Name $KeyVaultName -ResourceGroupName $defaultRG -Location $defaultRegion
Set-AzKeyVaultAccessPolicy -VaultName $KeyVault.VaultName -UserPrincipalName $settingsServiceAccountName -PermissionsToSecrets set, get -PassThru | Out-Null
I am able to add a user principle but am not aware how to add a function app.
You could use the -ObjectId parameter, it is the object id of your MSI.
Set-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets Get,Set
To get the object id of the MSI, use the command as below. Make sure you have
already enabled the MSI.
$objectid = (Get-AzWebApp -ResourceGroupName <ResourceGroupName> -Name <functionname>).Identity.PrincipalId