Access policies via groups on Azure Key Vault don't seem to work.
If I create a new key vault
New-AzureRmKeyVault -VaultName $vaultName
And check the keys (of which there are none yet)
Get-AzureKeyVaultKey -VaultName $vaultName
That works.
If I add access to a group that the current user is a member of
$group = (Get-AzureRmADGroup -SearchString 'All Developers')[0].Id
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -ObjectId $group -PermissionsToKeys all -PermissionsToSecrets all
And remove direct access
Remove-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -UserPrincipalName $upn
The list operation now fails
Get-AzureKeyVaultKey -VaultName $vaultName
Get-AzureKeyVaultKey : Operation "list" is not allowed
How can I permission by group?
I discovered today that it works for users in permissioned group objects. Doesn't work for service principals in those groups.
In other words, if I authenticate using a client id and client secret, the associated service principal must have an access policy directly set on the key vault. If I permission a security group, a user in that group can in fact access the key vault. I guess this has something to do with how the JWT includes security groups in it with users, but not service principals...
The reason that adding an access policy to a group doesn't work is that it isn't supported. If you look at the help for Set-AzureRmKeyVaultAccessPolicy there is this for ObjectId
-ObjectId <Guid>
Specifies the object ID of the user or service principal in Azure Active Directory for which to grant permissions.
Required? true
Position? named
Default value none
Accept pipeline input? true(ByPropertyName)
Accept wildcard characters? false
As you can see ObjectId only supports either Service principals or users.
This is reflected in the parameters of the source code for Set-AzureRmKeyVaultAccessPolicy and further up the chain the REST API when posting to
https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{vault-name}?api-version={api-version}
The payload contains the objectId parameter which is defined as
Specifies the object ID of a user or service principal in the Azure Active Directory tenant for the vault. The ID must be specified as a GUID.
I would imagine that this functionality will be added at some point in future, but at the moment it isn't possible.
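The two answers above say the same thing from different angles: a group entry in an access policy only helps interactive users, and a service principal needs its own ObjectId entry. The script below is an added example, not code from either answer; it lists a vault's access policies and resolves each ObjectId to a user, group or service principal so that group-based entries (and stale, unresolvable ones) stand out during a review. It assumes the current Az module (Az.KeyVault and Az.Resources) and an existing Connect-AzAccount session; $VaultName is a placeholder.

```powershell
# Added example (not from the thread): audit a vault's access policies and
# resolve each ObjectId so group-based entries are visible. Per the thread, a
# group entry only helps users who are members; a service principal that
# authenticates with a client id/secret still needs its own entry.
# Assumes Az.KeyVault + Az.Resources and an existing Connect-AzAccount session.
param(
    [Parameter(Mandatory = $true)][string]$VaultName   # placeholder
)

function Resolve-AadObject {
    # Try user, then group, then service principal; return a type label and name.
    param([string]$ObjectId)
    $u = Get-AzADUser -ObjectId $ObjectId -ErrorAction SilentlyContinue
    if ($u) { return [pscustomobject]@{ Type = 'User'; Name = $u.DisplayName } }
    $g = Get-AzADGroup -ObjectId $ObjectId -ErrorAction SilentlyContinue
    if ($g) { return [pscustomobject]@{ Type = 'Group'; Name = $g.DisplayName } }
    $sp = Get-AzADServicePrincipal -ObjectId $ObjectId -ErrorAction SilentlyContinue
    if ($sp) { return [pscustomobject]@{ Type = 'ServicePrincipal'; Name = $sp.DisplayName } }
    return [pscustomobject]@{ Type = 'Unknown'; Name = $null }
}

$vault  = Get-AzKeyVault -VaultName $VaultName
$report = foreach ($policy in $vault.AccessPolicies) {
    $who = Resolve-AadObject -ObjectId $policy.ObjectId
    [pscustomobject]@{
        ObjectId     = $policy.ObjectId
        Type         = $who.Type
        Name         = $who.Name
        Keys         = ($policy.PermissionsToKeys -join ',')
        Secrets      = ($policy.PermissionsToSecrets -join ',')
        Certificates = ($policy.PermissionsToCertificates -join ',')
    }
}

$report | Format-Table -AutoSize

# Group entries deserve a callout: service principals that are members of these
# groups will still be denied unless they have a direct policy of their own.
foreach ($g in ($report | Where-Object Type -eq 'Group')) {
    Write-Warning "Policy for group '$($g.Name)' does not cover service principals in that group; grant them directly."
}
# 'Unknown' entries usually belong to deleted principals and can be removed
# with Remove-AzKeyVaultAccessPolicy -ObjectId <id>.
foreach ($x in ($report | Where-Object Type -eq 'Unknown')) {
    Write-Warning "Policy for $($x.ObjectId) does not resolve to a directory object; consider removing it."
}
```

Run it against a vault where the group experiment above was done and the 'All Developers' entry shows up with Type = Group, which explains why a client-secret login still gets "Operation list is not allowed" even though the principal is a group member.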
This Access Denied / 403 Forbidden error can also happen when an app has made requests to a Key Vault before it was added to the Azure Active Directory Group.
Perhaps this has something to do with caching of service principal information on the App Service instance? I was unable to find documentation of this.
Solution: restart the App Service.
Using PowerShell commands I want to reset the Service Principal client secret.
I followed the steps below from the article https://learn.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-5.8.0
but it did not reset the password.
Remove-AzADSpCredential -DisplayName ServicePrincipalName
$newCredential = New-AzADSpCredential -ServicePrincipalName ServicePrincipalName
Can you tell me what I am doing wrong? I just want to reset the secret and have a new one.
I executed the above command and then I went to the app registration of that service principal and there I went to certificates & secrets; I see it has not created a new secret.
Using bash I am able to reset the password by executing the command below, but I want it to be done using a PowerShell command.
az ad sp credential reset --name
I went to the app registration of that service principal and there I went to certificates & secrets I see it has not created new secret.
Well, actually the command New-AzADSpCredential did create a new secret for you.
Firstly, you need to know the relationship between App Registration(AD App) and Service principal, see Application and service principal objects in Azure Active Directory.
In short, the service principal is the local representation for the AD App in a specific tenant. When you create the secret for the service principal, it will not appear in the Certificates & secrets blade, you can just get it with Get-AzADSpCredential.
If you want to reset the secret that you can find in the portal, you need to reset the secret for the AD App (i.e. App Registration) via Remove-AzADAppCredential and New-AzADAppCredential.
You could refer to the sample below; it resets the secret to the value ce96a0ed-5ae8-4a5a-9b3c-630da9ea3023, valid for one year, and you can find it in the portal.
$obj = (Get-AzADApplication -DisplayName joyappv2).ObjectId
Remove-AzADAppCredential -ObjectId $obj -Force
$azurePassword = ConvertTo-SecureString "ce96a0ed-5ae8-4a5a-9b3c-630da9ea3023" -AsPlainText -Force
$date = Get-Date
$newCredential = New-AzADAppCredential -ObjectId $obj -Password $azurePassword -StartDate $date -EndDate $date.AddYears(1)
Note: You could not get the secret value again after creating it, so please store it when creating.
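Because the value cannot be read back after creation, a rotation script has to generate the secret and hand it to its consumer in the same run. The script below is an added example, not the answer's code: it uses the same Remove-AzADAppCredential / New-AzADAppCredential pair, but draws the secret from a CSPRNG instead of hard-coding it, creates the new credential before deleting the old ones so the app never has zero valid secrets, and stores the value in Key Vault as the only copy. It assumes Az.Resources 5.x as used in the answer (where New-AzADAppCredential accepts -Password; later Microsoft Graph based releases generate the secret themselves and expose it as SecretText), Az.KeyVault, and an existing session; $AppDisplayName and $VaultName are placeholders.

```powershell
# Added example (not from the answer): rotate an App Registration secret with a
# random value and keep the only copy in Key Vault.
# Assumes Az.Resources 5.x (New-AzADAppCredential -Password) and Az.KeyVault.
param(
    [Parameter(Mandatory = $true)][string]$AppDisplayName,  # placeholder
    [Parameter(Mandatory = $true)][string]$VaultName,       # placeholder
    [int]$ValidDays = 90
)

function New-RandomSecret {
    # 32 bytes from the platform CSPRNG, base64-encoded (44 characters).
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($buf)
}

$app = Get-AzADApplication -DisplayName $AppDisplayName
if (-not $app) { throw "No App Registration named '$AppDisplayName'." }

$plain  = New-RandomSecret
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$start  = Get-Date
$end    = $start.AddDays($ValidDays)

# Create the new credential first, then remove the old ones, so there is no
# window in which the app has no valid secret at all (the answer does it the
# other way round, which is fine for a one-off but not for scheduled rotation).
$old = @(Get-AzADAppCredential -ObjectId $app.ObjectId)
New-AzADAppCredential -ObjectId $app.ObjectId -Password $secure -StartDate $start -EndDate $end | Out-Null
foreach ($cred in $old) {
    Remove-AzADAppCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId -Force
}

# Store the value where the consuming workload reads it from; Azure AD will not
# return it again. Secret names allow only letters, digits and hyphens.
$secretName = ($AppDisplayName -replace '[^A-Za-z0-9-]', '-') + '-client-secret'
Set-AzKeyVaultSecret -VaultName $VaultName -Name $secretName -SecretValue $secure -Expires $end | Out-Null
Remove-Variable plain
Write-Host "Rotated secret for $AppDisplayName; stored as $secretName in $VaultName, expires $end."
```

The -Expires value on the Key Vault secret mirrors the credential's EndDate, so the vault's expiry reporting doubles as a reminder to run the rotation again before the app starts failing to authenticate.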
I added two accounts through powershell from devops yaml pipeline:
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $obj1 -PermissionsToSecrets Set,Get -BypassObjectIdValidation
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $obj2 -PermissionsToSecrets Set,Get -BypassObjectIdValidation
$obj1 = ADF
$obj2 = Pipeline Application identity
Obj1 (ADF) came in the 'Application' section of the Key Vault access policy,
but Obj2 came in the 'Unknown' section. Why?
Once Obj2 also came in the 'Compound Identity' section; not sure why.
If you are adding an Access Policy to Key Vault for an AAD application/service principal, make sure to use the ObjectId of the service principal, which is a different ObjectId than that of the application. You can use Get-AzADServicePrincipal to retrieve the service principal and find its ObjectId.
I cannot add Microsoft.Azure.Cdn service principal to Key Vault access policies.
I have run the following command in PowerShell.
New-AzureRmADServicePrincipal -ApplicationId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx"
I got the following result.
Secret: System.Security.SecureString
ServicePrincipalNames : {xxxxxx-xxxx-xxxx-xxxx-xxxxxxx,
https://microsoft.onmicrosoft.com/yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyy}
ApplicationId: xxxxxx-xxxx-xxxx-xxxx-xxxxxxx
DisplayName: Microsoft.Azure.Cdn
Id: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzz
AdfsId:
Type: ServicePrincipal
Then I went to the Access Policies of the Key Vault to add the principal there but I can't find it in the list.
Update
When I try to add it I get this result.
But when I do the following that was suggested in a comment:
"First, navigate to the Azure Active Directory in the portal -> Enterprise applications -> filter with All applications -> search for the ApplicationId in your result, make sure the service principal is existing."
Then I get no result.
First, navigate to the Azure Active Directory in the portal -> Enterprise applications -> filter with All applications -> search for the ApplicationId in your result, make sure the service principal is existing.
In the Add access policy page, search for the Id in your result (i.e. the Object ID of the SP); it should work.
Or you could use Set-AzureRmKeyVaultAccessPolicy to add a service principal to the access policy, the -ObjectId is the Id in your result.
Sample:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets Get,Set
Update:
Follow the steps as below.
Navigate to your keyvault in the portal -> copy the Directory ID and Subscription ID.
Login with Connect-AzureRmAccount -TenantId "<Directory ID>" -Subscription "<Subscription ID>", use the two properties above.
If you already logged in, just use Set-AzureRmContext -Tenant "<Directory ID>" -SubscriptionId "<Subscription ID>".
Then use New-AzureRmADServicePrincipal -ApplicationId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx" to create the service principal; when you have created it successfully, navigate to the access policies in your key vault and try to add it again.
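The answer above and the earlier ADF/pipeline answer make the same point: the access policy needs the service principal's own object id, which is not the application's object id, and the service principal must exist in the vault's tenant before it can be referenced. The script below is an added example, not code from either answer; starting from an ApplicationId it looks the service principal up, creates it if the tenant does not have one yet, and only then sets the policy, so -BypassObjectIdValidation is never needed and an 'Unknown' entry cannot be created by mistake. It uses the Az module (successor of AzureRm used in the answer) and assumes a Connect-AzAccount session in the vault's tenant; $ApplicationId and $VaultName are placeholders.

```powershell
# Added example (not from the threads): grant a Key Vault access policy to a
# service principal given only its ApplicationId, creating the SP if missing.
# Assumes the Az module and a session in the vault's tenant.
param(
    [Parameter(Mandatory = $true)][string]$ApplicationId,   # placeholder
    [Parameter(Mandatory = $true)][string]$VaultName,       # placeholder
    [string[]]$SecretPermissions = @('Get', 'List')
)

function Get-OrCreateServicePrincipal {
    # Returns the SP object for $AppId in the current tenant, creating it when
    # the tenant has none yet (the situation the answer's "Update" describes).
    param([string]$AppId)
    $sp = Get-AzADServicePrincipal -ApplicationId $AppId -ErrorAction SilentlyContinue
    if (-not $sp) {
        Write-Host "No service principal for $AppId in this tenant; creating one."
        $sp = New-AzADServicePrincipal -ApplicationId $AppId
    }
    return $sp
}

$sp = Get-OrCreateServicePrincipal -AppId $ApplicationId
# $sp.Id is the service principal object id, the value the access policy needs.
# (Get-AzADApplication -ApplicationId $ApplicationId).ObjectId is a different
# object id (the application's), which is what the earlier answer warns against.
Write-Host "Service principal '$($sp.DisplayName)' object id: $($sp.Id)"

Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id -PermissionsToSecrets $SecretPermissions

# Verify the entry landed under the expected object id.
$vault = Get-AzKeyVault -VaultName $VaultName
$entry = $vault.AccessPolicies | Where-Object ObjectId -eq $sp.Id
if (-not $entry) { throw "Access policy for $($sp.Id) was not found after the update." }
Write-Host "Secrets permissions now: $($entry.PermissionsToSecrets -join ', ')"
```

For the CDN case above, $ApplicationId is the Microsoft.Azure.Cdn application id shown when enabling Custom Domain HTTPS, and the default Get/List on secrets matches what that feature needs.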
Another way to solve this problem is by using the Azure CLI.
First check that you are working with the right subscription by following the steps below:
Login to Azure
az login
Get a list of your subscriptions
az account list --output table
Set a subscription from the list to be the current active one
az account set --subscription "<SUBSCRIPTION_NAME>"
Now copy the Service Principal ID shown in the blue box when you enable the "Custom Domain HTTPS" option
Create the Service Principal using that id
az ad sp create --id "d4631ece-daab-479b-be77-ccb713491fc0"
Go to your "KeyVault/Access Policies" and Add a new Access Policy
Grant "Get" and "List" permissions for the "Secret" and Select the Principal recently created
Do not forget to save your changes
You are done! You can now enable your "Custom Domain HTTPS" option and use your KeyVault.
I am trying to add a Key Vault with PowerShell. I always get the two warnings below while creating it. The vault is created successfully, but I want to understand how I can eliminate these warnings.
New-AzKeyVault -VaultName "kvxxxxxxxxxxx" `
-ResourceGroupName "RG-xxxx" -Location "South Central US"
WARNING: The provided information does not map to an AD object id.
WARNING: Access policy is not set. No user or application have access permission to use this vault. This can happen if the vault was created by a service principal. Please use Set-AzKeyVaultAccessPolicy to set access policies.
I can reproduce your issue on my side. The two WARNINGs are caused by your account being a personal account/Microsoft account (e.g. an outlook or hotmail account) in your Azure AD tenant; your user type is Guest.
Actually you can just ignore them, or use the -WarningAction Ignore parameter as mentioned in the comment.
When using a work account/member user type to create a key vault, the account that was used to create the key vault is added to the access policy of the key vault automatically. In your case, you could use the command Set-AzKeyVaultAccessPolicy to set the access policy after creating the key vault.
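Putting the answer into a script: create the vault with the warnings suppressed, then grant the signed-in account the policy that would have been added automatically for a member user. This is an added example, not the answer's code. It resolves the caller by directory object id rather than by UPN, because a guest's UPN inside the tenant is rewritten to the user_domain.com#EXT#@tenant.onmicrosoft.com form and a UPN lookup is exactly what "does not map to an AD object id". It assumes Az.KeyVault plus a Microsoft Graph based Az.Resources release that supports Get-AzADUser -SignedIn (that switch is the assumption here); the vault, resource group and location values are placeholders.

```powershell
# Added example (not from the answer): create the vault, suppress the two
# warnings, and give the signed-in (guest) account an explicit access policy.
# Assumes Az.KeyVault and an Az.Resources version with Get-AzADUser -SignedIn.
param(
    [Parameter(Mandatory = $true)][string]$VaultName,          # placeholder
    [Parameter(Mandatory = $true)][string]$ResourceGroupName,  # placeholder
    [string]$Location = 'South Central US'
)

# Resolve the caller by object id; the guest UPN form (#EXT#) is why the
# cmdlet's own UPN-based lookup fails with "does not map to an AD object id".
$me = Get-AzADUser -SignedIn
if (-not $me) { throw "Could not resolve the signed-in user." }

$vault = New-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
    -Location $Location -WarningAction Ignore

# Grant only what the creator needs for day-to-day use; widen deliberately.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $me.Id `
    -PermissionsToSecrets Get,List,Set,Delete -PermissionsToKeys Get,List,Create

# Confirm the policy landed before handing the vault over.
$policies = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies
if (-not ($policies | Where-Object ObjectId -eq $me.Id)) {
    throw "Access policy for $($me.Id) was not applied."
}
Write-Host "Vault $VaultName created; $($me.UserPrincipalName) has an explicit access policy."
```

Suppressing the warning without adding the policy leaves a vault that nobody can use, so the two steps belong together in the same script.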
I am calling a PowerShell script to add ADF into the Key Vault access policies using the following command.
If I grant it through the portal UI, it works. What could be wrong with the following code, or should I use a different API?
$Id = (Get-AzureRmDataFactoryV2 -ResourceGroupName $ResourceGroupName -Name $DataFactoryName).Identity.PrincipalId
Write-Host "Add permissions to key vault"
Set-AzureRmKeyVaultAccessPolicy -VaultName $AKVName -ObjectId $Id -PermissionsToSecrets Get,Set
I get this error: Set-AzureRmKeyVaultAccessPolicy : 'AccessPolicies' exceeds maximum item count of '16'.
It should add permission to ADF for the given key vault
Thanks
I found my answer in the below post
https://social.msdn.microsoft.com/Forums/azure/en-US/ee3ec74a-3103-4795-92fb-ee5ec5298d38/add-key-vault-access-policy-using-power-shell-does-not-work?forum=AzureKeyVault
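The error is not about the ADF identity but about the vault already holding as many policy entries as the service allows, so a deployment script should check the count before it tries to add one. The script below is an added example, not the asker's code or the linked post: it reads the data factory's managed identity, distinguishes "update an existing entry" (Set-AzKeyVaultAccessPolicy replaces it, so the count does not grow) from "add a new entry" (which fails at the limit), and lists the current entries when the vault is full so stale ones can be removed first. It uses the Az module; the 16-entry limit is taken from the error message in the question, and $VaultName, $ResourceGroupName and $DataFactoryName are placeholders.

```powershell
# Added example (not from the thread): pre-flight check before granting ADF an
# access policy, so the deployment fails with a useful message rather than
# "'AccessPolicies' exceeds maximum item count". Assumes the Az module.
param(
    [Parameter(Mandatory = $true)][string]$VaultName,          # placeholder
    [Parameter(Mandatory = $true)][string]$ResourceGroupName,  # placeholder
    [Parameter(Mandatory = $true)][string]$DataFactoryName,    # placeholder
    [int]$MaxPolicies = 16   # limit as reported in the question's error message
)

$adf = Get-AzDataFactoryV2 -ResourceGroupName $ResourceGroupName -Name $DataFactoryName
$principalId = $adf.Identity.PrincipalId
if (-not $principalId) { throw "Data factory $DataFactoryName has no managed identity." }

$vault    = Get-AzKeyVault -VaultName $VaultName
$policies = @($vault.AccessPolicies)
$existing = $policies | Where-Object ObjectId -eq $principalId

if ($existing) {
    # Replacing an entry keeps the count unchanged, so the limit is irrelevant.
    Write-Host "Updating existing policy for $principalId (currently: $($existing.PermissionsToSecrets -join ','))."
} elseif ($policies.Count -ge $MaxPolicies) {
    # Show what occupies the slots so the owner can prune unused principals.
    $policies |
        Select-Object ObjectId, DisplayName, @{ n = 'Secrets'; e = { $_.PermissionsToSecrets -join ',' } } |
        Format-Table -AutoSize
    throw "Vault $VaultName already has $($policies.Count) access policies; remove unused ones before adding ADF."
}

Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId -PermissionsToSecrets Get,Set
Write-Host "ADF principal $principalId now has Get,Set on secrets in $VaultName."
```

Combined with the audit listing earlier on this page, the table printed when the vault is full usually shows several entries for deleted or one-off principals, which are the safe ones to remove.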