Trying to import multiple access policies into multiple key vaults in an Azure subscription.
I was able to get an export and populate a CSV with exactly what I needed.
The problem I am having is with the Import-Csv / ForEach-Object step. Because Key Vault requires comma-separated values for the keys, secrets and certificates permissions, it will not work with my command, as it is looking for a single variable.
Example: -PermissionsToKeys All,Get,Update
My PowerShell command:
Import-Csv -Path "C:\temp\kv-policies.csv" | ForEach-Object {
Set-AzKeyVaultAccessPolicy -VaultName $_.KeyVaultName -UserPrincipalName $_.UPN -PermissionsToCertificates $_.PermissionsToCertificatesStr -PermissionsToKeys $_.PermissionsToKeysStr -PermissionsToSecrets $_.PermissionsToSecretsStr}
Error:
Set-AzKeyVaultAccessPolicy : Cannot validate argument on parameter 'PermissionsToCertificates'. The argument "string Substring(int startIndex), string Substring(int startIndex, int length)" does not belong to the set "all,get,list,delete,create,import,update,managecontacts,getissuers,listissuers,setissuers,deleteissuers,manageissuers,recover,purge,backup,restore" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again. At line:2 char:112
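An added PowerShell example (not the asker's or the answerer's code) showing how each comma-separated permission cell from the CSV can be turned into the string array that the -PermissionsTo* parameters validate against, with blank cells left out of the call and a -WhatIf dry run before anything is changed. The CSV rows, vault names and UPNs are constructed; the column names are the ones from the question.

```powershell
# Added example: build the argument set for Set-AzKeyVaultAccessPolicy from one
# CSV row, splitting "All,Get,Update"-style cells into string arrays.
function ConvertTo-AccessPolicyParams {
    param([Parameter(Mandatory)] [pscustomobject] $Row)

    # Splits "Get, List" into @('Get','List'); a blank cell yields $null so the
    # matching -PermissionsTo* parameter is omitted instead of passed as "".
    function Split-PermissionCell ([string] $Cell) {
        if ([string]::IsNullOrWhiteSpace($Cell)) { return $null }
        return @($Cell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    $params = @{
        VaultName         = $Row.KeyVaultName.Trim()
        UserPrincipalName = $Row.UPN.Trim()
    }
    $cells = @{
        PermissionsToKeys         = $Row.PermissionsToKeysStr
        PermissionsToSecrets      = $Row.PermissionsToSecretsStr
        PermissionsToCertificates = $Row.PermissionsToCertificatesStr
    }
    foreach ($name in $cells.Keys) {
        $values = Split-PermissionCell $cells[$name]
        if ($values) { $params[$name] = $values }
    }
    return $params
}

# Constructed sample rows standing in for C:\temp\kv-policies.csv
$sampleCsv = @'
KeyVaultName,UPN,PermissionsToKeysStr,PermissionsToSecretsStr,PermissionsToCertificatesStr
kv-prod-01,alice@contoso.example,"Get,List","Get,List,Set",
kv-prod-02,bob@contoso.example,"Get, Update, Create",,"Get,List,Update"
'@

$sampleCsv | ConvertFrom-Csv | ForEach-Object {
    $p = ConvertTo-AccessPolicyParams -Row $_
    # Show exactly what will be granted before applying it.
    "{0} / {1}: keys=[{2}] secrets=[{3}] certs=[{4}]" -f $p.VaultName, $p.UserPrincipalName,
        ($p.PermissionsToKeys -join ','), ($p.PermissionsToSecrets -join ','),
        ($p.PermissionsToCertificates -join ',')
    # Splatting passes each key as a named parameter; remove -WhatIf to apply.
    Set-AzKeyVaultAccessPolicy @p -WhatIf
}
```

Swap the constructed here-string for `Import-Csv -Path "C:\temp\kv-policies.csv"` to run it against the real export.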
I tried testing your scenario, but as we are doing this for multiple users and multiple permissions, it's a limitation to use PowerShell to update the access policy. So, it's recommended to use an ARM template to assign multiple policies.
If it's multiple users and a single permission, then you can use your PowerShell script.
Step 1: For adding multiple access policies for users, you will need to get the objectId for the users present in Azure AD.
You can use the CLI command:
az ad user show --id "upn" --query "objectId"
Step 2: Then you can use the template below to add multiple access policies to a Key Vault.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "apiVersion": "2019-09-01",
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "UPN1ObjectID",
            "permissions": {
              "keys": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore",
                "UnwrapKey",
                "WrapKey"
              ],
              "secrets": [
                "Get",
                "List",
                "Set",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "certificates": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore",
                "ManageContacts",
                "ManageIssuers",
                "GetIssuers",
                "ListIssuers",
                "SetIssuers",
                "DeleteIssuers"
              ]
            }
          },
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "UPN2ObjectID",
            "permissions": {
              "keys": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "secrets": [
                "Get",
                "List",
                "Set",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "certificates": [
                "Get",
                "List",
                "Import",
                "Update",
                "Create"
              ]
            }
          },
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "UPN3ObjectID",
            "permissions": {
              "keys": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "secrets": [
                "Get",
                "List",
                "Set",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "certificates": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore",
                "ManageContacts",
                "ManageIssuers",
                "GetIssuers",
                "ListIssuers",
                "SetIssuers",
                "DeleteIssuers"
              ]
            }
          }
        ]
      }
    }
  ]
}
Step 3: Now run Connect-AzAccount in PowerShell and deploy the template using the command below.
New-AzResourceGroupDeployment -ResourceGroupName "keyvaultresourcegroup" -TemplateFile kvpolicies.json
It will ask you for the key vault name, and after providing it you will have successfully added the access policies to the Key Vault.
Reference:
Create an Azure key vault and a vault access policy by using ARM template | Microsoft Docs