RJSN

AzureKeyVault

Dec 14th, 2017
  1. $SubScriptionName = "MySubscription"
  2. Login-AzureRmAccount -SubscriptionName $SubScriptionName
  3.  
  4. $SubScriptionID = Get-AzureRMSubscription -SubscriptionName $SubScriptionName
  5. $SubScriptionID = $SubScriptionID.Id
  6. $keyVaultName = "MyKeyVault"
  7. $keyVaultResourceGroupName = "MyResourceGroup"
  8. $StorageAccountResourceGroup = "ResourceGroupWithMyStorageAccount"
  9. $StorageAccountName = "mystorageaccount01"
  10. $StorageAccountKey = "key1" # The name of the primary (key1) or secondary (key2) of the storage account, THIS IS CASE SENSITIVE
  11. $SASname1 = "blobsas1"
  12. $SASname2 = "blobsas2"
  13. $SecretName1 = "$StorageAccountName-$SASname1"
  14. $SecretName2 = "$StorageAccountName-$SASname2"
  15. $regenerationPeriod = New-TimeSpan -Days 1 # Key rotation # of days (minimum 1 day)
  16.  
  17.  
  18.  
  19. # Get a service principal, needs to be done once per vault
  20. $objectid = (Get-AzureRmADServicePrincipal -ServicePrincipalName cfa8b339-82a2-471a-a3c9-0fc0be7a4093).Id
  21.  
  22. # Assign permissions to the Key Vault, needs to be done once per vault
  23. Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $keyVaultResourceGroupName -objectID $objectid -PermissionsToStorage all
  24.  
  25. # Assign permissions to the Storage Account (this will add a role under Access control (IAM) of the Storage Account)
  26. New-AzureRmRoleAssignment -ObjectId $objectid -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope "/subscriptions/$SubScriptionID/resourceGroups/$StorageAccountResourceGroup/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"
  27.  
  28. # The account SAS provides access to the blob service with different permissions.
  29. Add-AzureKeyVaultManagedStorageAccount -VaultName $keyVaultName -Name $StorageAccountName -AccountResourceId "/subscriptions/$SubScriptionID/resourceGroups/$StorageAccountResourceGroup/providers/Microsoft.Storage/storageAccounts/$StorageAccountName" -ActiveKeyName $StorageAccountKey -DisableAutoRegenerateKey
  30.  
  31. # Key will be updated every day (minimum time is 1 day)
  32. $storageaccountid = "/subscriptions/$SubScriptionID/resourceGroups/$StorageAccountResourceGroup/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"
  33. Add-AzureKeyVaultManagedStorageAccount -VaultName $keyVaultName -AccountResourceId $storageAccountId -AccountName "$StorageAccountName" -ActiveKeyName "$StorageAccountKey" -RegenerationPeriod $regenerationPeriod
  34.  
  35. # Create Managed Storage SAS definitions
  36. Set-AzureKeyVaultManagedStorageSasDefinition -Service Blob -ResourceType Container,Service -VaultName $keyVaultName -AccountName $StorageAccountName -Name $SASname1 -Protocol HttpsOnly -ValidityPeriod $regenerationPeriod -Permission Read,List
  37. Set-AzureKeyVaultManagedStorageSasDefinition -Service Blob -ResourceType Container,Service,Object -VaultName $keyVaultName -AccountName $StorageAccountName -Name $SASname2 -Protocol HttpsOnly -ValidityPeriod $regenerationPeriod -Permission Read,List,Write
  38.  
  39. # Get the SAS token from the Key vault
  40. $sasToken1 = (Get-AzureKeyVaultSecret -VaultName $keyVaultName -SecretName $SecretName1).SecretValueText
  41. $sasToken2 = (Get-AzureKeyVaultSecret -VaultName $keyVaultName -SecretName $SecretName2).SecretValueText
  42.  
  43. # Upload file using the key vault token, do not use quotes around the StorageAccountName
  44. # Make sure the files abc.txt and file.txt exist
  45. # Contains should exists, fails when they are not there
  46.  
  47. # This one one fails as it has no upload permissions (line 36)
  48. $context1 = New-AzureStorageContext -SasToken $sasToken1 -StorageAccountName $StorageAccountName
  49. Set-AzureStorageBlobContent -Container containertest1 -File "abc.txt"  -Context $context1 -Force
  50.  
  51. # This one succeeds, has upload permissions (line 37) until the key has been rotated (line 68) and a new token has been request (line 40)
  52. $context2 = New-AzureStorageContext -SasToken $sasToken2 -StorageAccountName $StorageAccountName
  53. Set-AzureStorageBlobContent -Container cont1-file "file.txt"  -Context $context2 -Force
  54.  
  55.  
  56.  
  57.  
  58. ########## Other Key Vault functionalities ##########
  59.  
  60. # Gets a Key Vault managed Azure Storage Accounts
  61. Get-AzureKeyVaultManagedStorageAccount -VaultName $keyVaultName
  62.  
  63. # Removes a Key Vault managed Azure Storage Account
  64. Remove-AzureKeyVaultManagedStorageAccount -AccountName $StorageAccountName -VaultName $keyVaultName -Force
  65.  
  66. # Update key manually, this will make the current token useless and a new token must be requested
  67. # Keyname is case sensitive
  68. Update-AzureKeyVaultManagedStorageAccountKey -VaultName $keyVaultName -AccountName $StorageAccountName -KeyName $StorageAccountKey -Force
  69.  
  70. # Remove the Azure Key Vault Secrets entry
  71. Remove-AzureKeyVaultManagedStorageSasDefinition -AccountName $StorageAccountName -Name $SASname1 -VaultName $keyVaultName -Force