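# Key Vault managed storage account setup (AzureRM module).
#
# Key Vault takes ownership of a storage account's keys, rotates them on a
# schedule, and hands out short-lived account SAS tokens from SAS definitions,
# so callers only ever receive a bounded SAS and never the account key itself.
#
# NOTE(review): the AzureRM module is retired; the Az module exposes the same
# cmdlets with an Az prefix (Add-AzKeyVaultManagedStorageAccount, ...) — confirm
# before reusing this on a current toolchain.

# Stop at the first failing cmdlet rather than continuing with a half-configured
# vault (e.g. a missing role assignment followed by a silent SAS failure).
$ErrorActionPreference = 'Stop'

$SubScriptionName = "MySubscription"
Login-AzureRmAccount -SubscriptionName $SubScriptionName
$SubScriptionID = (Get-AzureRMSubscription -SubscriptionName $SubScriptionName).Id

$keyVaultName = "MyKeyVault"
$keyVaultResourceGroupName = "MyResourceGroup"
$StorageAccountResourceGroup = "ResourceGroupWithMyStorageAccount"
$StorageAccountName = "mystorageaccount01"
# Name of the key Key Vault should treat as active: key1 (primary) or key2
# (secondary). THIS IS CASE SENSITIVE.
$StorageAccountKey = "key1"
$SASname1 = "blobsas1"
$SASname2 = "blobsas2"
# Key Vault exposes each SAS definition as a secret named "<account>-<sasdef>".
$SecretName1 = "$StorageAccountName-$SASname1"
$SecretName2 = "$StorageAccountName-$SASname2"
# Key rotation interval (minimum 1 day); also reused as the SAS validity period below.
$regenerationPeriod = New-TimeSpan -Days 1

# Resource ID of the storage account; used for the RBAC scope and the managed
# storage registration, so build it once.
$storageaccountid = "/subscriptions/$SubScriptionID/resourceGroups/$StorageAccountResourceGroup/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"

# Object ID of the Key Vault first-party service principal. The application ID
# cfa8b339-82a2-471a-a3c9-0fc0be7a4093 is Key Vault's well-known app ID (same in
# every tenant); the object ID differs per tenant, hence the lookup.
$objectid = (Get-AzureRmADServicePrincipal -ServicePrincipalName cfa8b339-82a2-471a-a3c9-0fc0be7a4093).Id
if (-not $objectid) {
    throw "Key Vault service principal (cfa8b339-82a2-471a-a3c9-0fc0be7a4093) not found in this tenant."
}

# Vault access policy for managed-storage objects, needs to be done once per vault.
# NOTE(review): 'all' grants every storage permission on this vault to the
# principal; narrow it to the operations actually needed (get/list/set/getsas/
# setsas/regeneratekey ...) once the required set is confirmed.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $keyVaultResourceGroupName -ObjectId $objectid -PermissionsToStorage all

# Let Key Vault list and regenerate the account keys (shows up under Access
# control (IAM) of the storage account). The scope is the single storage
# account, not the resource group or subscription — keep it that narrow.
# New-AzureRmRoleAssignment errors if the assignment already exists, so check first.
$roleName = 'Storage Account Key Operator Service Role'
$existingAssignment = Get-AzureRmRoleAssignment -ObjectId $objectid -RoleDefinitionName $roleName -Scope $storageaccountid -ErrorAction SilentlyContinue
if (-not $existingAssignment) {
    New-AzureRmRoleAssignment -ObjectId $objectid -RoleDefinitionName $roleName -Scope $storageaccountid
}

# Register the storage account with Key Vault. Key Vault now owns the keys and
# regenerates the inactive one every $regenerationPeriod (minimum 1 day).
# Registering the same account twice fails, so only ONE of the two variants
# below may run. To register without automatic rotation use instead:
#   Add-AzureKeyVaultManagedStorageAccount -VaultName $keyVaultName -AccountName $StorageAccountName -AccountResourceId $storageaccountid -ActiveKeyName $StorageAccountKey -DisableAutoRegenerateKey
Add-AzureKeyVaultManagedStorageAccount -VaultName $keyVaultName -AccountName $StorageAccountName -AccountResourceId $storageaccountid -ActiveKeyName $StorageAccountKey -RegenerationPeriod $regenerationPeriod

# Managed storage SAS definitions (account SAS for the Blob service, HTTPS only).
# Validity is tied to the rotation period so no token outlives the key it was
# signed with.
# blobsas1: read/list on Service and Container resource types. Without the
# Object resource type this token can enumerate containers and blobs but cannot
# read blob content — add Object if downloads are intended.
Set-AzureKeyVaultManagedStorageSasDefinition -Service Blob -ResourceType Container,Service -VaultName $keyVaultName -AccountName $StorageAccountName -Name $SASname1 -Protocol HttpsOnly -ValidityPeriod $regenerationPeriod -Permission Read,List
# blobsas2: additionally Write on Object, i.e. it can upload blobs.
Set-AzureKeyVaultManagedStorageSasDefinition -Service Blob -ResourceType Container,Service,Object -VaultName $keyVaultName -AccountName $StorageAccountName -Name $SASname2 -Protocol HttpsOnly -ValidityPeriod $regenerationPeriod -Permission Read,List,Write

# Fetch the SAS tokens from the vault. These are bearer credentials: do not
# Write-Host/log them, and do not persist them — request a fresh one instead.
$sasToken1 = (Get-AzureKeyVaultSecret -VaultName $keyVaultName -SecretName $SecretName1).SecretValueText
$sasToken2 = (Get-AzureKeyVaultSecret -VaultName $keyVaultName -SecretName $SecretName2).SecretValueText

# Upload using the vault-issued tokens. Do not quote the StorageAccountName.
# The files abc.txt and file.txt and the target containers must already exist.

# Expected to be DENIED: blobsas1 has no Write permission. Caught so the
# demonstration continues under $ErrorActionPreference = 'Stop'.
$context1 = New-AzureStorageContext -SasToken $sasToken1 -StorageAccountName $StorageAccountName
try {
    Set-AzureStorageBlobContent -Container containertest1 -File "abc.txt" -Context $context1 -Force
    Write-Warning "Upload with $SASname1 unexpectedly succeeded; check its permissions."
} catch {
    Write-Output "Upload with $SASname1 denied as expected: $($_.Exception.Message)"
}

# Expected to SUCCEED: blobsas2 has Write. It keeps working until the key is
# rotated (or updated manually, see below); after that a new token must be fetched.
$context2 = New-AzureStorageContext -SasToken $sasToken2 -StorageAccountName $StorageAccountName
Set-AzureStorageBlobContent -Container cont1 -File "file.txt" -Context $context2 -Force

########## Other Key Vault functionalities ##########
# List the Key Vault managed storage accounts (read-only, safe to run).
Get-AzureKeyVaultManagedStorageAccount -VaultName $keyVaultName

# The remaining operations are destructive and are left commented out so that
# running this script top to bottom does not remove the account it just
# registered. Run them deliberately.
#
# Remove a Key Vault managed storage account (Key Vault stops rotating its keys):
#   Remove-AzureKeyVaultManagedStorageAccount -AccountName $StorageAccountName -VaultName $keyVaultName -Force
#
# Rotate the key manually. This invalidates every SAS signed with it, so every
# holder must request a new token. KeyName is case sensitive (key1/key2):
#   Update-AzureKeyVaultManagedStorageAccountKey -VaultName $keyVaultName -AccountName $StorageAccountName -KeyName $StorageAccountKey -Force
#
# Remove a SAS definition (and with it the "<account>-<sasdef>" secret):
#   Remove-AzureKeyVaultManagedStorageSasDefinition -AccountName $StorageAccountName -Name $SASname1 -VaultName $keyVaultName -Force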