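<#
.SYNOPSIS
  Creates (or reuses) a resource group and an Azure Key Vault, grants
  access-policy permissions, and stores one secret.

.DESCRIPTION
  Steps, in order:
    1. Create the resource group if it does not exist.
    2. Create the Key Vault if it does not exist (Standard SKU, enabled for
       disk encryption, deployment and template deployment).
    3. Grant the pipeline service principal list/get on keys and certificates
       and list/get/set on secrets.
    4. Grant every object id in $keyVaultUsers list/get on keys, secrets and
       certificates.
    5. Add or update the secret $secretName with $secretValue.

  Access policies are applied on every run, not only when the vault is
  created, so re-running the script after adding a user to $keyVaultUsers
  grants that user access (Set-AzKeyVaultAccessPolicy is idempotent).

.PARAMETER location
  Azure region for the resource group and vault (e.g. 'westeurope').
.PARAMETER resourceGroupName
  Resource group that will hold the vault.
.PARAMETER keyVaultName
  Globally unique Key Vault name.
.PARAMETER secretName
  Name of the secret to create or update.
.PARAMETER secretValue
  Secret value as plain text. It is converted to a SecureString before use,
  but it still arrives via the process argument list; pass it from a masked
  pipeline variable and keep it out of verbose/transcript logging.
.PARAMETER keyVaultUsers
  Comma-separated Azure AD object ids (users, groups or apps) that receive
  read-only (list/get) access. Whitespace around entries is ignored; empty
  entries are skipped.
.PARAMETER svcPrincipalAppObjectId
  Object id of the pipeline service principal that receives list/get/set on
  secrets.

.NOTES
  - Requires the Az module and an authenticated context (Connect-AzAccount)
    with rights to create resource groups, vaults and access policies.
  - -BypassObjectIdValidation skips the Azure AD lookup of each object id
    (needed when the pipeline identity cannot read the directory). The trade
    off is that a mistyped id is accepted silently and creates a policy for a
    principal that does not exist; verify the ids that reach this script.
  - -EnabledForDeployment / -EnabledForTemplateDeployment let Azure VMs and
    ARM deployments read secrets from this vault; keep them only if that
    integration is actually used.
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$true)]$location,
    [Parameter(Mandatory=$true)]$resourceGroupName,
    [Parameter(Mandatory=$true)]$keyVaultName,
    [Parameter(Mandatory=$true)]$secretName,
    [Parameter(Mandatory=$true)]$secretValue,
    [Parameter(Mandatory=$true)]$keyVaultUsers,
    [Parameter(Mandatory=$true)]$svcPrincipalAppObjectId
)

# Fail fast: without this a failed New-AzResourceGroup / New-AzKeyVault only
# writes an error and the script carries on to later steps that cannot succeed.
# The existence probes below opt out explicitly with -ErrorAction SilentlyContinue.
$ErrorActionPreference = 'Stop'

Write-Host "Starting to Create the Key Vault"

# Create the resource group if it does not exist.
$rgAvail = Get-AzResourceGroup -Name $resourceGroupName -Location $location -ErrorAction SilentlyContinue
if (-not $rgAvail) {
    New-AzResourceGroup -Name $resourceGroupName -Location $location
}

# Create the Key Vault if it does not exist.
$kvAvail = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue
if (-not $kvAvail) {
    New-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -Location $location -Sku 'Standard' -EnabledForDiskEncryption -EnabledForDeployment -EnabledForTemplateDeployment
    # Give the vault's DNS entry a moment to propagate before the data-plane calls below.
    Start-Sleep -Seconds 15
}

# Pipeline service principal: read keys/certificates, read and write secrets.
# Applied unconditionally so an existing vault also gets (or keeps) the policy.
Set-AzKeyVaultAccessPolicy -BypassObjectIdValidation -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ObjectId $svcPrincipalAppObjectId -PermissionsToKeys list,get -PermissionsToSecrets list,get,set -PermissionsToCertificates list,get

# Read-only policies for the listed users/groups/apps.
foreach ($entry in ($keyVaultUsers -split ',')) {
    $adminUserObjectId = $entry.Trim()
    if (-not $adminUserObjectId) {
        # Tolerate trailing commas / doubled separators instead of sending an empty id.
        continue
    }
    Set-AzKeyVaultAccessPolicy -BypassObjectIdValidation -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ObjectId $adminUserObjectId -PermissionsToKeys list,get -PermissionsToSecrets list,get -PermissionsToCertificates list,get
}

# Add or update the secret. -AsPlainText -Force is the only way to build a
# SecureString from a string value; the plain value is not written anywhere.
$secretVal = ConvertTo-SecureString -String $secretValue -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName -SecretValue $secretVal

# Log the secret identifier only (the original printed the whole object, which
# is neither a URL nor useful in pipeline output). The value itself is never echoed.
Write-Host "Connection Key Vault URL is $($secret.Id)"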