Azure Key Vaults: Assign Access Policies to multiple objects using PowerShell

By Saad Khamis

October 9, 2021

9866 views

In this blog I will share one way to assign a key vault access policies to multiple applications, security groups or users using PowerShell.

My blog has relatively simple, and sometimes complex, examples and I’m hoping that you will be able to tailor them to your need or use them in your own scripts.

To assign access policies to a single applications, security groups or users, review Azure Key Vaults: Assign Access Policies to a single object using PowerShell.

The approach in this blog can also be used to assign access policy to a single application, security group or user by having a single entry in the array variables defined in the scrips.

Prerequisites

  1. Install Azure PowerShell if you haven’t already. You can use Cloud Shell if you prefer to stay within Azure Portal.
  2. Install Azure Active Directory PowerShell module if you haven’t already. You can use Cloud Shell if you prefer to stay within Azure Portal.
  3. A key vault already created. You can use Quickstart: Create a key vault using the Azure portal to create one.

Introduction

The goal of this blog is to show one way to accomplish a task. It is not to show how to write a perfect script, the perfect solution to a challenge or the perfect process to accomplish a task.

Because key vault supports up to 1024 access policy entries, it is recommended to assign access policies to groups of users, where possible, rather than individual users.

Using PowerShell, I will show you how to assign a key vault access policies to:

  1. Multiple applications, security groups or users.

PowerShell Cmdlets

  1. Connect-AzAccount Connect to Azure with an authenticated account for use with cmdlets from the Az PowerShell modules.
  2. Set-AzContext Sets the tenant, subscription, and environment for cmdlets to use in the current session.
  3. Get-AzADGroup Filters active directory groups.
  4. Set-AzKeyVaultAccessPolicy Grants or modifies existing permissions for a user, application, or security group to perform operations with a key vault. The cmdlet will be used with the following parameters: -VaultName-UserPrincipalName-ObjectId-ServicePrincipalName-PermissionsToKeys, and -PermissionsToSecrets.
    By default, Set-AzKeyVaultAccessPolicy does not generate any output. Use -PassThru to returns an object representing the item with which you are working.

Sign in to Azure

  1. Sign in to Azure. If you have multiple subscriptions or tenants, make sure to sign in to the correct subscription.
  2. You can use Set-AzContext to set the tenant, subscription, and environment for cmdlets to use in the current session.

Assign same or different access policies to multiple user using -UserPrincipalName

The following table lists users’ principal name and access policies to be assigned to each one.

User’s Principal Name Access Policies – Keys Access Policies – Secrets
User01@contsodev.com all get,list
User02@contsodev.com get,list,delete set,get,list,delete
User03@contsodev.com encrypt,decrypt backup,restore

We start by saving users’ principle names in an array and save corresponding access policies for each user in another arrays. For each user in the array, assign the required access policy.

As you can see we are using one Set-AzKeyVaultAccessPolicy command line to assign access policies for both keys and secrets. How about if a user does not require access to keys, secrets, etc. Consider the following example:

User’s Principal Name Access Policies – Keys Access Policies – Secrets
User01@contsodev.com all get,list
User02@contsodev.com No access set,get,list,delete
User03@contsodev.com encrypt,decrypt No access

To accommodate this scenario, we will have a Set-AzKeyVaultAccessPolicy command line for each permission and use an if statement to check if the user requires the permission or not.

The following example handles the above scenario. It includes permission for keys and secrets. You can easily add checks for other permissions.

Assign same or different access policies to multiple security group using -ObjectId

In order to assign access policies to a security group, the security group object Id is needed. The Get-AzADGroup cmdlet is used to get the security group object Id. You can:

  1. Save the result of Get-AzADGroup in a variable then use the variable or
  2. Get security group object Id inline in the same command line. The advantage of the first method is the ability to check validate the group name. I will show you both method.

Consider the following example:

Group Name Access Policies – Keys Access Policies – Secrets
Group01 all get,list
Group02 No access set,get,list,delete
Group03 encrypt,decrypt No access

Conclusion

In this blog we explored how to assign a key vault access policies to multiple users and multiple security groups using PowerShell.

Did you find this blog easy to follow and helpful to you? Let me know in the comments below.

Disclaimer

Purpose of the code contained in blog is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.

Comments

There's no comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

List all AWS Certificate Manager certificates

By Saad Khamis 14411 views July 31, 2024

Get all AWS EBS snapshots across all profiles and regions

By Saad Khamis 18768 views June 26, 2024