Azure Key Vaults: Assign Access Policies to multiple objects using PowerShell
In this blog I will share one way to assign key vault access policies to multiple applications, security groups or users using PowerShell.
My blog has relatively simple, and sometimes complex, examples and I’m hoping that you will be able to tailor them to your need or use them in your own scripts.
To assign access policies to a single application, security group or user, review Azure Key Vaults: Assign Access Policies to a single object using PowerShell.
The approach in this blog can also be used to assign an access policy to a single application, security group or user by having a single entry in the array variables defined in the scripts.
Prerequisites
- Install Azure PowerShell if you haven’t already. You can use Cloud Shell if you prefer to stay within Azure Portal.
- Install Azure Active Directory PowerShell module if you haven’t already. You can use Cloud Shell if you prefer to stay within Azure Portal.
- A key vault already created. You can use Quickstart: Create a key vault using the Azure portal to create one.
Introduction
The goal of this blog is to show one way to accomplish a task. It is not to show how to write a perfect script, the perfect solution to a challenge or the perfect process to accomplish a task.
Because key vault supports up to 1024 access policy entries, it is recommended to assign access policies to groups of users, where possible, rather than individual users.
Using PowerShell, I will show you how to assign key vault access policies to:
- Multiple applications, security groups or users.
PowerShell Cmdlets
- Connect-AzAccount Connect to Azure with an authenticated account for use with cmdlets from the Az PowerShell modules.
- Set-AzContext Sets the tenant, subscription, and environment for cmdlets to use in the current session.
- Get-AzADGroup Filters active directory groups.
- Set-AzKeyVaultAccessPolicy Grants or modifies existing permissions for a user, application, or security group to perform operations with a key vault. The cmdlet will be used with the following parameters: -VaultName, -UserPrincipalName, -ObjectId, -ServicePrincipalName, -PermissionsToKeys, and -PermissionsToSecrets.
By default, Set-AzKeyVaultAccessPolicy does not generate any output. Use -PassThru to return an object representing the item with which you are working.
Sign in to Azure
- Sign in to Azure. If you have multiple subscriptions or tenants, make sure to sign in to the correct subscription.
- You can use Set-AzContext to set the tenant, subscription, and environment for cmdlets to use in the current session.
Connect-AzAccount -Subscription "aa1111a1-1111-1a1a-11a1-1111a1a1a1a1"
Assign same or different access policies to multiple users using -UserPrincipalName
The following table lists users’ principal name and access policies to be assigned to each one.
User’s Principal Name | Access Policies – Keys | Access Policies – Secrets |
User01@contsodev.com | all | get,list |
User02@contsodev.com | get,list,delete | set,get,list,delete |
User03@contsodev.com | encrypt,decrypt | backup,restore |
We start by saving the users' principal names in an array and the corresponding access policies for each user in two other arrays (one for keys, one for secrets). For each user in the array, we assign the required access policy.
# Key vault name
$VaultName = 'kv-sql-secrets-dev'
# Users' principal names array
$UsersPN = @("User01@saadkhamis.com","User02@saadkhamis.com","User03@saadkhamis.com")
# Users' keys access policies array (same index as $UsersPN)
$KeysAP = @("all","get,list,delete","encrypt,decrypt")
# Users' secrets access policies array (same index as $UsersPN)
$SecretsAP = @("get,list","set,get,list,delete","backup,restore")

For ($i = 0; $i -lt $UsersPN.Length; $i++) {
    Write-Host "*** Granting access policies to [$($UsersPN[$i])]"
    # One call grants both key and secret permissions; Split(',') turns "get,list" into an array
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UsersPN[$i] `
        -PermissionsToKeys ($KeysAP[$i]).Split(',') -PermissionsToSecrets ($SecretsAP[$i]).Split(',')
}
Write-Host "*** Completed"
As you can see, we are using a single Set-AzKeyVaultAccessPolicy command line to assign access policies for both keys and secrets. What if a user does not require access to keys, or to secrets, at all? Consider the following example:
User’s Principal Name | Access Policies – Keys | Access Policies – Secrets |
User01@contsodev.com | all | get,list |
User02@contsodev.com | No access | set,get,list,delete |
User03@contsodev.com | encrypt,decrypt | No access |
To accommodate this scenario, we will have a Set-AzKeyVaultAccessPolicy command line for each permission and use an if statement to check if the user requires the permission or not.
The following example handles the above scenario. It includes permission for keys and secrets. You can easily add checks for other permissions.
# Key vault name
$VaultName = 'kv-sql-secrets-dev'
# Users' principal names array
$UsersPN = @("User01@saadkhamis.com","User02@saadkhamis.com","User03@saadkhamis.com")
# Users' keys access policies array; an empty string means "No access"
$KeysAP = @("all","","encrypt,decrypt")
# Users' secrets access policies array; an empty string means "No access"
$SecretsAP = @("get,list","set,get,list,delete","")

For ($i = 0; $i -lt $UsersPN.Length; $i++) {
    Write-Host "*** Granting access policies to [$($UsersPN[$i])]"
    # Optional: passing empty arrays clears any existing key and secret permissions for this user first
    #Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UsersPN[$i] -PermissionsToKeys @() -PermissionsToSecrets @()

    if ($KeysAP[$i] -eq "") {
        Write-Host "Skipping assigning access policies for keys"
    } else {
        Write-Host "Assigning access policies [$($KeysAP[$i])] for keys"
        Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UsersPN[$i] -PermissionsToKeys ($KeysAP[$i]).Split(',')
    }

    if ($SecretsAP[$i] -eq "") {
        Write-Host "Skipping assigning access policies for secrets"
    } else {
        Write-Host "Assigning access policies [$($SecretsAP[$i])] for secrets"
        Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UsersPN[$i] -PermissionsToSecrets ($SecretsAP[$i]).Split(',')
    }
}
Write-Host "*** Completed"
Assign same or different access policies to multiple security groups using -ObjectId
In order to assign access policies to a security group, the security group's object Id is needed. The Get-AzADGroup cmdlet is used to get the security group object Id. You can either:
- Save the result of Get-AzADGroup in a variable and then use the variable, or
- Get the security group object Id inline in the same command line.
The advantage of the first method is that you can validate the group name (and report a group that does not exist) before calling Set-AzKeyVaultAccessPolicy. I will show you both methods.
Consider the following example:
Group Name | Access Policies – Keys | Access Policies – Secrets |
Group01 | all | get,list |
Group02 | No access | set,get,list,delete |
Group03 | encrypt,decrypt | No access |
# Key vault name
$VaultName = 'kv-sql-secrets-dev'
# Group names array
$Groups = @("Group01","Group02","Group03")
# Groups' keys access policies array; an empty string means "No access"
$KeysAP = @("all","","encrypt,decrypt")
# Groups' secrets access policies array; an empty string means "No access"
$SecretsAP = @("get,list","set,get,list,delete","")

# 1. Save the result of Get-AzADGroup in a variable then use the variable
For ($i = 0; $i -lt $Groups.Length; $i++) {
    Write-Host "*** Granting access policies to [$($Groups[$i])]"
    $GroupId = (Get-AzADGroup | Where-Object {$_.DisplayName -eq $Groups[$i]}).Id
    if ($null -eq $GroupId) {
        # Security group does not exist, write an error message
        Write-Host "[$($Groups[$i])] does not exist" -ForegroundColor Red
    } else {
        # Security group exists, grant the security group permissions
        if ($KeysAP[$i] -eq "") {
            Write-Host "Skipping assigning access policies for keys"
        } else {
            Write-Host "Assigning access policies [$($KeysAP[$i])] for keys"
            Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $GroupId -PermissionsToKeys ($KeysAP[$i]).Split(',')
        }
        if ($SecretsAP[$i] -eq "") {
            Write-Host "Skipping assigning access policies for secrets"
        } else {
            Write-Host "Assigning access policies [$($SecretsAP[$i])] for secrets"
            Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $GroupId -PermissionsToSecrets ($SecretsAP[$i]).Split(',')
        }
    }
}
Write-Host "*** Completed"

# OR

# 2. Get security group object Id inline in the same command line
#    (no check that the group exists; a missing group makes Set-AzKeyVaultAccessPolicy fail with an empty -ObjectId)
For ($i = 0; $i -lt $Groups.Length; $i++) {
    Write-Host "*** Granting access policies to [$($Groups[$i])]"
    # Optional: passing empty arrays clears any existing key and secret permissions for this group first
    #Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId (Get-AzADGroup | Where-Object {$_.DisplayName -eq $Groups[$i]}).Id -PermissionsToKeys @() -PermissionsToSecrets @()

    if ($KeysAP[$i] -eq "") {
        Write-Host "Skipping assigning access policies for keys"
    } else {
        Write-Host "Assigning access policies [$($KeysAP[$i])] for keys"
        Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId (Get-AzADGroup | Where-Object {$_.DisplayName -eq $Groups[$i]}).Id -PermissionsToKeys ($KeysAP[$i]).Split(',')
    }

    if ($SecretsAP[$i] -eq "") {
        Write-Host "Skipping assigning access policies for secrets"
    } else {
        Write-Host "Assigning access policies [$($SecretsAP[$i])] for secrets"
        Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId (Get-AzADGroup | Where-Object {$_.DisplayName -eq $Groups[$i]}).Id -PermissionsToSecrets ($SecretsAP[$i]).Split(',')
    }
}
Write-Host "*** Completed"
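The user and group scripts above share the same shape: parallel arrays, an empty string for "No access", and one Set-AzKeyVaultAccessPolicy call per permission type. The following is an added example, not code from the original post, that folds both cases (plus the service principal case named in the cmdlet list) into a single table-driven function. It validates the permission names against the value sets Set-AzKeyVaultAccessPolicy accepts before touching the vault, resolves every principal to an object Id so a missing user, group or application is reported rather than passed through, supports -WhatIf for a dry run, and reads the policy back afterwards so the run log shows what the vault actually holds. The vault name and the principal names are constructed placeholders; it assumes the Az.KeyVault and Az.Resources modules, Connect-AzAccount already run, the -UserPrincipalName parameter of Get-AzADUser, the -DisplayName parameter of Get-AzADGroup and Get-AzADServicePrincipal, and the AccessPolicies property returned by Get-AzKeyVault.

```powershell
# Added example (not from the original post): table-driven access policy assignment with
# permission validation, -WhatIf support and a read-back check. Vault and principal names
# below are constructed placeholders.

$VaultName = 'kv-sql-secrets-dev'

# Permission names accepted by -PermissionsToKeys / -PermissionsToSecrets (documented value sets).
# Checking against them catches a typo such as "lsit" before anything in the vault is changed.
$ValidKeyPerms    = 'get','list','update','create','import','delete','recover','backup','restore',
                    'decrypt','encrypt','unwrapKey','wrapKey','verify','sign','purge','all'
$ValidSecretPerms = 'get','list','set','delete','backup','restore','recover','purge','all'

# One entry per principal. Type is User, Group or App; an empty Keys/Secrets string means "No access".
$Entries = @(
    @{ Type = 'User';  Name = 'User01@contsodev.com'; Keys = 'all';             Secrets = 'get,list' }
    @{ Type = 'Group'; Name = 'Group02';               Keys = '';                Secrets = 'set,get,list,delete' }
    @{ Type = 'App';   Name = 'app-sql-reader';        Keys = 'encrypt,decrypt'; Secrets = '' }
)

function Split-PermissionList {
    # Turns "get, list" into @('get','list') and '' into an empty array.
    param([string]$List)
    if ([string]::IsNullOrWhiteSpace($List)) { return @() }
    return @($List.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Resolve-PrincipalObjectId {
    # Looks up the directory object Id for a user, group or service principal; $null when not found.
    param([string]$Type, [string]$Name)
    $obj = switch ($Type) {
        'User'  { Get-AzADUser -UserPrincipalName $Name }
        'Group' { Get-AzADGroup -DisplayName $Name }
        'App'   { Get-AzADServicePrincipal -DisplayName $Name }
        default { $null }
    }
    if ($null -eq $obj) { return $null }
    # Display names are not unique; refuse to guess if more than one object matched.
    if (@($obj).Count -ne 1) { throw "Expected exactly one match for $Type '$Name', got $(@($obj).Count)" }
    return $obj.Id
}

function Grant-VaultAccessPolicies {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$VaultName, [array]$Entries)

    foreach ($e in $Entries) {
        $keys    = @(Split-PermissionList $e.Keys)
        $secrets = @(Split-PermissionList $e.Secrets)

        # Fail fast on unknown permission names instead of letting the cmdlet error half-way through the run.
        $badKeys    = @($keys    | Where-Object { $_ -notin $ValidKeyPerms })
        $badSecrets = @($secrets | Where-Object { $_ -notin $ValidSecretPerms })
        if ($badKeys.Count -gt 0 -or $badSecrets.Count -gt 0) {
            Write-Host "[$($e.Name)] skipped: unknown permissions [$(($badKeys + $badSecrets) -join ',')]" -ForegroundColor Red
            continue
        }
        if ($keys.Count -eq 0 -and $secrets.Count -eq 0) {
            Write-Host "[$($e.Name)] skipped: no permissions requested"
            continue
        }

        $objectId = Resolve-PrincipalObjectId -Type $e.Type -Name $e.Name
        if ($null -eq $objectId) {
            Write-Host "[$($e.Name)] does not exist as $($e.Type)" -ForegroundColor Red
            continue
        }

        # Same pattern as the post: one call per permission type, only when that type is requested.
        if ($keys.Count -gt 0 -and $PSCmdlet.ShouldProcess("$($e.Name) on $VaultName", "Grant key permissions: $($keys -join ',')")) {
            Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $objectId -PermissionsToKeys $keys
        }
        if ($secrets.Count -gt 0 -and $PSCmdlet.ShouldProcess("$($e.Name) on $VaultName", "Grant secret permissions: $($secrets -join ',')")) {
            Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $objectId -PermissionsToSecrets $secrets
        }

        # Read the entry back so the run log records what the vault holds for this principal now.
        $policy = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies | Where-Object { $_.ObjectId -eq $objectId }
        Write-Host "[$($e.Name)] keys=[$($policy.PermissionsToKeys -join ',')] secrets=[$($policy.PermissionsToSecrets -join ',')]"
    }
}

# Dry run first (prints what would be granted, changes nothing), then apply.
Grant-VaultAccessPolicies -VaultName $VaultName -Entries $Entries -WhatIf
Grant-VaultAccessPolicies -VaultName $VaultName -Entries $Entries
```

Resolving every principal to an object Id means a single -ObjectId code path serves users, groups and applications, and it keeps the existence check from the first group variant above for all three. The read-back at the end also makes the 1024-entry limit mentioned in the introduction easy to watch: counting (Get-AzKeyVault -VaultName $VaultName).AccessPolicies after a run shows how many entries the vault carries.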
Conclusion
In this blog we explored how to assign key vault access policies to multiple users and multiple security groups using PowerShell.
Did you find this blog easy to follow and helpful to you? Let me know in the comments below.
Disclaimer
Purpose of the code contained in blog is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.