Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Working With Azure Key Vault Using Azure PowerShell and AzureCLI

This is second part of Create key vault and secrets with access policies in Microsoft Azure, In the this article I will use Powershell and Azure CLI to create and configure Azure Key Vault resource service. Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets. In the first example In the first example I am using Microsoft Powershell Az module to deploy and configure Key vault.

Connect-AzAccount The 'Connect-AzAccount' command was found in the module 'Az.Accounts', but the module could not be loaded
Powershell Azure Az module Install-Package cannot convert value 2.0.0-preview to type system.version

PowerShell Az module example
First cmdlet connects to azure using az module and creates a new key vault resource. Download this script here or available on github.com.

#Login to the Azure Account Connect-AzAccount

Account                SubscriptionName         TenantId                             Environment
-------                ----------------         --------                             -----------
janvi@vcloud-lab.com   Sponsership-by-Microsoft 3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx AzureCloud

#Create a new Azure Key vault resource, I have already created a Resource groupNew-AzKeyVault -Name vCloud01Vault -ResourceGroupName vcloud-lab.com -Location 'East US' -Sku Standard

Vault Name                          : vCloud01Vault
Resource Group Name                 : vcloud-lab.com
Location                            : East US
Resource ID                         : /subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.KeyVault/vaults/vCloud01Vault
Vault URI                           : https://vcloud01vault.vault.azure.net/
Tenant ID                           : 3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SKU                                 : Standard
Enabled For Deployment?             : False
Enabled For Template Deployment?    : False
Enabled For Disk Encryption?        : False
Enabled For RBAC Authorization?     : False
Soft Delete Enabled?                : True
Enabled Purge Protection?           :
Soft Delete Retention Period (days) : 90
Enabled Purge Protection?           :
Access Policies                     :
                                      Tenant ID                                  : 3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
                                      Object ID                                  : 3863xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
                                      Application ID                             :
                                      Display Name                               : Janvi (janvi@vcloud-lab.com)
                                      Permissions to Keys                        : get, create, delete, list, update, import, backup, restore, recover
                                      Permissions to Secrets                     : get, list, set, delete, backup, restore, recover
                                      Permissions to Certificates                : get, delete, list, create, import, update, deleteissuers, getissuers, listissuers, managecontacts, 
                                      manageissuers, setissuers, recover, backup, restore
                                      Permissions to (Key Vault Managed) Storage : delete, deletesas, get, getsas, list, listsas, regeneratekey, set, setsas, update, recover,        
                                      backup, restore


Network Rule Set                    :
                                      Default Action                             : Allow
                                      Bypass                                     : AzureServices
                                      IP Rules                                   :
                                      Virtual Network Rules                      :

Tags 

#View the information of installed KeyVault
> Get-AzkeyVault -VaultName vCloud01Vault                               :

Microsoft Azure Key vault connect-azaccount tenantid subscription environment azurecloud resource group new-azkeyvault sku location vault uri network rule access policies.png

Once Key vault is created in azure, generate a secret on it with encrypted password string, next configure Access policy to provide access on key vault secret to Azure AD user principal.

#Encrypt password string and create/genrate Key vault secret$secretValue = ConvertTo-SecureString -String 'T0p$ecret' -AsPlainText -ForceSet-AzKeyVaultSecret -VaultName vCloud01Vault -Name RootSecret -SecretValue $secretValue -ContentType 'ESXi root password'

Vault Name   : vcloud01vault
Name         : RootSecret
Version      : a97eabdb6cd0499fb30721b0a4784a87
Id           : https://vcloud01vault.vault.azure.net:443/secrets/RootSecret/a97eabdb6cd0499fb30721b0a4784a87
Enabled      : True
Expires      :
Not Before   :
Created      : 06-04-2021 16:53:14
Updated      : 06-04-2021 16:53:14
Content Type : ESXi root password
Tags         :

#Configure Access Policy for Azure key vault
> Set-AzKeyVaultAccessPolicy -VaultName vCloud01Vault -UserPrincipalName vaultviewer@vcloud-lab.com -PermissionsToSecrets Get,List

Microsoft azure portal convertto-securestring asplaintext set-azkeyvaultsecret powershell az module subscription tenant id content type set-azkeyvaultaccesspolicy vaultname userprincipalname azuread.png

I have already create a new user account vaultviewer on Azure Active directory for testing Creating a new user in Azure AD using oneliner PowerShell and Azure CLI. Next get and store the key vault information in variable to know ResourceID which I will use when assinging role (Key Vault Reader) to user principal on the keyvault. (In my case user principal name is vaultviewer)

#Get information of Key Vault, and grab Resource ID.$keyVault = Get-AzkeyVault -VaultName vCloud01Vault$keyVault.ResourceID

/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.KeyVault/vaults/vCloud01Vault
                                                                                                                                           [19:19]
#Add user role assignement to Key vaultNew-AzRoleAssignment -SignInName vaultviewer@vcloud-lab.com -RoleDefinitionName 'Key Vault Reader' -Scope $keyVault.ResourceID

RoleAssignmentId   : /subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.KeyVault/vaults/vCloud01Vault/providers/Microsoft.Authoriza
                     tion/roleAssignments/a0930a57-59f4-4429-942a-23722cd25ec6
Scope              : /subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.KeyVault/vaults/vCloud01Vault
DisplayName        : vault viewer
SignInName         : vaultviewer@vcloud-lab.com
RoleDefinitionName : Key Vault Reader
RoleDefinitionId   : 21090545-7ca7-4776-b22c-e363652d74d2
ObjectId           : 8ab61685-c967-460d-8152-7d41b54449fe
ObjectType         : User
CanDelegate        : False
Description        :
ConditionVersion   :
Condition          : 

Microsoft azure portal powershell az module key vault secret get-azkeyvault vaultname resourceid new-azroleassignment signinname roledefinitionname key vault reader objectid scope.png

Logout of Azure powershell account with Disconnect-AzAccount and login with the user (in my case vaultviewer), Get the key vault secret and convert the secure string to readable plain text password with below commands.

#Login to the Azure with user principal (run Disconnect-AzAccount to log out from azure)Connect-AzAccount

#Get the azure key vault secret and convert the secure string to plaintext$keyVaultSecret = Get-AzKeyVaultSecret -VaultName vCloud01Vault -Name RootSecret
❯ $password = ConvertFrom-SecureString $keyVaultSecret.SecretValue -AsPlainText$password

T0p$ecret

Microsoft Azure Powershell az module azurerm arm get-azkeyvaultsecret vaultname convertfrom-securestring key vault secret key secretvalue asplaintext password certificate key vault.png

AzureCLI example

Login to the AzureCLI, All the Az command generate output in JSON format.

Microsoft powershell azure azurecli az login subscription azurecloud azure cli tenantid subscription microsoftonline oauth2 authorize azure key vault secret.png

az login

The default web browser has been opened at https://login.microsoftonline.com/common/oauth2/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
You have logged in. Now let us find all the subscriptions to which you have access...
The following tenants don't contain accessible subscriptions. Use 'az login --allow-no-subscriptions' to have tenant level access.
a59fb284-02ec-4a72-a79a-4a6b6105ab9d 'vcloud-lab.com'
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "id": "9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Sponsership-by-Microsoft",
    "state": "Enabled",
    "tenantId": "3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "user": {
      "name": "janvi@vcloud-lab.com",
      "type": "user"
    }
  }
]

Create a new Azure Key Vault resource, note down the resource ID I will use it later in the command.

Microsoft Azure Powershell azure cli azurecli az keyvault create --name --resource-group --location --sku create key vault secret standard access policies.png

az keyvault create --name vCloud02Vault --resource-group vcloud-lab.com --location 'East US' --sku Standard

{
  "id": "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.KeyVault/vaults/vCloud02Vault",
  "location": "eastus",
  "name": "vCloud02Vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "38638e40-4971-4648-971d-2ee1f40724eb",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": null,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "softDeleteRetentionInDays": 90,
    "tenantId": "3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "vaultUri": "https://vcloud02vault.vault.azure.net/"
  },
  "resourceGroup": "vcloud-lab.com",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

Once key vault is created, setup a new secret and set attribute content type (description) on to it.

Microsoft azure powershell azurecli az keyvault secret set --vault-name -value secret password az keyvault secret set-attibutes --content-type tags automation powershell azure cli.png

az keyvault secret set --name RootSecret --vault-name vCloud02Vault --value 'P@ssw0rd'

{
  "attributes": {
    "created": "2021-04-08T07:57:29+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2021-04-08T07:57:29+00:00"
  },
  "contentType": null,
  "id": "https://vcloud02vault.vault.azure.net/secrets/RootSecret/03d6fd62056a4790a8982b1a75f320f8",
  "kid": null,
  "managed": null,
  "name": "RootSecret",
  "tags": {
    "file-encoding": "utf-8"
  },
  "value": "P@ssw0rd"
}
                                                                                                                                           [13:27]  
❯ az keyvault secret set-attributes --name RootSecret --vault-name vCloud02Vault --content-type 'Esxi Root Password'

{
  "attributes": {
    "created": "2021-04-08T07:57:29+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2021-04-08T07:57:39+00:00"
  },
  "contentType": "Esxi Root Password",
  "id": "https://vcloud02vault.vault.azure.net/secrets/RootSecret/03d6fd62056a4790a8982b1a75f320f8",
  "kid": null,
  "managed": null,
  "name": "RootSecret",
  "tags": {
    "file-encoding": "utf-8"
  },
  "value": null
}

Next get the complete information of AzureAD user whom i will provide Key vault access policy and role, Grab ObjectId from the list.

Microsoft azure portal az ad user show --id object id key vault powershell azurecli azure cli azure active directory azuread key vault secret certificate access policy.png

az ad user show --id vaultviewer@vcloud-lab.com

{
  "accountEnabled": true,
  "ageGroup": null,
  "assignedLicenses": [],
  "assignedPlans": [],
  "city": null,
  "companyName": null,
  "consentProvidedForMinor": null,
  "country": null,
  "createdDateTime": "2021-04-03T10:35:37Z",
  "creationType": null,
  "deletionTimestamp": null,
  "department": null,
  "dirSyncEnabled": null,
  "displayName": "vault viewer",
  "employeeId": null,
  "facsimileTelephoneNumber": null,
  "givenName": null,
  "immutableId": null,
  "isCompromised": null,
  "jobTitle": null,
  "lastDirSyncTime": null,
  "legalAgeGroupClassification": null,
  "mail": null,
  "mailNickname": "vaultviewer",
  "mobile": null,
  "objectId": "8ab61685-c967-460d-8152-7d41b54449fe",
  "objectType": "User",
  "odata.metadata": "https://graph.windows.net/3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/$metadata#directoryObjects/@Element",
  "odata.type": "Microsoft.DirectoryServices.User",
  "onPremisesDistinguishedName": null,
  "onPremisesSecurityIdentifier": null,
  "otherMails": [],
  "passwordPolicies": null,
  "passwordProfile": null,
  "physicalDeliveryOfficeName": null,
  "postalCode": null,
  "preferredLanguage": null,
  "provisionedPlans": [],
  "provisioningErrors": [],
  "proxyAddresses": [],
  "refreshTokensValidFromDateTime": "2021-04-03T12:10:20Z",
  "showInAddressList": null,
  "signInNames": [],
  "sipProxyAddress": null,
  "state": null,
  "streetAddress": null,
  "surname": null,
  "telephoneNumber": null,
  "thumbnailPhoto@odata.mediaEditLink": "directoryObjects/8ab61685-c967-460d-8152-7d41b54449fe/Microsoft.DirectoryServices.User/thumbnailPhoto",
  "usageLocation": null,
  "userIdentities": [],
  "userPrincipalName": "vaultviewer@vcloud-lab.com",
  "userState": null,
  "userStateChangedOn": null,
  "userType": "Member"
}

Using the User Object ID and Key vault resource ID (earlier shown in the command) set a secret access policy on the keyvault. In the Json output you can see the newly provided access.

Microsoft azure portal az keyvault set-policy --object-id --secret-permissions powershell azure cli key vault secret key certificate access policies rbac role defination get list create delete tenant.png

az keyvault set-policy --name vCloud02Vault --object-id 8ab61685-c967-460d-8152-7d41b54449fe --secret-permissions get list

{
  "id": "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.KeyVault/vaults/vCloud02Vault",
  "location": "eastus",
  "name": "vCloud02Vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "38638e40-4971-4648-971d-2ee1f40724eb",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      },
      {
        "applicationId": null,
        "objectId": "8ab61685-c967-460d-8152-7d41b54449fe",
        "permissions": {
          "certificates": null,
          "keys": null,
          "secrets": [
            "list",
            "get"
          ],
          "storage": null
        },
        "tenantId": "3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": null,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "softDeleteRetentionInDays": 90,
    "tenantId": "3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "vaultUri": "https://vcloud02vault.vault.azure.net/"
  },
  "resourceGroup": "vcloud-lab.com",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

After key vault access policy configuration, configure role (key vault reader) assignment access to the user on key vault ID got earlier.

Microsoft Azure Powershell Azurecli az role assignment create --assignee key vault azure ad active directory --role reader subscriptions resourcegroup provider certificate.png

az role assignment create --assignee vaultviewer@bishopal.com --role 'Key Vault Reader' --scope /subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.KeyVault/vaults/vCloud02Vault

{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.KeyVault/vaults/vCloud02Vault/providers/Microsoft.Authorization/roleAssignments/5dd58787-27c1-4e91-939b-20ac020f5652",
  "name": "5dd58787-27c1-4e91-939b-20ac020f5652",
  "principalId": "8ab61685-c967-460d-8152-7d41b54449fe",
  "principalType": "User",
  "resourceGroup": "vcloud-lab.com",
  "roleDefinitionId": "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "scope": "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.KeyVault/vaults/vCloud02Vault",
  "type": "Microsoft.Authorization/roleAssignments"
}

Re login to the azure with vaultviewer account to test if you can access and show/Retrieve secret value from the azure key vault.

Microsoft powershell azure az module az login az keyvault secret show key vault --vault-name secret value root password azure password vault root secret tenant subscription azure ad active directory.png

az login
The default web browser has been opened at https://login.microsoftonline.com/common/oauth2/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
You have logged in. Now let us find all the subscriptions to which you have access...
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "id": "9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Sponsership-by-Microsoft",
    "state": "Enabled",
    "tenantId": "3b80xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "user": {
      "name": "vaultviewer@vcloud-lab.com",
      "type": "user"
    }
  }
]

❯ az keyvault secret show --name RootSecret --vault-name vCloud02Vault
{
  "attributes": {
    "created": "2021-04-08T07:57:29+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2021-04-08T07:57:39+00:00"
  },
  "contentType": "Esxi Root Password",
  "id": "https://vcloud02vault.vault.azure.net/secrets/RootSecret/03d6fd62056a4790a8982b1a75f320f8",
  "kid": null,
  "managed": null,
  "name": "RootSecret",
  "tags": {
    "file-encoding": "utf-8"
  },
  "value": "P@ssw0rd"
}

Download this script here or available on github.com.

Useful Articles
CREATE NEW NSG (NETWORK SECURITY GROUP - VIRTUAL FIREWALL ACL) ON MICROSOFT AZURE  
POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL
MICROSOFT AZURE POWERSHELL: CREATING NEW NSG (NETWORK SECURITY GROUP)
MICROSOFT AZURE POWERSHELL: CLONING (COPING) OR IMPORTING EXISTING NSG (NETWORK SECURITY GROUP) FROM EXCEL

Go Back

Comment

Blog Search

Page Views

11240767

Follow me on Blogarama