
Azure Key Vault Access Policy Doesn't Work For Groups

Access policies via groups on Azure Key Vault don't seem to work.

If I create a new key vault

New-AzureRmKeyVault -VaultName $vaultName

And check the keys (which there aren't any of currently)

Get-AzureKeyVaultKey -VaultName $vaultName

That works.

If I add access to a group that the current user is a member of

$group = (Get-AzureRmADGroup -SearchString 'All Developers')[0].Id
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -ObjectId $group -PermissionsToKeys all -PermissionsToSecrets all

And remove direct access

Remove-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -UserPrincipalName $upn

The list operation now fails

Get-AzureKeyVaultKey -VaultName $vaultName

Get-AzureKeyVaultKey : Operation "list" is not allowed

How can I permission by group?

Asked by Jeff, Feb 23 '16 21:02


1 Answer

The reason that adding an access policy for a group doesn't work is that it isn't supported. If you look at the help for Set-AzureRmKeyVaultAccessPolicy, there is this for ObjectId:

-ObjectId <Guid>
    Specifies the object ID of the user or service principal in Azure Active Directory for which to grant permissions.

    Required?                    true
    Position?                    named
    Default value                none
    Accept pipeline input?       true(ByPropertyName)
    Accept wildcard characters?  false

As you can see, ObjectId only supports either service principals or users.

This is reflected in the parameters in the source code for Set-AzureRmKeyVaultAccessPolicy and, further up the chain, in the REST API when posting to

    https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{vault-name}?api-version={api-version}

The payload contains the objectId parameter, which is defined as:

Specifies the object ID of a user or service principal in the Azure Active Directory tenant for the vault. The ID must be specified as a GUID.

I would imagine that this functionality will be added at some point in the future, but at the moment it isn't possible.

Answered by Michael B, Oct 13 '22 14:10
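Two things a practitioner would want given the answer above: a way to audit a vault for access-policy entries whose ObjectId is a group (the API accepts them but, per the answer, they grant nothing, so they are a silent misconfiguration), and a workaround that expands the group into its members and grants each one an individual policy. This is an added example, not code from the question, the answer or Microsoft; it assumes the legacy AzureRM modules the page uses, a logged-in session, the page's $vaultName and $resourceGroupName variables, and that the PSADObject members returned by Get-AzureRmADGroupMember expose Id, DisplayName and Type.

```powershell
# Added example; assumes an existing Login-AzureRmAccount session and the
# AzureRM modules used on this page. Only $vaultName, $resourceGroupName and the
# group name 'All Developers' are taken from the question.

# Audit: return access-policy entries whose ObjectId resolves to an AAD group.
# The API stores them, but they grant no access, so they should be removed
# or replaced rather than trusted.
function Find-GroupAccessPolicies {
    param([string]$VaultName, [string]$ResourceGroupName)
    $vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    foreach ($policy in $vault.AccessPolicies) {
        $group = Get-AzureRmADGroup -ObjectId $policy.ObjectId -ErrorAction SilentlyContinue
        if ($group) {
            [pscustomobject]@{
                ObjectId  = $policy.ObjectId
                GroupName = $group.DisplayName
                Keys      = ($policy.PermissionsToKeys -join ',')
                Secrets   = ($policy.PermissionsToSecrets -join ',')
            }
        }
    }
}

# Workaround: expand the group once and grant each user / service principal
# member its own policy. Membership changes are not tracked, so re-run this
# (and revoke departed members) whenever the group changes.
function Grant-VaultAccessToGroupMembers {
    param(
        [string]$VaultName,
        [string]$ResourceGroupName,
        [string]$GroupName,
        [string[]]$PermissionsToKeys    = @('get', 'list'),   # least privilege by default,
        [string[]]$PermissionsToSecrets = @('get', 'list')    # not 'all' as in the question
    )
    $groupId = (Get-AzureRmADGroup -SearchString $GroupName)[0].Id
    foreach ($member in Get-AzureRmADGroupMember -GroupObjectId $groupId) {
        # A nested group would hit the same limitation; skip it instead of
        # pretending the grant works. (Assumes PSADObject exposes .Type.)
        if ($member.Type -eq 'Group') {
            Write-Warning "Skipping nested group $($member.DisplayName); expand it separately"
            continue
        }
        Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
            -ObjectId $member.Id -PermissionsToKeys $PermissionsToKeys -PermissionsToSecrets $PermissionsToSecrets
    }
}

Find-GroupAccessPolicies -VaultName $vaultName -ResourceGroupName $resourceGroupName
Grant-VaultAccessToGroupMembers -VaultName $vaultName -ResourceGroupName $resourceGroupName -GroupName 'All Developers'
```

The per-member grants are visible in Get-AzureRmKeyVault's AccessPolicies output, so the same audit function can be used afterwards to confirm no group ObjectIds remain.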