iTranslated by AI

The content below is an AI-generated translation. This is an experimental feature, and may contain errors. View original article
🔐

How to configure Azure Key Vault RBAC permissions using Azure PowerShell

に公開
Azure
PowerShell
rbac
Key Vault
tech

Solution

Here is a script to set Key Vault RBAC permissions using Azure PowerShell:

# Log in to Azure PowerShell
Connect-AzAccount

# Get Object ID of the current user
$currentUser = Get-AzADUser -SignedIn
$currentUserObjectId = $currentUser.Id

# Set Key Vault information
$keyVaultName = "your-key-vault-name"
$resourceGroupName = "your-resource-group-name"

# Get resource ID of the Key Vault
$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
$keyVaultId = $keyVault.ResourceId

# Get required role definitions
$secretsOfficerRole = Get-AzRoleDefinition "Key Vault Secrets Officer"
$cryptoOfficerRole = Get-AzRoleDefinition "Key Vault Crypto Officer"

# Role assignment
New-AzRoleAssignment -ObjectId $currentUserObjectId -RoleDefinitionId $secretsOfficerRole.Id -Scope $keyVaultId
New-AzRoleAssignment -ObjectId $currentUserObjectId -RoleDefinitionId $cryptoOfficerRole.Id -Scope $keyVaultId

# Display results
Write-Host "RBAC roles have been successfully assigned."
Write-Host "Key Vault Name: $keyVaultName"
Write-Host "Resource Group: $resourceGroupName"
Write-Host "User Object ID: $currentUserObjectId"
Write-Host "Assigned Roles: Key Vault Secrets Officer, Key Vault Crypto Officer"

Explanation

This Azure PowerShell script operates through the following steps:

  1. Log in to Azure PowerShell.
  2. Retrieve the Object ID of the current user.
  3. Retrieve the resource ID of the specified Key Vault.
  4. Retrieve the definitions for the required roles (Secrets Officer and Crypto Officer).
  5. Assign both roles to the current user.
  6. Display the processing results.

Additional Information

  • Before running this script, ensure that the Azure PowerShell module is installed.
  • Replace your-key-vault-name and your-resource-group-name in the script with actual values.
  • This script only works for Key Vaults that have RBAC enabled.
  • The user running the script must have the authority to assign roles for the Key Vault.

For security reasons, it is recommended to grant only the minimum necessary permissions.

Discussion