Skip to content

Commit

Permalink
replace policies with roles in kv (#267)
Browse files Browse the repository at this point in the history 
Co-authored-by: Hattan Shobokshi <[email protected]>
  • Loading branch information
@PabloZaiden @hattan
PabloZaiden and hattan authored Jul 22, 2024
1 parent 8f42ba8 commit 0615d6f
Showing 1 changed file with 18 additions and 9 deletions.
27 changes: 18 additions & 9 deletions scripts/install/provision.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,10 @@ deploy_dependencies() {
_information "Creating Key Vault: ${KV_NAME}"
kv_id=$(create_kv | jq -r .id)

# Create KV role assignment for the current logged in user
local _current_az_user=$(az ad signed-in-user show --query id -o tsv)
create_kv_role_assignment "Key Vault Administrator" "${_current_az_user}" "${KV_NAME}"

# Create SA
_information "Creating Storage Account: ${SA_NAME}"
create_sa "${SA_NAME}" "Standard_LRS" "SystemAssigned"
Expand Down Expand Up @@ -241,8 +245,8 @@ deploy_dependencies() {
clientId=$(echo "${sp_reader_obj}" | jq -r .appId)
set_kv_secret 'readerClientId' "${clientId}" "${KV_NAME}"

_information "Assign access policies for Reader Service Principal (${SP_READER_NAME}) to Key Vault ${KV_NAME}"
set_kv_secret_policies "${KV_NAME}" "${clientId}"
_information "Assign Reader role for Reader Service Principal (${SP_READER_NAME}) to Key Vault ${KV_NAME}"
create_kv_role_assignment "Key Vault Reader" "${clientId}" "${KV_NAME}"

_information "Saving Reader Service Principal (${SP_READER_NAME}) to Key Vault secret 'readerClientSecret'."
clientSecret=$(echo "${sp_reader_obj}" | jq -r .password)
Expand Down Expand Up @@ -339,6 +343,18 @@ create_kv() {
az keyvault create --resource-group "${RG_NAME}" --location "${LOCATION}" --name "${KV_NAME}" --enabled-for-template-deployment true --public-network-access Enabled
}

create_kv_role_assignment() {
local _role="${1}"
local _sp_app_id="${2}"
local _kvName="${3}"

local _scope=$(az keyvault show --name "${_kvName}" --query id -o tsv)
az role assignment create --role "${_role}" --assignee "${_sp_app_id}" --scope "${_scope}"

_information "sleep for 20 seconds to allow the role assignment to take effect"
sleep 20
}

create_sp() {
local _display_name="${1}"
local _role="${2}"
Expand Down Expand Up @@ -388,10 +404,3 @@ set_kv_secret() {

az keyvault secret set --name "${_name}" --value "${_value}" --vault-name "${_vault_name}"
}

set_kv_secret_policies() {
local _vault_name="${1}"
local _sp_app_id="${2}"

az keyvault set-policy --name "${_vault_name}" --secret-permissions get list backup restore --spn "${_sp_app_id}"
}

0 comments on commit 0615d6f

Please sign in to comment.