0
votes

We are facing an issue while setting the permission for a backup management service (262044b1-e2ce-469f-a196-69ab7ada62d3) in the key vault.

We are running the below code in an automation account with a service principal which does not have permission to Windows Azure Directory and Microsoft Graph.

Set-AzureRmKeyVaultAccessPolicy -VaultName MAHSEN-KEY-00010-DEV -ResourceGroupName MAHSBC-RGP-DEV-ARM-TEMPLATE-008 -AzureRmContext $context -PermissionsToSecrets backup,get,list -ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3 

We get the error “Insufficient privileges to complete the operation”.

When we run the same code where the automation account has permission to the Windows Azure Active Directory with “Read directory data” permissions, we are able to run the commands successfully, as shown below in the screenshots.

Can you please confirm if the Windows Azure Active Directory permissions are required to use the Set-AzureRmKeyVaultAccessPolicy command?

[screenshots not reproduced]

1 Answer

4
votes

Key Vault access policies are based on AAD object IDs. When calling Set-AzureRmKeyVaultAccessPolicy and specifying a ServicePrincipal, or anything other than an ObjectId, the cmdlet needs to translate the ServicePrincipal to an AAD object ID by querying AAD directly. This is done before calling Key Vault with the updated policy.

To prevent the need for an AAD query, look up the object ID of the service principal ahead of time. Then pass the object ID to the 'ObjectId' parameter. You should also pass the 'BypassObjectIdValidation' parameter to indicate that the cmdlet should not try to validate the value of the ObjectId parameter with AAD.

You can look up the object ID of a service principal by running the following command while signed in as a user that has query permissions in AAD.

Get-AzureRmADServicePrincipal -ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3

Use the returned 'Id:' field in your Set-AzureRmKeyVaultAccessPolicy command like this:

Set-AzureRmKeyVaultAccessPolicy -VaultName VNAME -ResourceGroupName RGROUP -AzureRmContext $context -PermissionsToSecrets backup,get,list -ObjectID 00000000-0000-0000-0000-000000000000 -BypassObjectIdValidation

Where 00000000-0000-0000-0000-000000000000 should be replaced by the actual object ID of your service principal.
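The two-step procedure from the answer, carried through end to end, as an added example that is not part of the original question or answer. It assumes the AzureRm module, an already-established $context in the runbook (as in the question), an Automation variable asset named BackupServiceObjectId for passing the pre-resolved object ID into the runbook, and placeholder vault and resource group names; the application ID is the one from the question. The verification at the end exists because -BypassObjectIdValidation means a mistyped GUID is accepted silently and written as a dangling policy entry, so the runbook should read the vault back and confirm the entry it intended to create is actually there with the expected permissions.

```powershell
# Step 1 - run once, interactively, as a user who can read the directory.
# Resolve the application (client) ID of the backup service to its AAD object ID.
$appId = '262044b1-e2ce-469f-a196-69ab7ada62d3'   # application ID from the question
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
if (-not $sp) { throw "No service principal found for application ID $appId" }
$objectId = $sp.Id
Write-Output "Object ID for $appId is $objectId"
# Store $objectId as the Automation variable 'BackupServiceObjectId' (assumed asset name).

# Step 2 - runbook body, running under the Run As service principal that has
# no directory read permission. Because -ObjectId is supplied directly and
# validation is bypassed, the cmdlet never queries AAD and the
# "Insufficient privileges" error does not occur.
$vaultName = 'VNAME'    # placeholder
$rgName    = 'RGROUP'   # placeholder
$objectId  = Get-AutomationVariable -Name 'BackupServiceObjectId'   # assumed asset name

Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgName `
    -AzureRmContext $context `
    -ObjectId $objectId -PermissionsToSecrets backup,get,list `
    -BypassObjectIdValidation

# Step 3 - verify. With validation bypassed, Key Vault accepts any well-formed
# GUID, so read the vault back and check that the policy entry exists and
# carries exactly the secret permissions we meant to grant.
$vault  = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgName -AzureRmContext $context
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $objectId }
if (-not $policy) { throw "Access policy for object ID $objectId was not written" }

$expected = @('backup', 'get', 'list')
$missing  = $expected | Where-Object { $policy.PermissionsToSecrets -notcontains $_ }
if ($missing) { throw "Policy is missing secret permissions: $($missing -join ', ')" }

$extra = $policy.PermissionsToSecrets | Where-Object { $expected -notcontains $_ }
if ($extra) { Write-Warning "Policy grants more than requested: $($extra -join ', ')" }

Write-Output "Access policy for $objectId verified: $($policy.PermissionsToSecrets -join ', ')"
```

Keep step 1 out of the runbook: it is the only part that needs directory read rights, and running it once by hand is what lets the Run As principal stay without any AAD permission. If you are on the newer Az module rather than AzureRm, the same pattern uses Get-AzADServicePrincipal, Set-AzKeyVaultAccessPolicy and Get-AzKeyVault, and Set-AzKeyVaultAccessPolicy also accepts -BypassObjectIdValidation.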