How to import key vault access policies?

I am trying to import multiple access policies into multiple key vaults in an Azure subscription.

I was able to export and populate a CSV with exactly what I need.

The problem I am running into is Import-Csv | ForEach-Object. Because Key Vault needs comma-separated values for the keys, secrets and certificates permissions, it does not work with my command, since the command is looking for a single variable.

Example: -PermissionsToKeys all, get, update

My PowerShell command:

Import-Csv -Path "C:\temp\kv-policies.csv" | ForEach-Object {
    Set-AzKeyVaultAccessPolicy -VaultName $_.KeyVaultName -UserPrincipalName $_.UPN `
        -PermissionsToCertificates $_.PermissionsToCertificatesStr `
        -PermissionsToKeys $_.PermissionsToKeysStr `
        -PermissionsToSecrets $_.PermissionsToSecretsStr
}

Error:

Set-AzKeyVaultAccessPolicy: Cannot validate argument on parameter 'PermissionsToCertificates'. The argument "string Substring(int startIndex), string Substring(int startIndex, int length)" does not belong to the set "all,get,list,delete,create,import,update,managecontacts,getissuers,listissuers,setissuers,deleteissuers,manageissuers,recover,purge,backup,restore" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again. At line:2 char:112
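The row-by-row fix the question is asking about, as an added example that is not part of the question or of the answer below: the -PermissionsTo* parameters are string[], so each comma-separated cell has to be split into an array before it is passed. The CSV column names (KeyVaultName, UPN, PermissionsToKeysStr, PermissionsToSecretsStr, PermissionsToCertificatesStr) are taken from the question; everything else (the function names, the result objects, the RBAC check) is an assumption of this example.

```powershell
# Added example (not code from the question or the answer): apply one access policy per
# CSV row with Set-AzKeyVaultAccessPolicy, splitting the comma-separated permission cells
# into the string[] the cmdlet expects.
# Assumed CSV columns, following the question: KeyVaultName, UPN, PermissionsToKeysStr,
# PermissionsToSecretsStr, PermissionsToCertificatesStr (cells like "get,list,update").
# Requires the Az.KeyVault module and an existing Connect-AzAccount session.

function ConvertTo-PermissionList {
    # "all, Get , update" -> @('all','get','update'); an empty cell -> @() (no permissions
    # in that category). The cmdlet's own ValidateSet still rejects unknown names.
    param([AllowNull()][string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    $list = @($Value -split ',' | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
    if ($list -contains 'all') { return @('all') }   # 'all' already covers the rest
    return $list
}

function Import-KeyVaultAccessPolicies {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$CsvPath)

    $vaults = @{}   # cache Get-AzKeyVault per vault name
    foreach ($row in Import-Csv -Path $CsvPath) {
        $name = $row.KeyVaultName
        if (-not $vaults.ContainsKey($name)) { $vaults[$name] = Get-AzKeyVault -VaultName $name }
        $vault = $vaults[$name]
        if (-not $vault) {
            [pscustomobject]@{ Vault = $name; Principal = $row.UPN; Status = 'Skipped: vault not found' }
            continue
        }
        # Access policies have no effect on a vault that uses the Azure RBAC permission
        # model; report that instead of "succeeding" silently.
        if ($vault.EnableRbacAuthorization) {
            [pscustomobject]@{ Vault = $name; Principal = $row.UPN; Status = 'Skipped: vault uses RBAC, assign a role instead' }
            continue
        }
        $params = @{
            VaultName                 = $name
            UserPrincipalName         = $row.UPN
            PermissionsToKeys         = ConvertTo-PermissionList $row.PermissionsToKeysStr
            PermissionsToSecrets      = ConvertTo-PermissionList $row.PermissionsToSecretsStr
            PermissionsToCertificates = ConvertTo-PermissionList $row.PermissionsToCertificatesStr
            ErrorAction               = 'Stop'
        }
        if (-not $PSCmdlet.ShouldProcess("$name / $($row.UPN)", 'Set-AzKeyVaultAccessPolicy')) { continue }
        try {
            Set-AzKeyVaultAccessPolicy @params | Out-Null
            [pscustomobject]@{ Vault = $name; Principal = $row.UPN; Status = 'Applied' }
        } catch {
            # A bad permission name or an unknown UPN fails only this row; the rest still run.
            [pscustomobject]@{ Vault = $name; Principal = $row.UPN; Status = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Dry run first, then apply and keep the per-row report:
# Import-KeyVaultAccessPolicies -CsvPath 'C:\temp\kv-policies.csv' -WhatIf
# Import-KeyVaultAccessPolicies -CsvPath 'C:\temp\kv-policies.csv' | Export-Csv 'C:\temp\kv-policies-result.csv' -NoTypeInformation
```

Two points worth keeping in mind when running it: the "Substring" text in the error message above is what PowerShell prints when a method reference such as $_.Column.Substring is passed without being called, so a similar error after this change means a column name in the CSV does not match the header the script expects; and because each call only touches the categories it is given, review the -WhatIf output before applying.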

I tried testing your scenario, but because we are doing this for multiple users and multiple permissions, updating the access policies with PowerShell is a limitation. So I suggest using an ARM template to assign multiple policies.

If it is multiple users and a single permission, then you can use your PowerShell script.

Step 1: To add multiple access policies for users, you need to get the objectID of the users as they appear in Azure AD.

You can use the CLI command:

# On Azure CLI 2.37 and later (Microsoft Graph based) the property is named "id", so use --query "id"
az ad user show --id "upn" --query "objectId"

Step 2: Then you can use the template below to add multiple access policies to the Key Vault.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "keyVaultName": {
        "type": "string"
      }
    },

    "resources": [
     {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "apiVersion": "2019-09-01",
      "properties": {
      "accessPolicies": [
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "UPN1ObjectID",
                        "permissions": {
                            "keys": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore",
                                "UnwrapKey",
                                "WrapKey"
                            ],
                            "secrets": [
                                "Get",
                                "List",
                                "Set",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore"
                            ],
                            "certificates": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore",
                                "ManageContacts",
                                "ManageIssuers",
                                "GetIssuers",
                                "ListIssuers",
                                "SetIssuers",
                                "DeleteIssuers"
                            ]
                        }
                    },
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "UPN2ObjectID",
                        "permissions": {
                            "keys": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore"
                            ],
                            "secrets": [
                                "Get",
                                "List",
                                "Set",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore"
                            ],
                            "certificates": [
                                "Get",
                                "List",
                                "Import",
                                "Update",
                                "Create"
                            ]
                        }
                    },
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "UPN3ObjectID",
                        "permissions": {
                            "keys": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore"
                            ],
                            "secrets": [
                                "Get",
                                "List",
                                "Set",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore"
                            ],
                            "certificates": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore",
                                "ManageContacts",
                                "ManageIssuers",
                                "GetIssuers",
                                "ListIssuers",
                                "SetIssuers",
                                "DeleteIssuers"
                            ]
                        }
                    }
                ]
            }
       }
    ]
}

Step 3: Now run Connect-AzAccount in PowerShell and execute the template with the command below.

New-AzResourceGroupDeployment -ResourceGroupName "keyvaultresourcegroup" -TemplateFile kvpolicies.json

It will prompt you for your key vault name; after you provide it, the access policies are added to the key vault.

Reference:

Create an Azure key vault and a vault access policy by using ARM template | Microsoft Docs
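The answer's template hard-codes each object ID. As an added example that is not the answer's own code or template, the deployment can be fed from the same CSV the question uses: the UPNs are resolved to object IDs in PowerShell (the answer's Step 1), the rows are grouped per vault, and the policies are handed to a variant of the answer's template that takes them as an array parameter. The CSV column names are those from the question; the function name, the template parameter name and the temporary file path are assumptions of this example.

```powershell
# Added example (not the answer's own code or template): feed the ARM deployment from the
# CSV instead of hard-coding object IDs. Assumes the CSV columns from the question
# (KeyVaultName, UPN, PermissionsToKeysStr, PermissionsToSecretsStr,
# PermissionsToCertificatesStr), the Az.Resources and Az.KeyVault modules, and Connect-AzAccount done.
# The template is a variant of the one in the answer: the policies arrive as a parameter.

$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName":   { "type": "string" },
    "accessPolicies": { "type": "array" }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "properties": { "accessPolicies": "[parameters('accessPolicies')]" }
    }
  ]
}
'@

function Publish-KeyVaultAccessPolicies {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$CsvPath)

    $templatePath = Join-Path ([IO.Path]::GetTempPath()) 'kv-accesspolicies.json'
    Set-Content -Path $templatePath -Value $template -Encoding utf8
    $tenantId = (Get-AzContext).Tenant.Id

    # One deployment per vault: the /add resource takes all of that vault's entries at once.
    foreach ($group in (Import-Csv -Path $CsvPath | Group-Object -Property KeyVaultName)) {
        $vault = Get-AzKeyVault -VaultName $group.Name
        if (-not $vault) { Write-Warning "Vault $($group.Name) not found, skipping"; continue }

        $policies = foreach ($row in $group.Group) {
            # Resolve the UPN to the Azure AD object ID the template needs (Step 1 of the answer).
            $user = Get-AzADUser -UserPrincipalName $row.UPN
            if (-not $user) { Write-Warning "User $($row.UPN) not found, skipping"; continue }
            @{
                tenantId    = $tenantId
                objectId    = $user.Id
                permissions = @{
                    keys         = @($row.PermissionsToKeysStr         -split ',' | ForEach-Object Trim | Where-Object { $_ })
                    secrets      = @($row.PermissionsToSecretsStr      -split ',' | ForEach-Object Trim | Where-Object { $_ })
                    certificates = @($row.PermissionsToCertificatesStr -split ',' | ForEach-Object Trim | Where-Object { $_ })
                }
            }
        }
        if (-not $policies) { continue }

        if ($PSCmdlet.ShouldProcess($group.Name, "Deploy $(@($policies).Count) access policies")) {
            New-AzResourceGroupDeployment -ResourceGroupName $vault.ResourceGroupName `
                -TemplateFile $templatePath `
                -TemplateParameterObject @{ keyVaultName = $group.Name; accessPolicies = @($policies) } `
                -ErrorAction Stop
        }
    }
}

# Publish-KeyVaultAccessPolicies -CsvPath 'C:\temp\kv-policies.csv' -WhatIf
# Publish-KeyVaultAccessPolicies -CsvPath 'C:\temp\kv-policies.csv'
```

The /add operation merges: it creates or overwrites the entries for the listed object IDs and leaves every other policy on the vault in place, so running it twice is safe. If the CSV is meant to be the authoritative list, deploy the same resource under the name "[concat(parameters('keyVaultName'), '/replace')]" instead, which drops entries that are not in the array; and as with the PowerShell cmdlet, none of this has any effect on a vault whose permission model is Azure RBAC.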