From 605771f2b0c2c3e002334913b78ff115a69b7c85 Mon Sep 17 00:00:00 2001
From: John Rampono
Date: Thu, 19 Aug 2021 19:30:22 +0800
Subject: [PATCH] Added Key Vault Access Policy to allow ADF MSI to access Key Vault
---
 solution/Deployment/environments/development.json | 2 +-
 .../workflows/CD_2a_CreateMSIs_AAD_Elevated.ps1 | 11 +++++++++++
 .../workflows/Steps/CD_ConfigureKeyVault.ps1 | 2 ++
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/solution/Deployment/environments/development.json b/solution/Deployment/environments/development.json
index 991b7da3..869d9785 100644
--- a/solution/Deployment/environments/development.json
+++ b/solution/Deployment/environments/development.json
@@ -8,7 +8,7 @@
 "BuildAdsGoFastDatabase": true
 },
 "CD": {
- "EnableDeploy": false,
+ "EnableDeploy": true,
 "EnableConfigure": true,
 "ServicePrincipals": {
 "DeploymentSP": {
diff --git a/solution/Deployment/workflows/CD_2a_CreateMSIs_AAD_Elevated.ps1 b/solution/Deployment/workflows/CD_2a_CreateMSIs_AAD_Elevated.ps1
index 3b7506b3..ec09007b 100644
--- a/solution/Deployment/workflows/CD_2a_CreateMSIs_AAD_Elevated.ps1
+++ b/solution/Deployment/workflows/CD_2a_CreateMSIs_AAD_Elevated.ps1
@@ -1,4 +1,5 @@
 az config set extension.use_dynamic_install=yes_without_prompt
+#Create MSIs
 if($env:AdsOpts_CD_Services_CoreFunctionApp_Enable -eq "True")
 {
 $id = $null
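Review bot: The `EnableDeploy` flip from `false` to `true` in development.json has nothing to do with the Key Vault access policy the commit title describes and reads like a local toggle that slipped into the commit. Because this is a checked-in environment file, the change presumably switches the deploy stage on for everyone who runs the CD workflow against this environment, not just the author. If that is intended, say so in the commit message; otherwise restore `"EnableDeploy": false,` and keep the configuration change out of this patch.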
@@ -19,6 +20,16 @@ if($env:AdsOpts_CD_Services_WebSite_Enable -eq "True") } } +#Get ADF MSI Id +$dfpid = ((az datafactory show --factory-name $env:AdsOpts_CD_Services_DataFactory_Name --resource-group $env:AdsOpts_CD_ResourceGroup_Name) | ConvertFrom-Json).identity.principalId +$dfoid = ((az ad sp show --id $dfpid) | ConvertFrom-Json).objectId +#Allow ADF to Read Key Vault +az keyvault set-policy --name $env:AdsOpts_CD_Services_KeyVault_Name --certificate-permissions get list --key-permissions get list --object-id $dfoid --resource-group $env:AdsOpts_CD_ResourceGroup_Name --secret-permissions get list --storage-permissions get --subscription $env:AdsOpts_CD_ResourceGroup_Subscription + + + + + #Give MSIs Required AD Privileges #Assign SQL Admin $cu = az ad signed-in-user show | ConvertFrom-Json diff --git a/solution/Deployment/workflows/Steps/CD_ConfigureKeyVault.ps1 b/solution/Deployment/workflows/Steps/CD_ConfigureKeyVault.ps1 index 8e47a919..1381e60c 100644 --- a/solution/Deployment/workflows/Steps/CD_ConfigureKeyVault.ps1 +++ b/solution/Deployment/workflows/Steps/CD_ConfigureKeyVault.ps1 
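Review bot: `$dfpid` and `$dfoid` are used unchecked on the added `az keyvault set-policy` line, so if `az datafactory show` fails or the factory has no managed identity the policy call runs with an empty `--object-id`, errors out, and the script carries on as if the grant had succeeded. Guard the lookup before the policy call, e.g. `if ([string]::IsNullOrEmpty($dfpid)) { throw "Data Factory managed identity not found" }`, matching the way the surrounding blocks gate on their `*_Enable` flags. The `az ad sp show` round trip also looks redundant: the `identity.principalId` of a managed identity is already the service principal's object id, so `--object-id $dfpid` should work directly and removes a directory-read dependency from this step. The grant is wider than the commit title suggests — it adds key, certificate and storage permissions alongside secrets; if ADF only needs to resolve secrets for its linked services, limit it to `--secret-permissions get list` and drop the other permission sets. The five trailing blank `+` lines should be trimmed.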
@@ -15,6 +15,8 @@ if($env:AdsOpts_CD_Services_KeyVault_Enable -eq "True") Write-Host "Enabling Access to KeyVault and Adding Secrets" #Set KeyVault Policy to allow logged in user to add key az keyvault set-policy --name $env:AdsOpts_CD_Services_KeyVault_Name --certificate-permissions backup create delete deleteissuers get getissuers import list listissuers managecontacts manageissuers purge recover restore setissuers update --key-permissions backup create decrypt delete encrypt get import list purge recover restore sign unwrapKey update verify wrapKey --object-id $AADUserId --resource-group $env:AdsOpts_CD_ResourceGroup_Name --secret-permissions backup delete get list purge recover restore set --storage-permissions backup delete deletesas get getsas list listsas purge recover regeneratekey restore set setsas update --subscription $env:AdsOpts_CD_ResourceGroup_Subscription + #Set KeyVault Policy to allow MSI for ADF to Retrieve Key Vault Key + #az keyvault set-policy --name $env:AdsOpts_CD_Services_KeyVault_Name --certificate-permissions backup create delete deleteissuers get getissuers import list listissuers managecontacts manageissuers purge recover restore setissuers update --key-permissions backup create decrypt delete encrypt get import list purge recover restore sign unwrapKey update verify wrapKey --object-id $AADUserId --resource-group $env:AdsOpts_CD_ResourceGroup_Name --secret-permissions backup delete get list purge recover restore set --storage-permissions backup delete deletesas get getsas list listsas purge recover regeneratekey restore set setsas update --subscription $env:AdsOpts_CD_ResourceGroup_Subscription #Save Function Key to KeyVault az keyvault secret set --name "AdsGfCoreFunctionAppKey" --vault-name $env:AdsOpts_CD_Services_KeyVault_Name --disabled false --subscription $env:AdsOpts_CD_ResourceGroup_Subscription --value $functionkey --output none
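Review bot: The added `#az keyvault set-policy` line is a commented-out copy of the logged-in-user policy directly above it, still targeting `--object-id $AADUserId` and carrying the full backup/create/delete/purge permission set, so anyone who uncomments it later grants far more than read access — and to the wrong principal. Since the live ADF policy now lives in CD_2a_CreateMSIs_AAD_Elevated.ps1, replace both added lines with a single pointer such as `#ADF MSI read access to this vault is granted in CD_2a_CreateMSIs_AAD_Elevated.ps1` rather than leaving dead code beside the real grant. The enclosing `if` block starts outside the hunk.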