If anyone can help or give me a start I would greatly appreciate it. I apologize in advance for the confusion. Within Azure I am looking to convert our existing Key Vault Policies to Azure RBAC.

The below script gets an inventory of key vaults in all subscriptions and exports them to a CSV.
```powershell
# Inventory every access policy on every key vault in every subscription and append it to a CSV.
$subs = Get-AzSubscription
foreach ($sub in $subs) {
    Set-AzContext -Subscription $sub.Id -Tenant $sub.TenantId | Out-Null
    $vaults = Get-AzKeyVault
    foreach ($vault in $vaults) {
        # The list call returns summary objects only; fetch the vault again to read its access policies.
        $policies = (Get-AzKeyVault -ResourceGroupName $vault.ResourceGroupName -VaultName $vault.VaultName).AccessPolicies
        foreach ($policy in $policies) {
            $obj = [PSCustomObject]@{
                KeyVaultName                 = $vault.VaultName
                ResourceGroupName            = $vault.ResourceGroupName
                ObjectID                     = $policy.ObjectID
                PermissionsToCertificatesStr = $policy.PermissionsToCertificatesStr
                PermissionsToKeysStr         = $policy.PermissionsToKeysStr
                PermissionsToSecretsStr      = $policy.PermissionsToSecretsStr
            }
            $obj | Export-Csv -Path C:\keyvaultinventory2.csv -Append -NoTypeInformation
        }
    }
}
```
The update command below switches a key vault from access policies to RBAC. However, within RBAC nothing will be filled out.
```powershell
#Update-AzKeyVault -VaultName $keyvault.VaultName -ResourceGroupName $keyvault.ResourceGroupName -EnableRbacAuthorization $true
```

The CSV created from the script above will have the below headings.

| ObjectID | PermissionsToCertificatesStr | PermissionsToKeysStr | PermissionsToSecretsStr |
|---|---|---|---|

I want to create a script that looks at the access each object ID (from the imported CSV) has within each key vault (in all subscriptions) and then creates a new role for the object ID, based on the previous access policy. So for example, let's say one object ID has full access to a key vault. In the CSV this looks like:

ObjectID (test1234)
PermissionsToCertificatesStr → Get, List, Update, Create, Import, Delete, Recover, Backup, Restore
PermissionsToKeysStr → Get, List, Update, Create, Import, Delete, Recover, Backup, Restore
PermissionsToSecretsStr1 → Get, List, Set, Delete, Recover, Backup, Restore, Purge

So what I want to do is write a script that says if the object ID has a value of PermissionsToCertificatesStr & PermissionsToKeysStr & PermissionsToSecretsStr1 (values shown above) then create a role in Azure Key Vault RBAC for the object ID that has Key Vault Administrator access (the equivalent access in Key Vault RBAC). See below →

if
Objectid has →
PermissionsToCertificatesStr → Get, List, Update, Create, Import, Delete, Recover, Backup, Restore
AND PermissionsToKeysStr → Get, List, Update, Create, Import, Delete, Recover, Backup, Restore
AND PermissionsToSecretsStr1 → Get, List, Set, Delete, Recover, Backup, Restore, Purge
then
New-AzRoleAssignment

```powershell
New-AzRoleAssignment
-ObjectId $policy.ObjectID
-ResourceGroupName $vault.ResourceGroupName
-RoleDefinitionName "Key Vault Administrator"
```

if
Objectid has this access (in key vault access policies)
PermissionsToCertificatesStr → Get, List
AND PermissionsToKeysStr → Get, List
AND PermissionsToSecretsStr1 → Get, List
then
New-AzRoleAssignment

```powershell
New-AzRoleAssignment
-ObjectId $policy.ObjectID
-ResourceGroupName $vault.ResourceGroupName
-RoleDefinitionName "Key Vault Reader"
```

Sorry again if this makes little sense.

Posted by ivormcnamara2, 2021-03-04.
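One way to do the mapping described in the post, as an added example that is not the poster's own code: read the inventory CSV, match each policy row against the two permission sets above by exact set comparison, and assign the chosen built-in role at the scope of the vault itself rather than the resource group. It assumes the Az.KeyVault and Az.Resources modules are installed and that the current Az context is already set to the subscription that contains each vault; the column name used is `PermissionsToSecretsStr`, as written by the inventory script.

```powershell
# Added example (not from the original post): assign built-in Key Vault RBAC roles per CSV row.
# Assumes Az.KeyVault/Az.Resources are loaded and the Az context is the vault's subscription.
[CmdletBinding(SupportsShouldProcess)]
param([string]$CsvPath = 'C:\keyvaultinventory2.csv')

function Test-PermissionSet {
    # True when the comma-separated policy string is exactly $Expected (order and case ignored).
    param([string]$Actual, [string[]]$Expected)
    $have = @(($Actual -split ',') | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ } | Sort-Object -Unique)
    $want = @($Expected | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)
    return (($have -join ',') -eq ($want -join ','))
}

function Resolve-RoleName {
    # Map one policy row to a role. Exact match only, so partial sets fall through to manual review
    # instead of silently receiving a broader role.
    param($Row)
    $fullKeysCerts = 'Get','List','Update','Create','Import','Delete','Recover','Backup','Restore'
    $fullSecrets   = 'Get','List','Set','Delete','Recover','Backup','Restore','Purge'
    $readOnly      = 'Get','List'
    if ((Test-PermissionSet $Row.PermissionsToCertificatesStr $fullKeysCerts) -and
        (Test-PermissionSet $Row.PermissionsToKeysStr $fullKeysCerts) -and
        (Test-PermissionSet $Row.PermissionsToSecretsStr $fullSecrets)) { return 'Key Vault Administrator' }
    if ((Test-PermissionSet $Row.PermissionsToCertificatesStr $readOnly) -and
        (Test-PermissionSet $Row.PermissionsToKeysStr $readOnly) -and
        (Test-PermissionSet $Row.PermissionsToSecretsStr $readOnly)) { return 'Key Vault Reader' }
    return $null
}

foreach ($row in (Import-Csv -Path $CsvPath)) {
    $role = Resolve-RoleName $row
    if (-not $role) {
        Write-Warning "No role mapping for $($row.ObjectID) on $($row.KeyVaultName); review this policy by hand"
        continue
    }
    # Scope the assignment to the vault resource, not the resource group, to avoid granting wider reach.
    $vault = Get-AzKeyVault -VaultName $row.KeyVaultName -ResourceGroupName $row.ResourceGroupName
    $scope = $vault.ResourceId
    # Skip principals that already hold the role at this scope (inherited assignments are returned too).
    $existing = Get-AzRoleAssignment -ObjectId $row.ObjectID -RoleDefinitionName $role -Scope $scope
    if ($existing) { Write-Verbose "$role already assigned to $($row.ObjectID) at $scope"; continue }
    if ($PSCmdlet.ShouldProcess($scope, "Assign '$role' to $($row.ObjectID)")) {
        New-AzRoleAssignment -ObjectId $row.ObjectID -RoleDefinitionName $role -Scope $scope | Out-Null
    }
}
```

Run it with -WhatIf first to review the intended assignments before any are created. Key Vault Reader grants metadata access only, so a principal that previously read secret values with Get/List under access policies will also need a data-plane role such as Key Vault Secrets User.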
Reply:

If you post code, please use the ‘Insert Code’ button. Please and thank you!