Create an Azure service principal with Azure PowerShell (SPN) key vault RBAC

Key vault

Use Azure service principals with Azure PowerShell | Microsoft Learn

Automated tools that use Azure services should always have restricted permissions.

Instead of having applications sign in as a fully privileged user, Azure offers service principals.

An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.

This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.

For security reasons, it’s always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

# Create a service principal
$sp = New-AzADServicePrincipal -DisplayName ServicePrincipalName

Get-AzAdServicePrincipal -objectId Id

#The returned object contains the PasswordCredentials.SecretText property containing the generated password. Make sure that you store this value somewhere secure to authenticate with the service principal.                      
$sp.PasswordCredentials.SecretText                    
The-generated-secret

# The object returned from New-AzADServicePrincipal contains the Id and DisplayName members, either of which can be used for sign in with the service principal.
$sp.Id                            
The-spn-id

$sp.DisplayName
ServicePrincipalName

# To get the active tenant when the service principal was created, run the following command immediately after service principal creation:
(Get-AzContext).Tenant.Id  

# Get ServicePrincipalName
Get-AzAdServicePrincipal -ObjectId Id
# Get all
Get-AzAdServicePrincipal

# If you lose the credentials for a service principal, remove the existing credentials and use New-AzADSpCredential to add a new one with a random password.
Remove-AzADSpCredential -DisplayName ServicePrincipalName
$newCredential = New-AzADSpCredential -ServicePrincipalName ServicePrincipalName
# The new password is only returned once; read it from $newCredential.SecretText and store it securely.

# Remove ServicePrincipalName
Remove-AzADServicePrincipal -ObjectId Id

# Verify that it is removed
Get-AzAdServicePrincipal -ObjectId Id

Then you can go to IAM (Access control) on the key vault and add the SPN with a role.
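The same steps done end to end in PowerShell instead of the portal. This is an added example, not code from the original notes or from the Microsoft docs linked above: it creates the service principal, keeps the generated secret only as a SecureString, checks that the vault is in RBAC mode, and assigns the Key Vault Secrets Officer role scoped to that one vault rather than to the subscription. $resourceGroup and $vaultName are placeholders.

```powershell
# Added example: create a service principal and grant it a data-plane role on one vault only.
# Assumes you are signed in (Connect-AzAccount) with rights to create app registrations
# and role assignments. Placeholder values below must be replaced.
$resourceGroup = "MyResourceGroup"      # placeholder
$vaultName     = "YourVaultName"        # placeholder, same name as in the notes
$spName        = "ServicePrincipalName"

# 1. Create the service principal. The generated password is returned only once.
$sp = New-AzADServicePrincipal -DisplayName $spName

# 2. Convert the secret to a SecureString immediately so the plaintext is not kept in a variable.
$secret = ConvertTo-SecureString $sp.PasswordCredentials.SecretText -AsPlainText -Force

# 3. Resolve the vault so the role assignment can be scoped to its resource id.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
if (-not $vault) { throw "Vault '$vaultName' not found in resource group '$resourceGroup'." }
if (-not $vault.EnableRbacAuthorization) {
    # On an access-policy vault, RBAC role assignments do not grant data-plane access.
    throw "Vault '$vaultName' uses vault access policies; switch it to Azure RBAC first."
}

# 4. Assign the data-plane role at vault scope (least privilege: not subscription or RG scope).
New-AzRoleAssignment -ObjectId $sp.Id `
    -RoleDefinitionName "Key Vault Secrets Officer" `
    -Scope $vault.ResourceId

# 5. Build the credential used later by Connect-AzAccount -ServicePrincipal.
#    The username is the application (client) id, not the object id.
$pscredential = New-Object System.Management.Automation.PSCredential($sp.AppId, $secret)
$tenantId = (Get-AzContext).Tenant.Id

# 6. Verify what the principal was actually granted before handing the credential to automation.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId |
    Select-Object RoleDefinitionName, Scope
```

Role assignments can take a short while to propagate, so a Get-AzKeyVaultSecret run as the SPN right after step 4 may still be refused for a minute or two; that is not the same failure as the access-policy error described later on this page.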

Sign in with Azure PowerShell | Microsoft Learn

In the same session you can now sign in as that user or SPN.

Or reconnect as SPN

# if you jumped out of the session

# get all
Get-AzAdServicePrincipal

# get by id
$sp = Get-AzAdServicePrincipal -ObjectId Id

# verify user
$sp.DisplayName

$pscredential = Get-Credential -UserName $sp.AppId
# provide password

# tenant id
$tenantId = "TenantId"

# connect
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId

Created a new key vault, chose RBAC as the permission model, added the SPN as Key Vault Secrets Officer, and ran the same commands as above.

# secret
$secretvalue = ConvertTo-SecureString "Vikingswasnothere78-" -AsPlainText -Force

# add it to key vault
$secret = Set-AzKeyVaultSecret -VaultName YourVaultName -Name "ExamplePassword" -SecretValue $secretvalue

Get secret

# get secret
$secret = Get-AzKeyVaultSecret -VaultName YourVaultName -Name "ExamplePassword" -AsPlainText

Write-Host $secret

I am owner, but not able to see the secret (since we are using RBAC).

You must also be a user with data actions.

Based off the error message and in order to see your Secrets, Keys, or Certificates, you’ll have to assign the appropriate built-in RBAC for Key Vault role to gain access to data plane operations. When it comes to the Contributor role, you do have full access to manage all resources (with a few exceptions) at the management plane (Azure RBAC). However, when it comes to accessing the Azure Key Vault, this requires a user to also have data plane permissions (Key Vault access policy or Azure RBAC for Key Vault), for more info – Access model overview.

Inspecting RBAC Azure Key Vault Secrets: “You are unauthorized to view these contents.” – Microsoft Q&A

And then we can see it with my user

To add a secret as myself, since we are using RBAC, I need a new role: the same one as the SPN, Key Vault Secrets Officer.

Now get that with the SPN: reconnect as the SPN and read the manually entered secret.

Note:

At first the key vault's access configuration was "Vault access policy", so adding a secret gave an error (see above, where a new key vault was created with RBAC).
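Both failures on this page (Owner but unable to read a secret on an RBAC vault, and Set-AzKeyVaultSecret refused on an access-policy vault) come down to which permission model the vault uses and whether the signed-in identity has data-plane rights under that model. The function below is an added example, not from the original notes or the linked Microsoft pages: it reports the vault's authorization mode, lists the data-plane grants that apply, and then tries the read so the error is tied to that state. The role-name list and the Test-KeyVaultSecretAccess function name are my own.

```powershell
# Added example: diagnose why a secret read is refused. Assumes an active Az session;
# vault and secret names are placeholders supplied by the caller.
function Test-KeyVaultSecretAccess {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName
    )

    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Vault '$VaultName' not found or not visible at the management plane." }

    $ctx = Get-AzContext
    Write-Host "Signed in as : $($ctx.Account.Id) (type: $($ctx.Account.Type))"
    $mode = if ($vault.EnableRbacAuthorization) { 'Azure RBAC' } else { 'Vault access policy' }
    Write-Host "Vault mode   : $mode"

    if ($vault.EnableRbacAuthorization) {
        # Owner / Contributor are management-plane roles with no data actions.
        # Only these built-in Key Vault roles carry secret data-plane permissions.
        # (Key Vault Reader can list secrets but cannot read their values.)
        $dataPlaneRoles = @(
            'Key Vault Administrator',
            'Key Vault Secrets Officer',
            'Key Vault Secrets User',
            'Key Vault Reader'
        )
        $grants = Get-AzRoleAssignment -Scope $vault.ResourceId |
            Where-Object { $_.RoleDefinitionName -in $dataPlaneRoles }
        if ($grants) {
            Write-Host "Data-plane role assignments in effect at vault scope:"
            $grants | Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope | Format-Table
        } else {
            Write-Warning "No Key Vault data-plane role is assigned at $($vault.ResourceId); reads will be refused."
        }
    } else {
        # Access-policy vault: RBAC role assignments are ignored for data operations,
        # so inspect the policy entries instead.
        Write-Host "Access policy entries (RBAC assignments do not apply in this mode):"
        $vault.AccessPolicies | Select-Object DisplayName, ObjectId, PermissionsToSecrets | Format-Table
    }

    # Attempt the read and surface the exact data-plane error alongside the state printed above.
    try {
        $null = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText -ErrorAction Stop
        Write-Host "Data-plane read of '$SecretName' succeeded."
        return $true
    } catch {
        Write-Warning "Data-plane read failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (placeholders):
# Test-KeyVaultSecretAccess -VaultName YourVaultName -SecretName ExamplePassword
```

Run it once as your own user and once in the session connected as the SPN; comparing the two outputs shows whether the missing piece is the vault's permission model or the role assignment for that particular identity.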

# secret
$secretvalue = ConvertTo-SecureString "Vikingswasnothere78-" -AsPlainText -Force

# add it to key vault
$secret = Set-AzKeyVaultSecret -VaultName YourVaultName -Name "ExamplePassword" -SecretValue $secretvalue

Error

https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal
