Key vault
Use Azure service principals with Azure PowerShell | Microsoft Learn
Automated tools that use Azure services should always have restricted permissions.
Instead of having applications sign in as a fully privileged user, Azure offers service principals.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.
This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.
For security reasons, it’s always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.
# Create a service principal
$sp = New-AzADServicePrincipal -DisplayName ServicePrincipalName
Get-AzAdServicePrincipal -objectId Id
# The returned object contains the PasswordCredentials.SecretText property containing the generated password. Make sure that you store this value somewhere secure to authenticate with the service principal.
$sp.PasswordCredentials.SecretText
The-generated-secret
# The object returned from New-AzADServicePrincipal contains the Id and DisplayName members, either of which can be used for sign in with the service principal.
$sp.Id
The-spn-id
$sp.DisplayName
ServicePrincipalName
# To get the active tenant when the service principal was created, run the following command immediately after service principal creation:
(Get-AzContext).Tenant.Id
# Get ServicePrincipalName
Get-AzAdServicePrincipal -ObjectId Id
# Get all
Get-AzAdServicePrincipal
# If you forget the credentials for a service principal, remove the existing credential and use New-AzADSpCredential to add a new one with a random password (the cmdlet does not accept a user-defined password when resetting).
Remove-AzADSpCredential -DisplayName ServicePrincipalName
$newCredential = New-AzADSpCredential -ServicePrincipalName ServicePrincipalName
# Remove ServicePrincipalName
Remove-AzADServicePrincipal -ObjectId Id
# Verify that it is removed
Get-AzAdServicePrincipal -ObjectId Id
Then you can go to Access control (IAM) on the key vault and add the SPN.
Sign in with Azure PowerShell | Microsoft Learn
In the same session you can now sign in as that user or SPN.
Or reconnect as the SPN:
# if you jumped out of the session
# get all
Get-AzAdServicePrincipal
# get by id
$sp = Get-AzAdServicePrincipal -ObjectId Id
# verify user
$sp.DisplayName
$pscredential = Get-Credential -UserName $sp.AppId
# at the prompt, enter the service principal secret (PasswordCredentials.SecretText) as the password
# tenant id
$tenantId = "TenantId"
# connect
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId
Created a new key vault, chose RBAC, added the SPN as Key Vault Secrets Officer and ran the same commands as above.
# secret
$secretvalue = ConvertTo-SecureString "Vikingswasnothere78-" -AsPlainText -Force
# add it to key vault
$secret = Set-AzKeyVaultSecret -VaultName YourVaultName -Name "ExamplePassword" -SecretValue $secretvalue
Get secret
# get secret
$secret = Get-AzKeyVaultSecret -VaultName YourVaultName -Name "ExamplePassword" -AsPlainText
write-host $secret
I am Owner, but not able to see the secret (since we are using RBAC).
You must also be a user with data-plane actions.
Based on the error message, and in order to see your Secrets, Keys, or Certificates, you'll have to assign the appropriate built-in RBAC for Key Vault role to gain access to data plane operations. When it comes to the Contributor role, you do have full access to manage all resources (with a few exceptions) at the management plane (Azure RBAC). However, accessing the Azure Key Vault requires a user to also have data plane permissions (Key Vault access policy or Azure RBAC for Key Vault). For more info, see Access model overview.
And then we can see it with my user.
To add a secret as me, since we are using RBAC, I need a new role, the same one the SPN has: Key Vault Secrets Officer.
Now get that with the SPN: reconnect as the SPN and read the manually entered secret.
Note:
At first the key vault had the access configuration set to "Vault access policy", so adding a secret gave an error (I then created a new key vault and chose RBAC; see above).
# secret
$secretvalue = ConvertTo-SecureString "Vikingswasnothere78-" -AsPlainText -Force
# add it to key vault
$secret = Set-AzKeyVaultSecret -VaultName YourVaultName -Name "ExamplePassword" -SecretValue $secretvalue
Error
https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal
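A scripted version of the steps above, added here as an example and not code from the Microsoft Learn pages: it replaces the portal Access control (IAM) step with New-AzRoleAssignment scoped to the single vault, checks the assignment exists, signs in as the SPN and round-trips a secret, so the "Owner but cannot read the secret" situation from the notes is caught by the check rather than discovered later. The resource group, location, vault and SPN names and the sample secret value are assumed placeholders.

```powershell
# Added example: script the 'Access control (IAM)' step and prove the SPN works.
# Assumed names and location; change to match your subscription.
$rgName    = 'rg-kv-demo'
$location  = 'westeurope'
$vaultName = 'kv-demo-' + (Get-Random -Maximum 99999)   # vault names are globally unique
$spName    = 'sp-kv-demo'

# 1. Vault using the RBAC permission model. With the older 'vault access policy'
#    model the role assignment below would not grant any data-plane access.
$kv = New-AzKeyVault -Name $vaultName -ResourceGroupName $rgName -Location $location -EnableRbacAuthorization

# 2. Service principal. Capture the generated secret now; it cannot be read back later.
$sp       = New-AzADServicePrincipal -DisplayName $spName
$spSecret = ConvertTo-SecureString $sp.PasswordCredentials.SecretText -AsPlainText -Force
$tenantId = (Get-AzContext).Tenant.Id

# 3. Data-plane role, scoped to this one vault only. Owner/Contributor are management
#    plane roles and do not allow reading secrets when the vault uses RBAC.
#    Use 'Key Vault Secrets User' instead if the tool only needs to read secrets.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Key Vault Secrets Officer' -Scope $kv.ResourceId | Out-Null

# Check the assignment exists at vault scope before switching identity.
$ra = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $kv.ResourceId
if (-not $ra) { throw "No role assignment for $spName at scope $($kv.ResourceId)" }

# 4. Sign in as the SPN (this replaces the current user context) and use the data plane.
$cred = New-Object System.Management.Automation.PSCredential($sp.AppId, $spSecret)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantId | Out-Null
try {
    $expected = 'constructed-sample-value'   # constructed test value, not a real secret
    $value    = ConvertTo-SecureString $expected -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $vaultName -Name 'ExamplePassword' -SecretValue $value | Out-Null
    $readBack = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'ExamplePassword' -AsPlainText
    if ($readBack -ne $expected) { throw 'Secret round-trip returned a different value' }
    Write-Host "SPN $spName can write and read secrets in $vaultName"
}
catch {
    # A 403 Forbidden here means the signed-in identity has no data-plane role on the vault
    # (or the new assignment has not propagated yet; retry after a few minutes).
    Write-Error "Key Vault data-plane operation failed: $($_.Exception.Message)"
}
```

Run it while signed in as a user who can create role assignments on the vault (Owner or User Access Administrator); Connect-AzAccount switches the session to the SPN, so sign in again afterwards to get your user context back.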