This sample demonstrates how to create, get, and delete role assignments in Azure Key Vault. To get started, you'll need a URI to an Azure Key Vault. See the README for links and instructions.
To create a new `KeyVaultAccessControlClient` to create, get, or delete role assignments, you need the endpoint to an Azure Key Vault and credentials.
You can use the `DefaultAzureCredential` to try a number of common authentication methods optimized for both running as a service and development.
In the sample below, you can set `keyVaultUrl` based on an environment variable, configuration setting, or any way that works for your application.

```C#
KeyVaultAccessControlClient client = new KeyVaultAccessControlClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
```
In order to assign a role to a service principal, we'll have to know which role definitions are available. Let's get all of them.
```C#
List<KeyVaultRoleDefinition> roleDefinitions = new List<KeyVaultRoleDefinition>();
await foreach (KeyVaultRoleDefinition definition in client.GetRoleDefinitionsAsync(KeyVaultRoleScope.Global))
{
    roleDefinitions.Add(definition);
}
```
Before assigning any new roles, let's get all the current role assignments.
```C#
List<KeyVaultRoleAssignment> roleAssignments = new List<KeyVaultRoleAssignment>();
await foreach (KeyVaultRoleAssignment assignment in client.GetRoleAssignmentsAsync(KeyVaultRoleScope.Global))
{
    roleAssignments.Add(assignment);
}
```
Now let's assign a role to a service principal. To do this we'll need a role definition Id and a service principal object Id.
A role definition Id can be obtained from the `Id` property of one of the role definitions returned from `GetRoleDefinitionsAsync` above.
See the README for links and instructions on how to generate a new service principal and obtain its object Id. You can also get the object Id for your currently signed in account by running the following Azure CLI command (on Azure CLI 2.37 and later the property is named `id` instead of `objectId`).

```bash
az ad signed-in-user show --query objectId
```

```C#
string definitionIdToAssign = "<roleDefinitionId>";
string servicePrincipalObjectId = "<objectId>";

KeyVaultRoleAssignmentProperties properties = new KeyVaultRoleAssignmentProperties(definitionIdToAssign, servicePrincipalObjectId);
KeyVaultRoleAssignment createdAssignment = await client.CreateRoleAssignmentAsync(KeyVaultRoleScope.Global, properties);
```
To get an existing role assignment, we'll need the `Name` property from an existing assignment. Let's use the `createdAssignment` from the previous example.

```C#
KeyVaultRoleAssignment fetchedAssignment = await client.GetRoleAssignmentAsync(KeyVaultRoleScope.Global, createdAssignment.Name);
```
To remove a role assignment from a service principal, the role assignment must be deleted. Let's delete the `createdAssignment` from the previous example.

```C#
KeyVaultRoleAssignment deletedAssignment = await client.DeleteRoleAssignmentAsync(KeyVaultRoleScope.Global, createdAssignment.Name);
```
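The snippets above show each call in isolation. The following program, an added example that is not part of the SDK sample, ties them together the way an access-control job should run in practice: it resolves the role definition by its display name instead of a hard-coded Id, checks whether the principal already holds that role before creating a duplicate assignment, verifies the result, and revokes it in a way that is safe to re-run. It assumes the same client and types used above; the `Properties.RoleDefinitionId` and `Properties.PrincipalId` members of `KeyVaultRoleAssignment`, the `AZURE_KEYVAULT_URL` environment variable and the `<roleName>` / `<objectId>` placeholders are assumptions of this example.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Administration;

// Added example (not the SDK's own sample code): grant a principal exactly one role,
// idempotently, and revoke it again. Property names on KeyVaultRoleAssignment.Properties
// are assumed for this SDK version.
public static class RoleAssignmentHelper
{
    // Resolve a role definition by display name so the caller never pastes a definition Id
    // that may belong to a different role in a different vault.
    public static async Task<KeyVaultRoleDefinition> FindRoleDefinitionAsync(
        KeyVaultAccessControlClient client, string roleName)
    {
        await foreach (KeyVaultRoleDefinition definition in client.GetRoleDefinitionsAsync(KeyVaultRoleScope.Global))
        {
            if (string.Equals(definition.RoleName, roleName, StringComparison.OrdinalIgnoreCase))
            {
                return definition;
            }
        }
        throw new InvalidOperationException($"No role definition named '{roleName}' is available.");
    }

    // Return the existing assignment for (principal, role) if one exists; otherwise create it.
    // Re-running this does not pile up duplicate assignments that are easy to forget to revoke.
    public static async Task<KeyVaultRoleAssignment> EnsureAssignmentAsync(
        KeyVaultAccessControlClient client, string roleDefinitionId, string principalObjectId)
    {
        await foreach (KeyVaultRoleAssignment existing in client.GetRoleAssignmentsAsync(KeyVaultRoleScope.Global))
        {
            if (existing.Properties.RoleDefinitionId == roleDefinitionId
                && existing.Properties.PrincipalId == principalObjectId)
            {
                return existing;
            }
        }

        KeyVaultRoleAssignmentProperties properties = new KeyVaultRoleAssignmentProperties(roleDefinitionId, principalObjectId);
        return await client.CreateRoleAssignmentAsync(KeyVaultRoleScope.Global, properties);
    }

    // Delete by assignment name; treat "already gone" (404) as success so cleanup can be retried.
    public static async Task<bool> RevokeAsync(KeyVaultAccessControlClient client, string assignmentName)
    {
        try
        {
            await client.DeleteRoleAssignmentAsync(KeyVaultRoleScope.Global, assignmentName);
            return true;
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            return false;
        }
    }

    public static async Task Main()
    {
        // Assumed configuration for this example.
        string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL");
        string principalObjectId = "<objectId>";
        string roleName = "<roleName>"; // placeholder: choose the narrowest role the principal needs

        KeyVaultAccessControlClient client = new KeyVaultAccessControlClient(new Uri(keyVaultUrl), new DefaultAzureCredential());

        KeyVaultRoleDefinition definition = await FindRoleDefinitionAsync(client, roleName);
        KeyVaultRoleAssignment assignment = await EnsureAssignmentAsync(client, definition.Id, principalObjectId);
        Console.WriteLine($"Assignment {assignment.Name} grants '{definition.RoleName}' to {principalObjectId}");

        // Read the assignment back by name, as in the "get" step above, to confirm what was granted.
        KeyVaultRoleAssignment fetched = await client.GetRoleAssignmentAsync(KeyVaultRoleScope.Global, assignment.Name);
        Console.WriteLine($"Verified assignment: {fetched.Id}");

        bool removed = await RevokeAsync(client, assignment.Name);
        Console.WriteLine(removed ? "Assignment removed." : "Assignment was already gone.");
    }
}
```

Matching on `RoleName` rather than a pasted Id, and matching existing assignments on both `RoleDefinitionId` and `PrincipalId`, keeps the job idempotent: running it twice leaves exactly one assignment for the principal, and the revoke step tolerates an assignment that someone else already removed.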