This sample demonstrates how to create, get, and delete role assignments in Azure Managed HSM. To get started, you'll need a URI to an Azure Managed HSM. See the README for links and instructions.
To create a new `KeyVaultAccessControlClient` to create, get, or delete role assignments, you need the endpoint to an Azure Managed HSM and credentials. You can use the `DefaultAzureCredential` to try a number of common authentication methods optimized for both running as a service and development.

In the sample below, you can set `managedHsmUrl` based on an environment variable, configuration setting, or any way that works for your application.

```C#
KeyVaultAccessControlClient client = new KeyVaultAccessControlClient(new Uri(managedHsmUrl), new DefaultAzureCredential());
```
In order to assign a role to a service principal, we'll have to know which role definitions are available. Let's get all of them.

```C#
List<KeyVaultRoleDefinition> roleDefinitions = client.GetRoleDefinitions(KeyVaultRoleScope.Global).ToList();
```
Before assigning any new roles, let's get all the current role assignments.

```C#
List<KeyVaultRoleAssignment> roleAssignments = client.GetRoleAssignments(KeyVaultRoleScope.Global).ToList();
```
Now let's assign a role to a service principal. To do this we'll need a role definition Id and a service principal object Id. A role definition Id can be obtained from the `Id` property of one of the role definitions returned from `GetRoleDefinitions`.

See the README for links and instructions on how to generate a new service principal and obtain its object Id. You can also get the object Id for your currently signed-in account by running the following Azure CLI command.

```
az ad signed-in-user show --query objectId
```

```C#
string definitionIdToAssign = "<roleDefinitionId>";
string servicePrincipalObjectId = "<objectId>";

KeyVaultRoleAssignment createdAssignment = client.CreateRoleAssignment(KeyVaultRoleScope.Global, definitionIdToAssign, servicePrincipalObjectId);
```
To get an existing role assignment, we'll need the `Name` property from an existing assignment. Let's use the `createdAssignment` from the previous example.

```C#
KeyVaultRoleAssignment fetchedAssignment = client.GetRoleAssignment(KeyVaultRoleScope.Global, createdAssignment.Name);
```
To remove a role assignment from a service principal, the role assignment must be deleted. Let's delete the `createdAssignment` from the previous example.

```C#
client.DeleteRoleAssignment(KeyVaultRoleScope.Global, createdAssignment.Name);
```
You can also create custom role definitions with custom permissions:

```C#
CreateOrUpdateRoleDefinitionOptions options = new CreateOrUpdateRoleDefinitionOptions(KeyVaultRoleScope.Global)
{
    RoleName = "Managed HSM Data Decryptor",
    Description = "Can only decrypt data using the private key stored in Managed HSM",
    Permissions =
    {
        new KeyVaultPermission()
        {
            DataActions =
            {
                KeyVaultDataAction.DecryptHsmKey
            }
        }
    }
};

KeyVaultRoleDefinition createdDefinition = client.CreateOrUpdateRoleDefinition(options);
```
To get a role definition, you'll need to know its globally unique ID (GUID) instead of the name, unlike with role assignments:

```C#
Guid roleDefinitionId = new Guid(createdDefinition.Name);
KeyVaultRoleDefinition fetchedDefinition = client.GetRoleDefinition(KeyVaultRoleScope.Global, roleDefinitionId);
```
To delete a role definition, you'll likewise need its globally unique ID (GUID) rather than the name:

```C#
client.DeleteRoleDefinition(KeyVaultRoleScope.Global, roleDefinitionId);
```
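The two listing calls above (`GetRoleDefinitions` and `GetRoleAssignments`) together let you answer the question a reviewer of a Managed HSM actually asks: which principals hold which effective data actions, and which of those grants are custom or privileged. The following audit is an added example, not part of the Azure SDK sample; it assumes the `Properties.RoleDefinitionId`, `Properties.PrincipalId` and `Properties.Scope` members on `KeyVaultRoleAssignment`, that a definition's `Id` matches the assignment's `RoleDefinitionId`, and a hypothetical set of "privileged" data actions that you would replace with your own policy.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Azure.Identity;
using Azure.Security.KeyVault.Administration;

public static class ManagedHsmRbacAudit
{
    // Assumption: data actions this audit treats as privileged. Adjust to your policy.
    private static readonly KeyVaultDataAction[] PrivilegedActions =
    {
        KeyVaultDataAction.WriteRoleAssignment, // can grant access to other principals
        KeyVaultDataAction.DeleteHsmKey,
        KeyVaultDataAction.DecryptHsmKey,
    };

    public static void Run(string managedHsmUrl)
    {
        var client = new KeyVaultAccessControlClient(new Uri(managedHsmUrl), new DefaultAzureCredential());

        // Index definitions by Id so each assignment can be resolved to the permissions it grants.
        Dictionary<string, KeyVaultRoleDefinition> definitionsById =
            client.GetRoleDefinitions(KeyVaultRoleScope.Global).ToDictionary(d => d.Id);

        foreach (KeyVaultRoleAssignment assignment in client.GetRoleAssignments(KeyVaultRoleScope.Global))
        {
            string definitionId = assignment.Properties.RoleDefinitionId;
            if (!definitionsById.TryGetValue(definitionId, out KeyVaultRoleDefinition definition))
            {
                // An assignment pointing at a definition that no longer exists is worth a look on its own.
                Console.WriteLine($"[orphan] assignment {assignment.Name} references unknown definition {definitionId}");
                continue;
            }

            // Effective data actions = granted DataActions minus NotDataActions across all permission entries.
            var effective = new HashSet<KeyVaultDataAction>(definition.Permissions.SelectMany(p => p.DataActions));
            foreach (KeyVaultDataAction excluded in definition.Permissions.SelectMany(p => p.NotDataActions))
                effective.Remove(excluded);

            List<KeyVaultDataAction> privileged = PrivilegedActions.Where(effective.Contains).ToList();
            string kind = definition.RoleType == KeyVaultRoleType.CustomRole ? "custom" : "built-in";
            string flag = privileged.Count > 0 ? "PRIVILEGED" : "ok";
            string detail = privileged.Count > 0 ? " grants: " + string.Join(", ", privileged) : string.Empty;

            Console.WriteLine(
                $"[{flag}] principal {assignment.Properties.PrincipalId} -> '{definition.RoleName}' " +
                $"({kind}, scope {assignment.Properties.Scope}, {effective.Count} data actions){detail}");
        }
    }
}
```

Run it against the same `managedHsmUrl` used above; lines marked `PRIVILEGED` or `orphan` are the assignments to review first, and the `custom` tag shows which grants came from `CreateOrUpdateRoleDefinition` rather than a built-in role.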