
[QUERY] How to add new access policy to key vault without deleting all existing access policies? #44531

Closed
trygvelo opened this issue Jun 12, 2024 · 4 comments
Labels: customer-reported, KeyVault Mgmt, needs-team-attention, question

Comments

@trygvelo

Library name and version

Azure.ResourceManager.KeyVault 1.2.0

Query/Question

As the title says, how do I add a new access policy to a key vault without deleting all existing access policies in the vault?

According to this bug report, it should be possible, but I just cannot figure out how: #32872

This sample doesn't give any answers either: https://github.com/Azure-Samples/azure-samples-net-management/blob/master/samples/keyvault/manage-key-vault/Program.cs. If I modify the sample to update the access policy for a new principal id, the existing access policy is deleted.

Environment

No response

github-actions bot added labels customer-reported, KeyVault Mgmt, needs-team-attention, question on Jun 12, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@trygvelo
Author

trygvelo commented Jun 14, 2024

I tried the following code in an attempt to iterate over all existing access policies to add those to the update patch:

// Build a patch whose AccessPolicies list will replace the vault's current list.
var patch = new KeyVaultPatch();
patch.Properties = new KeyVaultPatchProperties();

// GetPolicyAssignments() enumerates Azure Policy assignments scoped to the resource,
// not the vault's Key Vault access policies, so this collection is empty here.
var existingPolicies = keyVault.GetPolicyAssignments();
foreach (var policy in existingPolicies)
    patch.Properties.AccessPolicies.Add(new KeyVaultAccessPolicy(tenantId, policy.Data.ManagedIdentity.PrincipalId.Value.ToString(), permissions));

// Add the new principal and send the patch (a PATCH replaces the whole list).
patch.Properties.AccessPolicies.Add(new KeyVaultAccessPolicy(tenantId, principalId1, permissions));
var updateKeyVault = await keyVault.UpdateAsync(patch);

But existingPolicies does not contain any elements :(

@cxznmhdcxz
Member

Hi @trygvelo, you could try this code. Let's say there's already an instance keyVault:

using System.Collections.Generic;
using Azure.ResourceManager.KeyVault;
using Azure.ResourceManager.KeyVault.Models;

// Permissions granted by the new policy (here: all secret permissions).
IdentityAccessPermissions accessPermissions = new IdentityAccessPermissions()
{
    Secrets =
    {
        IdentityAccessSecretPermission.All
    }
};

// One access policy for the principal identified by ObjectId in tenantId.
KeyVaultAccessPolicy accessPolicy = new KeyVaultAccessPolicy(tenantId, ObjectId, accessPermissions);
var accessPolicies = new List<KeyVaultAccessPolicy>() { accessPolicy };
var updateProperties = new KeyVaultAccessPolicyProperties(accessPolicies);
var updateParameters = new KeyVaultAccessPolicyParameters(updateProperties);

// AccessPolicyUpdateKind.Add merges this policy into the vault; existing policies are kept.
keyVault.UpdateAccessPolicy(AccessPolicyUpdateKind.Add, updateParameters);

The ObjectId could be either a user account or a managed identity.

@cxznmhdcxz cxznmhdcxz assigned cxznmhdcxz and unassigned HarveyLink Jul 2, 2024
@trygvelo
Author

trygvelo commented Jul 2, 2024

Hi @cxznmhdcxz

Thanks, that works exactly as expected!

Note to self: Make sure to "refresh" the keyVault instance after adding access policy to see the added access policy in the keyVault instance.
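An end-to-end version of the approach from the accepted answer, together with the refresh step from the note above, as an added example that is not code from the issue or from the SDK samples. It assumes the Azure.ResourceManager, Azure.ResourceManager.KeyVault 1.2.0 and Azure.Identity packages; the subscription, resource group, vault, tenant and object ids are placeholders. It also shows where the vault's existing access policies actually live (keyVault.Data.Properties.AccessPolicies) and grants only Get and List on secrets rather than All, which is the least-privilege choice for a principal that only needs to read secrets.

```csharp
// Added example (not from the issue or the SDK). Placeholders must be replaced.
using System;
using System.Linq;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.KeyVault;
using Azure.ResourceManager.KeyVault.Models;

class AddAccessPolicyExample
{
    static async Task Main()
    {
        // Placeholders (assumptions for this example).
        const string subscriptionId = "<subscription-id>";
        const string resourceGroupName = "<resource-group>";
        const string vaultName = "<vault-name>";
        Guid tenantId = Guid.Parse("<tenant-id>");
        string objectId = "<principal-object-id>"; // user, group, service principal or managed identity

        var client = new ArmClient(new DefaultAzureCredential());
        ResourceIdentifier vaultId =
            KeyVaultResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, vaultName);
        KeyVaultResource keyVault = await client.GetKeyVaultResource(vaultId).GetAsync();

        // Existing access policies are part of the vault data, not policy assignments.
        foreach (KeyVaultAccessPolicy existing in keyVault.Data.Properties.AccessPolicies)
            Console.WriteLine($"existing policy: objectId={existing.ObjectId} tenant={existing.TenantId}");

        // Least privilege: only Get and List on secrets instead of All.
        var permissions = new IdentityAccessPermissions();
        permissions.Secrets.Add(IdentityAccessSecretPermission.Get);
        permissions.Secrets.Add(IdentityAccessSecretPermission.List);

        var policy = new KeyVaultAccessPolicy(tenantId, objectId, permissions);
        var content = new KeyVaultAccessPolicyParameters(
            new KeyVaultAccessPolicyProperties(new[] { policy }));

        // Add merges the new policy; existing policies stay in place.
        await keyVault.UpdateAccessPolicyAsync(AccessPolicyUpdateKind.Add, content);

        // The local Data is a snapshot taken at GetAsync time; re-read the vault to verify.
        keyVault = await keyVault.GetAsync();
        bool present = keyVault.Data.Properties.AccessPolicies.Any(
            p => string.Equals(p.ObjectId, objectId, StringComparison.OrdinalIgnoreCase));
        Console.WriteLine(present ? "policy added" : "policy NOT found after refresh");
    }
}
```

The verification step after the refresh is the useful check: KeyVaultResource.Data does not change after UpdateAccessPolicyAsync, so a stale instance makes it look as if nothing happened. Note also that access policies only apply to vaults using the vault access policy permission model; a vault with RBAC authorization enabled ignores them, and permissions for it are managed through role assignments instead.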

@github-actions github-actions bot locked and limited conversation to collaborators Oct 1, 2024