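# Provisions a resource group, a storage account with one blob container and a
# Key Vault, then hands the storage account key to Key Vault (managed storage
# account) and creates an account-level SAS definition that Key Vault exposes as
# a secret. Written for PowerShell with the Azure CLI (az) already logged in.
#
# Review notes for anyone adapting this beyond a demo:
#   - The SAS template below grants every permission on every storage service.
#     Whatever the template allows is what Key Vault will hand out, so narrow
#     --permissions / --resource-types / --services to what consumers need.
#   - The access policy grants the user every storage permission, including
#     delete and purge. Trim the list once setup is finished.
#   - The last command prints the issued SAS token. Do not run it where console
#     output is captured (CI logs, transcripts, shared terminals).
#   - NOTE(review): Microsoft documents Key Vault managed storage account keys
#     as a legacy feature; check current guidance before using this in new work.

$myResourceGroup="rg-fhpl-use-qa"
$location="eastus"
$storagename = "stousefhplqa"
$container = "mybackupcontainer"
$ADE_KV_NAME = "keyvault-common-fhpl-qa"
$nameofsecret = "secnamefhplqa"
$upnname = "XXXXX.onmicrosoft.com" # put your valid upn name here
$subsid = "9239f519-XXXX-4e92-XXXX-c84d53XX3714"

# Full ARM resource id of the storage account; used as the role-assignment
# scope and as the resource Key Vault is asked to manage.
$storageResourceId = "/subscriptions/$subsid/resourceGroups/$myResourceGroup/providers/Microsoft.Storage/storageAccounts/$storagename"

# Create a resource group.
az group create --location $location --name $myResourceGroup

# Create a Storage Account
az storage account create --name $storagename --resource-group $myResourceGroup --location $location --sku Standard_LRS --kind=StorageV2

# Create a storage container
az storage container create --account-name $storagename --name $container

# Create the Key Vault that will manage the storage account key.
az keyvault create --name $ADE_KV_NAME --resource-group $myResourceGroup --location $location --sku premium
echo "- Key vault: $ADE_KV_NAME"

# Let the Key Vault service list and regenerate this storage account's keys.
# The assignment is scoped to the single storage account, not the resource group.
az role assignment create --role "Storage Account Key Operator Service Role" --assignee 'https://vault.azure.net' --scope $storageResourceId

# Give your user principal access to all storage account permissions, on your Key Vault instance
az keyvault set-policy --name $ADE_KV_NAME --upn $upnname --storage-permissions get list delete set update regeneratekey getsas listsas deletesas setsas recover backup restore purge

# Register the storage account with Key Vault; key1 is the active key and is
# regenerated automatically every day (P1D).
az keyvault storage add --vault-name $ADE_KV_NAME -n $storagename --active-key-name key1 --auto-regenerate-key --regeneration-period P1D --resource-id $storageResourceId

# Fetch the first account key once and reuse it; the original fetched it twice
# and left the first copy unused in $pkey.
$pkey = az storage account keys list -g $myResourceGroup -n $storagename --query "[0].value" -o tsv
if (-not $pkey) { throw "Could not read an account key for storage account $storagename" }

# Build the SAS token that serves as the template for the SAS definition.
# This token is itself a working, full-permission SAS until its expiry or until
# the signing key is regenerated, so it is kept in memory and never printed.
$sastoken = az storage account generate-sas --expiry '2022-12-31' --permissions cdlruwap --resource-types sco --services bfqt --https-only --account-name $storagename --account-key $pkey

# The raw account key is not needed past this point.
Remove-Variable -Name pkey

# Stop here rather than create a SAS definition from an empty template.
if (-not $sastoken) { throw "SAS template generation failed; SAS definition not created" }
echo "- SAS template generated (value not displayed)"

# Create the SAS definition; tokens issued from it are valid for one day (P1D).
az keyvault storage sas-definition create --vault-name $ADE_KV_NAME --account-name $storagename -n $nameofsecret --validity-period P1D --sas-type account --template-uri $sastoken

# Show the stored definition (metadata).
az keyvault storage sas-definition show --id "https://$ADE_KV_NAME.vault.azure.net/storage/$storagename/sas/$nameofsecret"

# Read the secret that backs the definition. This output contains a usable SAS token.
az keyvault secret show --id "https://$ADE_KV_NAME.vault.azure.net/secrets/$storagename-$nameofsecret"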