forked from erjosito/azcli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaad_sp.azcli
74 lines (66 loc) · 3.75 KB
/
aad_sp.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# Create/retrieve SP ID and secret for a given purpose from AKV
# If it doesnt exist, it will create it
# Variables
keyvault_name=erjositoKeyvault
keyvault_rg=keyvaults # Only required if new AKV is to be created
keyvault_loc=westeurope # Only required if new AKV is to be created
purpose=aro
# Day zero: create Azure Key Vault if required
keyvault_rg_found=$(az keyvault list -o tsv --query "[?name=='$keyvault_name'].resourceGroup")
if [[ -n ${keyvault_rg_found} ]]
then
echo "AKV ${keyvault_name} found in resource group $keyvault_rg_found"
keyvault_rg="$keyvault_rg_found"
else
echo "Creating AKV ${keyvault_name} in RG ${keyvault_rg}..."
az group create -n $keyvault_rg -l $keyvault_loc -o none
az keyvault create -n $keyvault_name -g $keyvault_rg -l $keyvault_loc -o none
user_name=$(az account show --query 'user.name' -o tsv)
echo "Setting policies for user ${user_name}..."
az keyvault set-policy -n $keyvault_name -g $keyvault_rg --upn $user_name -o none \
--certificate-permissions backup create delete deleteissuers get getissuers import list listissuers managecontacts manageissuers purge recover restore setissuers update \
--key-permissions backup create decrypt delete encrypt get import list purge recover restore sign unwrapKey update verify wrapKey \
--secret-permissions backup delete get list purge recover restore set \
--storage-permissions backup delete deletesas get getsas list listsas purge recover regeneratekey restore set setsas update
fi
# Get SP details from AKV
keyvault_name=erjositoKeyvault
keyvault_appid_secret_name=$purpose-sp-appid
keyvault_password_secret_name=$purpose-sp-secret
sp_app_id=$(az keyvault secret show --vault-name $keyvault_name -n $keyvault_appid_secret_name --query 'value' -o tsv)
sp_app_secret=$(az keyvault secret show --vault-name $keyvault_name -n $keyvault_password_secret_name --query 'value' -o tsv)
# If a secret was found, verify whether SP has expired, and if so, renew it
if [[ -n "$sp_app_id" ]] || [[ -n "$sp_app_secret" ]]
then
sp_end_date=$(az ad app show --id $sp_app_id --query 'passwordCredentials[0].endDate' -o tsv)
sp_end_date=$(date --date="$sp_end_date" +%s)
now=$(date +%s)
if [[ $sp_end_date < $now ]]
then
echo "SP expired, extending one year"
new_password=$(az ad app credential reset --id $sp_app_id --years 1 --query password -o tsv)
az keyvault secret set --vault-name $keyvault_name --name $keyvault_password_secret_name --value $new_password -o none
sp_app_secret=$new_password
else
echo "SP not expired"
fi
fi
# If either is blank, create new SP with the required name
if [[ -z "$sp_app_id" ]] || [[ -z "$sp_app_secret" ]]
then
# Create new SP
sp_name=$purpose
sp_output=$(az ad sp create-for-rbac --name $sp_name --skip-assignment 2>/dev/null)
sp_app_id=$(echo $sp_output | jq -r '.appId')
sp_app_secret=$(echo $sp_output | jq -r '.password')
az keyvault secret set --vault-name $keyvault_name --name $keyvault_appid_secret_name --value $sp_app_id -o none
az keyvault secret set --vault-name $keyvault_name --name $keyvault_password_secret_name --value $sp_app_secret -o none
# Optionally, assign Azure RBAC roles (example a RG) or AKV policy (example certificate/secret get if the SP should be able to retrieve certs)
# rg_name=my-rg
# rg_id=$(az group show -n $rg_name --query id -o tsv)
# az role assignment create --scope $rg_id --assignee $sp_app_id --role Contributor
# az keyvault set-policy -n $keyvault_name --object-id $sp_app_id --certificate-permissions get --secret-permissions get
fi
# Try to login as service principal
tenant=$(az account show --query tenantId -o tsv)
az login --service-principal -u $sp_app_id -p $sp_app_secret --tenant $tenant