Set-AzureKeyVaultAccessPolicy

Grants or modifies existing permissions for a user or application to perform operations with the Azure Key Vault.

Syntax

Parameter Set: ByObjectId
Set-AzureKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <System.String> ] -ObjectId <Guid> [-EnabledForDeployment] [-PassThru] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete | backup | restore | all}[] ] [-PermissionsToSecrets {get | list | set | delete | all}[] ] [-Profile <Microsoft.Azure.Common.Authentication.Models.AzureProfile> ] [ <CommonParameters>]

Parameter Set: ByServicePrincipalName
Set-AzureKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <System.String> ] -ServicePrincipalName <String> [-EnabledForDeployment] [-PassThru] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete | backup | restore | all}[] ] [-PermissionsToSecrets {get | list | set | delete | all}[] ] [-Profile <Microsoft.Azure.Common.Authentication.Models.AzureProfile> ] [ <CommonParameters>]

Parameter Set: ByUserPrincipalName
Set-AzureKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <System.String> ] -UserPrincipalName <String> [-EnabledForDeployment] [-PassThru] [-PermissionsToKeys {decrypt | encrypt | unwrapKey | wrapKey | verify | sign | get | list | update | create | import | delete | backup | restore | all}[] ] [-PermissionsToSecrets {get | list | set | delete | all}[] ] [-Profile <Microsoft.Azure.Common.Authentication.Models.AzureProfile> ] [ <CommonParameters>]

Parameter Set: None
Set-AzureKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <System.String> ] -EnabledForDeployment [-PassThru] [-Profile <Microsoft.Azure.Common.Authentication.Models.AzureProfile> ] [ <CommonParameters>]

Detailed Description

The Set-AzureKeyVaultAccessPolicy cmdlet grants or modifies existing permissions for a user or application to perform the specified operations with the Azure Key Vault. It does not modify the permissions that other users or applications have on the key vault.

The following directories must all be the same Azure directory:

-- The Azure directory in which the key vault owner's user account resides.
-- The default directory of the Azure subscription in which the key vault resides.
-- The Azure directory in which the application service principal is registered.

Examples of scenarios when these conditions are not met and this cmdlet will not work are:

-- Authorizing a user from a different organization to manage your key vault. Each organization has its own directory.
-- Your Azure account has multiple directories. If you register an application in a directory other than the default directory, you will not be able to authorize that application to use your key vaults. The application must be in the default directory.

Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance.

Parameters

-EnabledForDeployment

Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.

Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

true(ByPropertyName)

Accept Wildcard Characters?

false

-ObjectId<Guid>

Specifies the object ID of the user or service principal in Azure Active Directory for which to grant permissions.

Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

true(ByPropertyName)

Accept Wildcard Characters?

false

-PassThru

Indicates that this cmdlet returns the updated key vault object. By default, this cmdlet does not generate any output.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-PermissionsToKeys<System.String[]>

Specifies an array of key operation permissions to grant to a user or service principal. The acceptable values for this parameter are:

-- Decrypt
-- Encrypt
-- UnwrapKey
-- WrapKey
-- Verify
-- Sign
-- Get
-- List
-- Update
-- Create
-- Import
-- Delete
-- Backup
-- Restore
-- All

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true(ByPropertyName)

Accept Wildcard Characters?

false

-PermissionsToSecrets<System.String[]>

Specifies an array of secret operation permissions to grant to a user or service principal. The acceptable values for this parameter are:

-- Get
-- List
-- Set
-- Delete
-- All

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true(ByPropertyName)

Accept Wildcard Characters?

false

-Profile<Microsoft.Azure.Common.Authentication.Models.AzureProfile>

Specifies the Azure profile from which this cmdlet reads. If you do not specify a profile, this cmdlet reads from the local default profile.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ResourceGroupName<System.String>

Specifies the name of the resource group associated with the key vault whose access policy is being modified. If not specified, this cmdlet searches for the key vault in the current subscription.

Aliases

none

Required?

false

Position?

2

Default Value

none

Accept Pipeline Input?

true(ByPropertyName)

Accept Wildcard Characters?

false

-ServicePrincipalName<String>

Specifies the service principal name of the application to which to grant permissions. Specify the application ID, also known as client ID, registered for the application in Azure Active Directory. The application with the service principal name that this parameter specifies must be registered in the Azure directory that contains your current subscription or the subscription specified by the SubscriptionName parameter, if that parameter is specified.

Aliases

SPN

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

true(ByPropertyName)

Accept Wildcard Characters?

false

-UserPrincipalName<String>

Specifies the user principal name of the user to whom to grant permissions. This user principal name must exist in the directory associated with the current subscription or in the subscription specified by the SubscriptionName parameter, if that parameter is specified.

Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

true(ByPropertyName)

Accept Wildcard Characters?

false

-VaultName<String>

Specifies the name of a key vault. This cmdlet modifies the access policy for the key vault that this parameter specifies.

Aliases

none

Required?

true

Position?

1

Default Value

none

Accept Pipeline Input?

true(ByPropertyName)

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/p/?LinkID=113216).

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • String, Guid, String[], Switch

Outputs

The output type is the type of the objects that the cmdlet emits.

  • Microsoft.Azure.Commands.KeyVault.Models.PSVault

Examples

Example 1: Grant permissions to a user for a key vault and modify the permissions

The first command grants permissions for a user in your Azure Active Directory, PattiFuller@contoso.com, to perform operations on keys and secrets with a key vault named Contoso03Vault.

The second command modifies the permissions that were granted to PattiFuller@contoso.com in the first command, to now allow getting secrets in addition to setting and deleting them. The permissions to key operations remain unchanged after this command. The PassThru parameter results in the updated key vault object being returned by the cmdlet.

The final command further modifies the existing permissions for PattiFuller@contoso.com to remove all permissions to key operations. The permissions to secret operations remain unchanged after this command. The PassThru parameter results in the updated key vault object being returned by the cmdlet.

PS C:\> Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -UserPrincipalName "PattiFuller@contoso.com" -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete
PS C:\> Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -UserPrincipalName "PattiFuller@contoso.com" -PermissionsToSecrets set,delete,get -PassThru
PS C:\> Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -UserPrincipalName "PattiFuller@contoso.com" -PermissionsToKeys @() -PassThru

Example 2: Grant permissions for an application service principal to read and write secrets

This command grants permissions for an application for a vault named Contoso03Vault. The ServicePrincipalName parameter specifies the application. The application must be registered in your Azure Active Directory. The value of the ServicePrincipalName parameter must be either the service principal name of the application or the application ID GUID. This example specifies the service principal name https://payroll.contoso.com, and the command grants the application permissions to read and write secrets.

PS C:\> Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -ServicePrincipalName "https://payroll.contoso.com" -PermissionsToSecrets get,set

Example 3: Grant permissions for an application using its object ID

This command grants the application permissions to read and write secrets. This example specifies the application using the object ID of the service principal of the application.

PS C:\> Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets get,set

Example 4: Enable secrets to be retrieved from a vault by the Microsoft.Compute resource provider

This command grants the permissions for secrets to be retrieved from the Contoso03Vault vault by the Microsoft.Compute resource provider.

PS C:\> Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -ResourceGroupName "Group14" -EnabledForDeployment
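The following script is an added example and is not part of this cmdlet reference. It applies a least-privilege secret policy to a service principal, relying on the replace-the-whole-list behaviour shown in Example 1, and then audits every access policy on the vault object returned through -PassThru. It assumes the returned PSVault exposes an AccessPolicies collection whose entries carry ObjectId, PermissionsToKeys and PermissionsToSecrets (these property names are assumptions); the vault, resource group and service principal name are placeholders.

```powershell
# Added example, not from the original reference. Assumes PSVault.AccessPolicies
# entries expose ObjectId, PermissionsToKeys and PermissionsToSecrets.
# Placeholder names below; replace with your own vault, group and SPN.
$vaultName = "Contoso03Vault"
$rgName    = "Group14"
$spn       = "https://payroll.contoso.com"

# Least privilege for a secret consumer: read individual secrets only.
# Each call replaces the full list for that category, so passing
# -PermissionsToSecrets get also drops any set/delete/list the SPN had before.
# -ResourceGroupName is given for the better performance the reference notes.
$vault = Set-AzureKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgName `
    -ServicePrincipalName $spn -PermissionsToSecrets get -PassThru

# Permissions that expose or destroy key material, or grant everything.
# Entries granting these deserve review on a production vault.
$sensitiveKeyPerms    = @("all", "decrypt", "unwrapkey", "sign", "delete", "restore")
$sensitiveSecretPerms = @("all", "delete")

function Find-BroadAccessPolicy {
    param([Parameter(Mandatory = $true)] $Vault)

    foreach ($policy in $Vault.AccessPolicies) {
        # Values are compared case-insensitively; the cmdlet accepts either casing.
        $keyHits    = @($policy.PermissionsToKeys |
            Where-Object { $sensitiveKeyPerms -contains $_.ToLower() })
        $secretHits = @($policy.PermissionsToSecrets |
            Where-Object { $sensitiveSecretPerms -contains $_.ToLower() })

        if ($keyHits.Count -gt 0 -or $secretHits.Count -gt 0) {
            [pscustomobject]@{
                ObjectId    = $policy.ObjectId
                KeyPerms    = ($keyHits -join ",")
                SecretPerms = ($secretHits -join ",")
            }
        }
    }
}

# One row per access policy that carries a flagged permission; empty output
# means no principal on this vault holds broad key or secret rights.
Find-BroadAccessPolicy -Vault $vault | Format-Table -AutoSize
```

Re-run the audit after every policy change, since the cmdlet leaves other principals' entries untouched and an earlier broad grant to another object ID will persist until it is explicitly narrowed or removed.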

Remove-AzureKeyVaultAccessPolicy