
We have an Azure pipeline that adds get permissions to a key vault using PowerShell.

Set-AzKeyVaultAccessPolicy -ResourceGroupName $MyResourceGroupName -VaultName $MyKeyVaultName -ObjectId $MyObjectId -PermissionsToSecrets get

It runs several times for several objects giving them permissions.

Today on one of the runs I noticed that one object was missing permissions in the keyvault. Looking in the activity log I noticed that instead of adding a new chunk in the policy for the new object, it had suddenly changed the objectid of another existing object in the policy. This caused one object to lose its permissions.

Is this an Azure bug or expected behaviour? Do I need to be explicit about something when using Set-AzKeyVaultAccessPolicy to ensure that I keep the existing policy for the other objects?

Note that this only happened for one of the executions; all the other objects got their permissions added normally.

asked Mar 7 at 13:09 by BubBub

1 Answer

A few of my observations:

Using the -PassThru parameter:

# -PassThru returns the updated vault object so the resulting access policies can be inspected
$keyVault = Set-AzKeyVaultAccessPolicy -ResourceGroupName $MyResourceGroupName -VaultName $MyKeyVaultName -ObjectId $MyObjectId -PermissionsToSecrets get -PassThru

Kindly retrieve the existing policies first:

$keyVault = Get-AzKeyVault -ResourceGroupName $MyResourceGroupName -VaultName $MyKeyVaultName
# Find the existing entry for this object, if any, so its current secret permissions are kept
$existingPolicy = $keyVault.AccessPolicies | Where-Object { $_.ObjectId -eq $MyObjectId }
$secretPermissions = @('get')
if ($existingPolicy) { $secretPermissions += $existingPolicy.PermissionsToSecrets }
$secretPermissions = @($secretPermissions | Select-Object -Unique)
# Set-AzKeyVaultAccessPolicy replaces only the entry for the given -ObjectId; the other entries are left as they are
Set-AzKeyVaultAccessPolicy -ResourceGroupName $MyResourceGroupName -VaultName $MyKeyVaultName -ObjectId $MyObjectId -PermissionsToSecrets $secretPermissions

Updating the module:

Update-Module -Name Az

Alternatively, you can still use the CLI:

az keyvault set-policy

Hope it helps.
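A guard for the pipeline described in the question, added here as an example (it is not the answer's code and not part of Az.KeyVault): it snapshots the vault's access policies before and after the Set-AzKeyVaultAccessPolicy call and fails the step if any other principal's entry disappeared or lost permissions, which is the regression the question describes. It assumes the $MyResourceGroupName, $MyKeyVaultName and $MyObjectId variables from the question and an already authenticated Az session; the Get-AccessPolicySnapshot and Compare-AccessPolicySnapshot function names are my own.

```powershell
# Snapshot the vault's access policies as a hashtable keyed by ObjectId (nulls dropped)
function Get-AccessPolicySnapshot {
    param([string]$ResourceGroupName, [string]$VaultName)
    $vault = Get-AzKeyVault -ResourceGroupName $ResourceGroupName -VaultName $VaultName
    $snapshot = @{}
    foreach ($entry in $vault.AccessPolicies) {
        $snapshot[$entry.ObjectId] = @{
            Keys         = @($entry.PermissionsToKeys         | Where-Object { $_ })
            Secrets      = @($entry.PermissionsToSecrets      | Where-Object { $_ })
            Certificates = @($entry.PermissionsToCertificates | Where-Object { $_ })
        }
    }
    return $snapshot
}

# Return a description of every ObjectId whose entry vanished or lost a permission
function Compare-AccessPolicySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $regressions = @()
    foreach ($objectId in $Before.Keys) {
        if (-not $After.ContainsKey($objectId)) {
            $regressions += "${objectId}: entry removed"
            continue
        }
        foreach ($scope in 'Keys', 'Secrets', 'Certificates') {
            $lost = $Before[$objectId][$scope] | Where-Object { $_ -notin $After[$objectId][$scope] }
            if ($lost) { $regressions += "${objectId}: lost $scope permission(s) $($lost -join ',')" }
        }
    }
    return $regressions
}

$before = Get-AccessPolicySnapshot -ResourceGroupName $MyResourceGroupName -VaultName $MyKeyVaultName
Set-AzKeyVaultAccessPolicy -ResourceGroupName $MyResourceGroupName -VaultName $MyKeyVaultName -ObjectId $MyObjectId -PermissionsToSecrets get
$after = Get-AccessPolicySnapshot -ResourceGroupName $MyResourceGroupName -VaultName $MyKeyVaultName

# Fail the pipeline step if any previously granted principal lost access, and say which
$regressions = @(Compare-AccessPolicySnapshot -Before $before -After $after)
if ($regressions.Count -gt 0) {
    throw "Access policy regression detected after updating ${MyObjectId}:`n$($regressions -join "`n")"
}
# Also confirm the intended grant actually landed
if (-not $after.ContainsKey($MyObjectId) -or 'get' -notin $after[$MyObjectId].Secrets) {
    throw "Expected secret 'get' permission for $MyObjectId was not applied"
}
```

Running the check after every grant turns the silent loss the question reports into a failed pipeline run with the affected ObjectId in the log.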

Tags: azure. Title: Set-AzKeyVaultAccessPolicy overwrote another object's policy instead of adding (Stack Overflow)