
Supported "all" as an option when setting key vault access policies #13524

Merged
merged 4 commits into from
Nov 26, 2020
Merged
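--- a/src/KeyVault/KeyVault.Test/ScenarioTests/AccessPolicyTests.cs
+++ b/src/KeyVault/KeyVault.Test/ScenarioTests/AccessPolicyTests.cs
@@ -0,0 +1,19 @@
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests
+{
+public class AccessPolicyTests : KeyVaultTestRunner
+{
+public AccessPolicyTests(Xunit.Abstractions.ITestOutputHelper output) : base(output)
+{
+}
+
+[Fact]
+[Trait(Category.AcceptanceType, Category.CheckIn)]
+public void TestSetAllAccessPolicies()
+{
+TestRunner.RunTestScript("Test-SetAllAccessPolicies");
+}
+}
+}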
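--- a/src/KeyVault/KeyVault.Test/ScenarioTests/AccessPolicyTests.ps1
+++ b/src/KeyVault/KeyVault.Test/ScenarioTests/AccessPolicyTests.ps1
@@ -0,0 +1,24 @@
+function Test-SetAllAccessPolicies()
+{
+$rg = Get-ResourceGroupName
+$vaultName = GetAssetName
+$rgLocation = Get-Location "Microsoft.Resources" "resourceGroups" "West US"
+$vaultLocation = Get-Location "Microsoft.KeyVault" "vault" "West US"
+$objectId = "d7e17135-d5a7-4b8b-89e5-252aa15b7e01"
+New-AzResourceGroup -Name $rg -Location $rgLocation
+
+try {
+New-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -Location $vaultLocation
+Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $objectId -PermissionsToCertificates all -PermissionsToKeys all -PermissionsToSecrets all -PermissionsToStorage all -BypassObjectIdValidation
+$vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName
+$accessPolicy = $vault.AccessPolicies | ? {$_.ObjectId -eq $objectId}
+Assert-NotNull $accessPolicy
+Assert-AreEqual "all" $accessPolicy.PermissionsToCertificatesStr
+Assert-AreEqual "all" $accessPolicy.PermissionsToKeysStr
+Assert-AreEqual "all" $accessPolicy.PermissionsToSecretsStr
+Assert-AreEqual "all" $accessPolicy.PermissionsToStorageStr
+}
+finally {
+Remove-AzResourceGroup -Name $rg -Force
+}
+}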
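Review bot: The four `Assert-AreEqual "all" $accessPolicy.Permissions...Str` checks only confirm that the literal string `all` is echoed back by Get-AzKeyVault; they do not distinguish a policy where `all` was actually applied from one where the value was stored verbatim and ignored, so the test should also assert on the underlying permission collections (for example that `$accessPolicy.PermissionsToKeys` holds exactly the value the recorded service response returns). The `finally` block removes only the resource group; if the vault is created with soft-delete enabled, which is not visible here, the deleted vault can linger under `$vaultName` and a purge such as `Remove-AzKeyVault -VaultName $vaultName -Location $vaultLocation -InRemovedState -Force` would be needed before the name can be reused in a re-recorded run. Granting `all` on every permission category to a fixed object id is appropriate for a scenario test, but a short comment stating that the id is a placeholder principal used only with `-BypassObjectIdValidation` would make the intent clear to the next maintainer.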


4 changes: 4 additions & 0 deletions src/KeyVault/KeyVault.sln
Expand Up @@ -38,6 +38,10 @@ Global
{142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Debug|Any CPU.Build.0 = Debug|Any CPU
{142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Release|Any CPU.ActiveCfg = Release|Any CPU
{142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Release|Any CPU.Build.0 = Release|Any CPU
{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Debug|Any CPU.Build.0 = Debug|Any CPU
{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Release|Any CPU.ActiveCfg = Release|Any CPU
{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Release|Any CPU.Build.0 = Release|Any CPU
{FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Debug|Any CPU.Build.0 = Debug|Any CPU
{FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Release|Any CPU.ActiveCfg = Release|Any CPU
1 change: 1 addition & 0 deletions src/KeyVault/KeyVault/ChangeLog.md
Expand Up @@ -18,6 +18,7 @@
- Additional information about change #1
-->
## Upcoming Release
* Supported "all" as an option when setting key vault access policies
* Supported new version of SecretManagement module [#13366]
* Supported ByteArray, String, PSCredential and Hashtable for `SecretValue` in SecretManagementModule [#12190]

Expand Up @@ -281,7 +281,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
[Parameter(Mandatory = false,
ParameterSetName = ResourceIdByEmailAddress,
HelpMessage = "Specifies key operation permissions to grant to a user or service principal.")]
[ValidateSet("decrypt", "encrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore", "recover", "purge")]
[ValidateSet("all", "decrypt", "encrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore", "recover", "purge")]
public string[] PermissionsToKeys { get; set; }

/// <summary>
Expand Down Expand Up @@ -323,7 +323,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
[Parameter(Mandatory = false,
ParameterSetName = ResourceIdByEmailAddress,
HelpMessage = "Specifies secret operation permissions to grant to a user or service principal.")]
[ValidateSet("get", "list", "set", "delete", "backup", "restore", "recover", "purge")]
[ValidateSet("all", "get", "list", "set", "delete", "backup", "restore", "recover", "purge")]
public string[] PermissionsToSecrets { get; set; }

/// <summary>
Expand Down Expand Up @@ -365,7 +365,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
[Parameter(Mandatory = false,
ParameterSetName = ResourceIdByEmailAddress,
HelpMessage = "Specifies certificate operation permissions to grant to a user or service principal.")]
[ValidateSet("get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover", "purge", "backup", "restore")]
[ValidateSet("all", "get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover", "purge", "backup", "restore")]
public string[] PermissionsToCertificates { get; set; }

/// <summary>
Expand Down Expand Up @@ -407,7 +407,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
[Parameter(Mandatory = false,
ParameterSetName = ResourceIdByEmailAddress,
HelpMessage = "Specifies managed storage account and sas definition operation permissions to grant to a user or service principal.")]
[ValidateSet("get", "list", "delete", "set", "update", "regeneratekey", "getsas", "listsas", "deletesas", "setsas", "recover", "backup", "restore", "purge")]
[ValidateSet("all", "get", "list", "delete", "set", "update", "regeneratekey", "getsas", "listsas", "deletesas", "setsas", "recover", "backup", "restore", "purge")]
public string[] PermissionsToStorage { get; set; }

[Parameter(Mandatory = false,
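Review bot: The HelpMessage above the PermissionsToKeys ValidateSet still lists only individual operations, so nothing in the cmdlet tells a caller that `all` is an aggregate grant covering every listed permission, including `delete` and `purge`; the PermissionsToSecrets, PermissionsToCertificates and PermissionsToStorage hunks below have the same gap. Since the HelpMessage is what Get-Help and tab completion surface, it should state the expansion explicitly, e.g. `HelpMessage = "Specifies key operation permissions to grant to a user or service principal. 'all' grants every key permission, including delete and purge."`, with matching wording on the other three parameters. The visible hunks also accept a mixed list such as `all, get`; whether the service merges or rejects that combination is not shown here, so it is worth either validating it in the processing path or documenting the precedence in the same HelpMessage. The SetAzureKeyVaultAccessPolicy class and its processing logic lie outside these hunks.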
6 changes: 3 additions & 3 deletions src/KeyVault/KeyVault/help/Get-AzKeyVault.md
Expand Up @@ -240,7 +240,7 @@ Required: False
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Accept wildcard characters: True
```

### -Tag
Expand Down Expand Up @@ -271,7 +271,7 @@ Required: False
Position: 0
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Accept wildcard characters: True
```

```yaml
Expand All @@ -283,7 +283,7 @@ Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Accept wildcard characters: True
```

### CommonParameters
4 changes: 2 additions & 2 deletions src/KeyVault/KeyVault/help/Get-AzKeyVaultCertificate.md
Expand Up @@ -318,7 +318,7 @@ Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accept wildcard characters: True
```

```yaml
Expand All @@ -330,7 +330,7 @@ Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accept wildcard characters: True
```

### -ResourceId
Expand Up @@ -115,7 +115,7 @@ Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accept wildcard characters: True
```

### -ResourceId
4 changes: 2 additions & 2 deletions src/KeyVault/KeyVault/help/Get-AzKeyVaultKey.md
Expand Up @@ -333,7 +333,7 @@ Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accept wildcard characters: True
```

```yaml
Expand All @@ -345,7 +345,7 @@ Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accept wildcard characters: True
```

### -OutFile
Expand Up @@ -113,7 +113,7 @@ Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accept wildcard characters: True
```

### -DefaultProfile
4 changes: 2 additions & 2 deletions src/KeyVault/KeyVault/help/Get-AzKeyVaultSecret.md
Expand Up @@ -353,7 +353,7 @@ Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accept wildcard characters: True
```

```yaml
Expand All @@ -365,7 +365,7 @@ Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accept wildcard characters: True
```

### -ResourceId
4 changes: 2 additions & 2 deletions src/KeyVault/KeyVault/help/Get-AzManagedHsm.md
Expand Up @@ -99,7 +99,7 @@ Required: False
Position: 0
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Accept wildcard characters: True
```

### -ResourceGroupName
Expand All @@ -114,7 +114,7 @@ Required: False
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Accept wildcard characters: True
```

### -Tag
4 changes: 2 additions & 2 deletions src/KeyVault/KeyVault/help/Get-AzManagedHsmKey.md
Expand Up @@ -353,7 +353,7 @@ Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accept wildcard characters: True
```

```yaml
Expand All @@ -365,7 +365,7 @@ Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Accept wildcard characters: True
```

### -OutFile
27 changes: 23 additions & 4 deletions src/KeyVault/KeyVault/help/Set-AzKeyVaultAccessPolicy.md
Expand Up @@ -440,6 +440,7 @@ Accept wildcard characters: False
### -PermissionsToCertificates
Specifies an array of certificate permissions to grant to a user or service principal.
The acceptable values for this parameter:
- All
- Get
- List
- Delete
Expand All @@ -461,7 +462,7 @@ The acceptable values for this parameter:
Type: System.String[]
Parameter Sets: ByUserPrincipalName, ByObjectId, ByServicePrincipalName, ByEmailAddress, InputObjectByObjectId, InputObjectByServicePrincipalName, InputObjectByUserPrincipalName, InputObjectByEmailAddress, ResourceIdByObjectId, ResourceIdByServicePrincipalName, ResourceIdByUserPrincipalName, ResourceIdByEmailAddress
Aliases:
Accepted values: get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge, backup, restore
Accepted values: all, get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge, backup, restore

Required: False
Position: Named
Expand All @@ -473,6 +474,7 @@ Accept wildcard characters: False
### -PermissionsToKeys
Specifies an array of key operation permissions to grant to a user or service principal.
The acceptable values for this parameter:
- All
- Decrypt
- Encrypt
- UnwrapKey
Expand All @@ -494,7 +496,7 @@ The acceptable values for this parameter:
Type: System.String[]
Parameter Sets: ByUserPrincipalName, ByObjectId, ByServicePrincipalName, ByEmailAddress, InputObjectByObjectId, InputObjectByServicePrincipalName, InputObjectByUserPrincipalName, InputObjectByEmailAddress, ResourceIdByObjectId, ResourceIdByServicePrincipalName, ResourceIdByUserPrincipalName, ResourceIdByEmailAddress
Aliases:
Accepted values: decrypt, encrypt, unwrapKey, wrapKey, verify, sign, get, list, update, create, import, delete, backup, restore, recover, purge
Accepted values: all, decrypt, encrypt, unwrapKey, wrapKey, verify, sign, get, list, update, create, import, delete, backup, restore, recover, purge

Required: False
Position: Named
Expand All @@ -506,6 +508,7 @@ Accept wildcard characters: False
### -PermissionsToSecrets
Specifies an array of secret operation permissions to grant to a user or service principal.
The acceptable values for this parameter:
- All
- Get
- List
- Set
Expand All @@ -519,7 +522,7 @@ The acceptable values for this parameter:
Type: System.String[]
Parameter Sets: ByUserPrincipalName, ByObjectId, ByServicePrincipalName, ByEmailAddress, InputObjectByObjectId, InputObjectByServicePrincipalName, InputObjectByUserPrincipalName, InputObjectByEmailAddress, ResourceIdByObjectId, ResourceIdByServicePrincipalName, ResourceIdByUserPrincipalName, ResourceIdByEmailAddress
Aliases:
Accepted values: get, list, set, delete, backup, restore, recover, purge
Accepted values: all, get, list, set, delete, backup, restore, recover, purge

Required: False
Position: Named
Expand All @@ -530,12 +533,28 @@ Accept wildcard characters: False

### -PermissionsToStorage
Specifies managed storage account and SaS-definition operation permissions to grant to a user or service principal.
The acceptable values for this parameter:
- all
- get
- list
- delete
- set
- update
- regeneratekey
- getsas
- listsas
- deletesas
- setsas
- recover
- backup
- restore
- purge

```yaml
Type: System.String[]
Parameter Sets: ByUserPrincipalName, ByObjectId, ByServicePrincipalName, ByEmailAddress, InputObjectByObjectId, InputObjectByServicePrincipalName, InputObjectByUserPrincipalName, InputObjectByEmailAddress, ResourceIdByObjectId, ResourceIdByServicePrincipalName, ResourceIdByUserPrincipalName, ResourceIdByEmailAddress
Aliases:
Accepted values: get, list, delete, set, update, regeneratekey, getsas, listsas, deletesas, setsas, recover, backup, restore, purge
Accepted values: all, get, list, delete, set, update, regeneratekey, getsas, listsas, deletesas, setsas, recover, backup, restore, purge

Required: False
Position: Named