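#!/usr/bin/env ansible-playbook
#
# Example: align a service principal's secret permissions on an Azure Key
# Vault with the list given in az_sp_policy_secret_permissions, for a
# vault in a given resource group.
#
# Required variables:
#   az_vault_name                    - name of the Key Vault
#   az_resource_group                - resource group holding the vault
#   az_sp_policy_secret_permissions  - list of secret permissions the SP
#                                      should end up with (e.g. get, list)
#
# The `az` CLI must already be logged in as the service principal whose
# policy is managed: its appId is read from `az account show`.
# NOTE(review): `az keyvault set-policy` targets the access-policy model;
# RBAC-enabled vaults need role assignments instead — not handled here.
##############################################################
---
- name: "Service Principal Access for a AZ Keyvault example."
  hosts: "localhost"
  become: false
  tasks:
    # All CLI calls run on the controller, once. The three lookups are
    # unconditional; only the final set-policy task is guarded, because
    # its condition depends on the lookup registered inside this block.
    - name: "SP Access for AZ KV"
      delegate_to: "localhost"
      run_once: true
      block:
        - name: "Get application id of the SP"
          # For a service-principal login, user.name holds the appId.
          command: >
            az account show --query "user.name" --output "tsv"
          register: __az_app_id
          changed_when: false

        - name: "Get object id for the enterprise application service principal"
          # `command` does not go through a shell, so the literal `$filter`
          # and `$select` OData parameters are passed through unexpanded.
          command: >
            az rest --method "get"
            --uri "https://graph.microsoft.com/v1.0/servicePrincipals"
            --url-parameters "$filter=appId eq '{{ __az_app_id.stdout }}'" "$select=id"
            --query "value[].id" --output "tsv"
          register: __az_object_id
          changed_when: false
          # Stop before touching the vault if the lookup returned nothing;
          # an empty object id would otherwise be passed to set-policy.
          failed_when: __az_object_id.rc != 0 or (__az_object_id.stdout | trim | length) == 0

        - name: "Lookup the keyvault access for the service principle"
          # JSON list of the SP's current secret permissions on the vault;
          # `[]` when the SP has no access policy entry yet.
          command: >
            az keyvault
            show
            --name "{{ az_vault_name }}"
            --resource-group "{{ az_resource_group }}"
            --query
            'properties.accessPolicies[?objectId == `{{ __az_object_id.stdout }}`].permissions.secrets[]'
            --output json
          register: __az_sp_keyvault_access
          changed_when: false

        - name: "Limit the keyvault access for SP"
          # Rewrite the policy only when the current secret permissions differ
          # from the desired set; both sides are compared as sorted lists so
          # ordering does not matter.
          # NOTE(review): assumes the CLI reports permission names in the same
          # case as az_sp_policy_secret_permissions — confirm for your CLI version.
          command: >
            az keyvault set-policy
            --name "{{ az_vault_name }}" --resource-group "{{ az_resource_group }}"
            --object-id "{{ __az_object_id.stdout }}"
            --secret-permissions "{{ az_sp_policy_secret_permissions | join(' ') }}"
          register: __result
          when: >-
            (__az_sp_keyvault_access.stdout | from_json | sort)
            != (az_sp_policy_secret_permissions | sort)
...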