Scripts/Get-AzKeyVaultAccessPolicies.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
param(
   [Parameter(Mandatory = $true)][string] $KeyVaultName = $(throw "Name of the Azure Key Vault is required"),
   [Parameter(Mandatory = $false)][string] $ResourceGroupName = ""
)

$keyVault = $null
if($resourceGroupName -eq '') {
    Write-Verbose "Looking for the Azure Key Vault with name '$keyVaultName'..."
    $keyVault = Get-AzKeyVault -VaultName $keyVaultName
} else {
    Write-Verbose "Looking for the Azure Key Vault with name '$keyVaultName' in resource group '$resourceGroupName'.."
    $keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
}

$armAccessPolicies = @()
if($keyVault) {    
    Write-Verbose "Found Azure Key Vault '$keyVaultName'"
    
    $keyVaultAccessPolicies = $keyVault.accessPolicies
    if($keyVaultAccessPolicies)
    {    
       foreach($keyVaultAccessPolicy in $keyVaultAccessPolicies) {
          $armAccessPolicy = [pscustomobject]@{
             tenantId = $keyVaultAccessPolicy.TenantId
             objectId = $keyVaultAccessPolicy.ObjectId
          }

          $armAccessPolicyPermissions = [pscustomobject]@{
             keys =  $keyVaultAccessPolicy.PermissionsToKeys
             secrets = $keyVaultAccessPolicy.PermissionsToSecrets
             certificates = $keyVaultAccessPolicy.PermissionsToCertificates
             storage = $keyVaultAccessPolicy.PermissionsToStorage
          }

          Write-Verbose "Azure Key Vault access policy successfully retrieved for TenantId: $($armAccessPolicy.tenantId) and ObjectId: $($armAccessPolicy.ObjectId)"
          Write-Verbose ($armAccessPolicyPermissions | Format-list | Out-String) 

          $armAccessPolicy | Add-Member -MemberType NoteProperty -Name permissions -Value $armAccessPolicyPermissions
          $armAccessPolicies += $armAccessPolicy
       }       
       
        Write-Host "Successfully retrieved Azure Key Vault access policies"
    }    
} else {
    Write-Warning "Azure Key Vault '$keyVaultName' could not be found, please check if the provided vault name and/or resource group name is correct."
}

$armAccessPoliciesParameter = [pscustomobject]@{
    list = $armAccessPolicies
}

return $armAccessPoliciesParameter