Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1


<#PSScriptInfo
 
.VERSION 1.0.1
 
.GUID 211599f3-ffaa-45fd-addd-6cce7da91f80
 
.AUTHOR Automation Team
 
.COMPANYNAME
 
.COPYRIGHT
 
.TAGS AzureAutomation
 
.LICENSEURI
 
.PROJECTURI
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
 
 
.PRIVATEDATA
 
#>


<#
 
.DESCRIPTION
    This script will add the Reader role to an Automation RunAs Account for the specified Key Vault.
 
    If your RunAs account is configured with a custom role assignment, it may not have access to any of your Key Vault
    instances. This script will add a "Reader" role assignment to your RunAs account for the specified Key Vault. This
    will allow runbooks that authenticate with this RunAs account to read secrets and keys from the specified Key Vault.
 
#>
 

<#
.SYNOPSIS
    This script will add the Reader role to an Automation RunAs Account for the specified Key Vault.
 
.PREREQUISITES
    To run this script, your Powershell console has to be connected to Azure. Use Login-AzureRmAccount to log in.
    To run this script, you will need write permissions on role definitions and role assignments for all provided subscriptions.
    
.USAGE
    .\Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1 `
            -SubscriptionId <SubscriptionId> `
            -AutomationAccountResourceGroupName <AutomationAccountResourceGroupName> `
            -AutomationAccountName <AutomationAccountName> `
            -KeyVaultResourceGroupName <KeyVaultResourceGroupName> `
            -KeyVaultName <KeyVaultName>
             
.NOTES
    LASTEDIT: June 26, 2019
#>


Param (
    [Parameter(Mandatory = $true)]
    [String] $SubscriptionId,

    [Parameter(Mandatory = $true)]
    [String] $AutomationAccountResourceGroupName,

    [Parameter(Mandatory = $true)]
    [String] $AutomationAccountName,
    
    [Parameter(Mandatory = $true)]
    [String] $KeyVaultResourceGroupName,

    [Parameter(Mandatory = $true)]
    [String] $KeyVaultName,
    
    [Parameter(Mandatory = $false)]
    [bool] $UseAzModules = $false
)

function GetRunAsAccountAADApplicationId([string] $resourceGroupName, [string] $automationAccountName) 
{  
    $connectionAssetName = "AzureRunAsConnection"

    $runasAccountConnection = Get-AzureRmAutomationConnection `
        -Name $connectionAssetName `
        -ResourceGroupName $resourceGroupName `
        -AutomationAccountName $automationAccountName `
        -ErrorAction SilentlyContinue

    $runasAccountAADAplicationId = $null
    if ($runasAccountConnection) 
    {
        [GUID]$runasAccountAADAplicationId=$runasAccountConnection.FieldDefinitionValues['ApplicationId']
        Write-Host ("A RunAs account is present, and its ApplicationId is: " + $runasAccountAADAplicationId)
    }

    return $runasAccountAADAplicationId;
}

# Main code starting here ...
if ($UseAzModules) 
{
    Enable-AzureRmAlias -Scope CurrentUser
}

Select-AzureRmSubscription -SubscriptionId $SubscriptionId

$runasAccountAADAplicationId = GetRunAsAccountAADApplicationId `
                                -resourceGroupName $AutomationAccountResourceGroupName `
                                -automationAccountName $AutomationAccountName
if ($runasAccountAADAplicationId) 
{ 
    # This script will look for and assign the 'Reader' role to your RunAs account. You can change
    # the script to look for and assign a different role if needed, such as 'Contributor'.
    $customRoleDefinitionName = "Reader"

    $getRoleAssignment = Get-AzureRMRoleAssignment `
                                -ServicePrincipalName $runasAccountAADAplicationId `
                                -RoleDefinitionName $customRoleDefinitionName `
                                -ResourceGroupName $KeyVaultResourceGroupName `
                                -ResourceType "Microsoft.KeyVault/vaults" `
                                -ResourceName $KeyVaultName `
                                -ErrorAction Stop

    if (!$getRoleAssignment)
    {
        $newRoleAssignment = New-AzureRmRoleAssignment `
                            -RoleDefinitionName $customRoleDefinitionName `
                            -ApplicationId $runasAccountAADAplicationId `
                            -ResourceGroupName $KeyVaultResourceGroupName `
                            -ResourceType "Microsoft.KeyVault/vaults" `
                            -ResourceName $KeyVaultName `
                            -ErrorAction Stop
        Write-Host "Created new role assignment: "
        $newRoleAssignment
    }
    else
    {
        Write-Host "Role assignment already exists: "
        $getRoleAssignment
    }

    # This script only assigns get and list permissions to keys and secrets. You can change this to
    # add other permissions.
    # See https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurermkeyvaultaccesspolicy
    Set-AzureRmKeyVaultAccessPolicy -ServicePrincipalName $runasAccountAADAplicationId `
        -ResourceGroupName $KeyVaultResourceGroupName `
        ï¿½VaultName $KeyVaultName `
        -PermissionsToKeys get,list `
        ï¿½PermissionsToSecrets get,list

}