Private/New-CustomAzKeyVault.ps1
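function Global:New-CustomAzKeyVault {
    <#
    .SYNOPSIS
        Returns the named Key Vault, creating it first if it does not exist, and optionally
        grants an access policy and seeds secrets.

    .DESCRIPTION
        Registers the Microsoft.KeyVault resource provider, looks the vault up by name in the
        resource group and creates it when the lookup returns nothing. On creation only, an
        access policy is granted to the principal in -ObjectID. Afterwards every entry of
        -ValueTable is written as a secret (this part runs for new and pre-existing vaults).
        The vault object is the only pipeline output.

    .PARAMETER ResourceGroupName
        Resource group that holds (or will hold) the vault.

    .PARAMETER ResourceLocation
        Azure region used only when the vault has to be created.

    .PARAMETER KeyVaultName
        Name of the vault (Key Vault names are globally unique).

    .PARAMETER ObjectID
        Object ID (a GUID) of the AAD principal that receives a full key/secret access policy.
        Only applied when this call creates the vault. Because the policy is set with
        -BypassObjectIdValidation, the ID is not checked against AAD; it must come from a
        trusted source (e.g. your own Get-AzADUser output).

    .PARAMETER ValueTable
        Hashtable (or any IDictionary) of secret name -> plaintext value. Values are converted
        to SecureStrings for Set-AzKeyVaultSecret but live in plaintext in the caller's memory
        and in anything that captures the call's arguments (transcripts, -Verbose dumps).

    .OUTPUTS
        The PSKeyVault object for the vault.

    .NOTES
        Az cmdlets raise non-terminating errors by default, so every Az call here uses
        -ErrorAction Stop: a failed provider registration reaches the catch block, and a failed
        New-AzKeyVault no longer lets the function continue with $keyVault = $null.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $ResourceGroupName,

        [Parameter(Mandatory = $true)]
        [string] $ResourceLocation,

        [Parameter(Mandatory = $true)]
        [string] $KeyVaultName,

        [Parameter(Mandatory = $false)]
        [string] $ObjectID,

        $ValueTable
    )

    process {
        try {
            # Piped to Out-Null: the provider registration object would otherwise be emitted
            # to the pipeline ahead of the vault, turning the function's output into an array.
            Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault" -ErrorAction Stop | Out-Null
        }
        catch {
            throw "Error registering resource provider. $($_.Exception.Message)"
        }

        Write-CustomHost -Message "Checking if KeyVault $KeyVaultName already exists..."
        # SilentlyContinue: "not found" is the expected negative answer here, not an error.
        $keyVault = Get-AzKeyVault -ResourceGroupName $ResourceGroupName -VaultName $KeyVaultName -ErrorAction SilentlyContinue

        if (-not $keyVault) {
            Write-CustomHost -Message "Creating KeyVault $KeyVaultName ..."

            # Each -EnabledFor* switch widens who can read from the vault: Azure VMs pulling
            # certificates at deployment, ARM template deployments resolving secret references,
            # and the disk-encryption service. The vault is created without purge protection
            # and without RBAC authorization; NOTE(review): enable -EnablePurgeProtection for
            # anything beyond dev/test, since the policy below also grants "purge".
            $vaultArgs = @{
                ResourceGroupName            = $ResourceGroupName
                Location                     = $ResourceLocation
                Name                         = $KeyVaultName
                EnabledForDiskEncryption     = $true
                EnabledForDeployment         = $true
                EnabledForTemplateDeployment = $true
                ErrorAction                  = 'Stop'
            }
            $keyVault = New-AzKeyVault @vaultArgs

            # Needed when the caller uses a guest account in the subscription or a non-work
            # account (e.g. a personal MSDN account): the vault then gets no usable default
            # policy for the creator, so the caller's own ObjectID (from Get-AzADUser) must be
            # granted explicitly.
            #
            # SECURITY: -BypassObjectIdValidation skips the AAD lookup, and the policy grants
            # every key and secret permission including purge (irrevocable deletion that
            # defeats soft-delete recovery). A mistyped or attacker-controlled ObjectID hands
            # full control of the vault to whatever principal owns that ID. The GUID check
            # below catches garbage; it cannot tell a wrong GUID from the right one.
            if ($ObjectID) {
                $parsedId = [guid]::Empty
                if (-not [guid]::TryParse($ObjectID, [ref] $parsedId)) {
                    throw "ObjectID '$ObjectID' is not a valid GUID; refusing to grant an unvalidated access policy."
                }

                $policyArgs = @{
                    VaultName                = $KeyVaultName
                    ResourceGroupName        = $ResourceGroupName
                    BypassObjectIdValidation = $true
                    ObjectId                 = $ObjectID
                    PermissionsToKeys        = @('decrypt', 'encrypt', 'unwrapKey', 'wrapKey', 'verify', 'sign',
                                                 'get', 'list', 'update', 'create', 'import', 'delete',
                                                 'backup', 'restore', 'recover', 'purge')
                    PermissionsToSecrets     = @('get', 'list', 'set', 'delete', 'backup', 'restore', 'recover', 'purge')
                    ErrorAction              = 'Stop'
                }
                Set-AzKeyVaultAccessPolicy @policyArgs
            }

            Write-CustomHost -Message "Done."
        }
        # NOTE(review): when the vault already exists it is returned as-is even if -ObjectID
        # was supplied; the access policy is only applied on creation. Confirm this is intended.

        if ($ValueTable) {
            foreach ($ValuePair in $ValueTable.GetEnumerator()) {
                # Log the secret name only; the value must never reach the host/transcript.
                Write-CustomHost -Message "Adding entry $($ValuePair.Key)"

                # The value arrives in plaintext, so -AsPlainText -Force is the only way to
                # wrap it; the SecureString only limits exposure from this point on.
                $secretValue = ConvertTo-SecureString -String $ValuePair.Value -AsPlainText -Force
                # -ErrorAction Stop: a secret that fails to write aborts the call instead of
                # silently handing back a vault that is missing entries.
                Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $ValuePair.Key -SecretValue $secretValue -ErrorAction Stop | Out-Null
            }
        }

        $keyVault
    }
}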