It’s been a while that the ‘Switch AzureMode’ is deprecated in the Azure PowerShell and has left breaking changes in all the scripts that were using it. I had come across this mode switch first, when starting off with Azure Key Vault, as the then existing cmdlets depended on it. Now that it is deprecated we have updated versions of the PowerShell cmdlets to manage Azure Key Vault. This post revisits all the scripts used in the previous Key Vault posts and provides the updated scripts.

Most of the scripts have the only change of having an extra ‘Rm’ indicating that those were off the Resource Manager.

Creating a New Azure Key Vault
1
2
New-AzureRmResourceGroup -Name KeyVaultGroup -Location "East Asia"
New-AzureRmKeyVault -VaultName RahulKeyVault -ResourceGroupName KeyVaultGroup -Location "East Asia"

Creating a new key/secret remains the same

Creating a Key/Secret in Vault
1
2
3
4
5
6
# Key
Add-AzureKeyVaultKey -VaultName RahulKeyVault -Name NewKey -Destination Software

# Secret
$apiKey = ConvertTo-SecureString -String "ApiKey" -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName RahulKeyVault -Name "ApiKey" -SecretValue $apiKey
Getting existing Vault details
1
Get-AzureRmKeyVault -VaultName RahulKeyVault
Creating AD application with certificate authentication
1
2
3
4
5
6
7
8
9
10
$certificateFilePath = "C:\certificates\ADTestVaultApplication.cer"
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificate.Import($certificateFilePath)
$rawCertificateData = $certificate.GetRawCertData()
$credential = [System.Convert]::ToBase64String($rawCertificateData)
$startDate= [System.DateTime]::Now
$endDate = $startDate.AddYears(1)
$adApplication = New-AzureRmADApplication -DisplayName "RahulTestADApplication"
-HomePage  "http://www.rahulpnath.com" -IdentifierUris "http://www.rahulpnath.com"
-KeyValue  $credential -KeyType "AsymmetricX509Cert" -KeyUsage "Verify" -StartDate $startDate -EndDate $endDate
Associating the AD application with the key vault
1
2
3
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $adApplication.ApplicationId
Set-AzureRmKeyVaultAccessPolicy -VaultName 'RahulKeyVault' -ObjectId  $servicePrincipal.Id -PermissionsToKeys all -PermissionsToSecrets all
$ServicePrincipal.ApplicationId #Outputs the ServicePrincipalName/AppPrincipalId 
User Role assignment
1
2
New-AzureRmRoleAssignment -Mail keyvaultuser@domain.onmicrosoft.com
  -RoleDefinitionName Reader -ResourceGroupName SharedGroup

Please drop a comment if I have missed any!

Comments