将备份管理服务添加到Azure Powershell中的Keyvault

Question

In order to backup encrypted virtual machines in azure, Backup Management Service requires permissions in the key vault. There is a template for this in the portal that allows you to add the permissions required however I cannot find either documentation to do this in powershell nor can I find the object id for the backup management service to use Set-AzureRmKeyVaultAccessPolicy.

I dont want to have to manually add this access policy into every key vault I create for my encrypted virtual machines.

Editing for further clarity:

I know how to set access policy with powershell and I do so for my aad service principal for writing the keys to key vault at encryption time. However for Recovery Services Vault to work, the Azure backup service also needs access to the keys, I cannot find out how to add this Azure backup service to the key vault using Powershell, I can only see how to do it in the portal which is: Add access policy > Configure from template > Azure Backup. This adds the Service Principal "Backup Management Service" to the key vault. I cannot find this service principal in my subscription nor does Powershell accept this as a valid name.

Answer 1

I know this post is 2 months old, but I found a solution. run this to get the object ID of that "built in" service principal

$spobj = Get-AzureRmADServicePrincipal -SearchString "Backup Management Service"

then this should work against your keyvault.

Set-AzureRmKeyVaultAccessPolicy -ObjectId $spobj.Id -VaultName $kvname -PermissionsToKeys get,list,backup -PermissionsToSecrets get,list,backup