
Azure storage account key updation using RM module

I am trying to set up a PowerShell script which would update the storage account credentials every once in a while, and below is the script that I have come across; it works perfectly fine.

function setupContext(){
    # Interactive login, then persist the context so later runs can reuse it
    Add-AzureRmAccount
    Save-AzureRmContext -Path "path\to\json\file"
}

#setupContext
Import-AzureRmContext -Path "path\to\json\file"
$subscriptionId='***********************************'
Select-AzureRmSubscription -SubscriptionId $subscriptionId -WarningAction SilentlyContinue
$resourceGroup="**************"
$storageAccountName="******************"
# Regenerate key2; the result's Keys array holds both key1 and key2, so select key2 by name
$BLOBKey= New-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccountName -KeyName key2
Write-Host "BLOB Key:" ($BLOBKey.Keys | Where-Object KeyName -eq 'key2').Value

The above code does the required work; however, it requires us to log in to the Azure RM account, which basically defeats the idea of automating this process, since I would need to keep updating this generated profile.

Note: I am not allowed to use the Az module as of now, since the environment in which I work has some .NET version limitations.

So if there is any other solution which could overcome the Azure RM login issue, please suggest.

Use Azure Automation. This automatically sets up something called a RunAs account, which, simply said, is just an Azure AD Service Principal.

Then assign this principal privileges on the storage account just like any other user and you are done.

And in the Automation Runbook do:

# The RunAs connection asset holds the service principal's tenant, app id and certificate thumbprint
$connection = Get-AutomationConnection -Name AzureRunAsConnection
# Certificate-based, non-interactive login as the service principal
Connect-AzureRmAccount `
    -ServicePrincipal `
    -Tenant $connection.TenantID `
    -ApplicationId $connection.ApplicationID `
    -CertificateThumbprint $connection.CertificateThumbprint

$AzureContext = Select-AzureRmSubscription -SubscriptionId $connection.SubscriptionID

... run rest of the code ...

If you want to run this from outside of Azure, like on an on-prem server, then set up the service principal manually. Here is a guide:

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

And just log into this app from PowerShell instead of the user.
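The answer above grants the principal rights on the storage account "just like any other user". The following is an added example (not part of the answer) that does the assignment with AzureRM cmdlets instead of the portal, scoped to the single storage account and using the built-in "Storage Account Key Operator Service Role", which only permits listing and regenerating keys. It assumes you are already logged in as an Owner of that scope; the resource names and the application id are placeholders.

```powershell
# Added example: least-privilege role assignment for the key-rotation principal.
# Placeholders below must be replaced with your own values.
$resourceGroup      = "<resource group>"
$storageAccountName = "<storage account name>"
$appId              = "<application id of the service principal>"

# Resolve the storage account's resource ID so the assignment is scoped to the
# account itself rather than to the resource group or subscription.
$storage = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName
$scope   = $storage.Id

# Built-in role that allows listing and regenerating storage account keys, nothing else.
$roleName = "Storage Account Key Operator Service Role"

# Idempotent: only create the assignment if it is not already there.
$existing = Get-AzureRmRoleAssignment -ServicePrincipalName $appId `
                -RoleDefinitionName $roleName -Scope $scope -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzureRmRoleAssignment -ServicePrincipalName $appId `
        -RoleDefinitionName $roleName -Scope $scope
}

# Check: the principal should hold this one role at this one scope and no
# broader role such as Owner or Contributor on the subscription.
Get-AzureRmRoleAssignment -ServicePrincipalName $appId |
    Select-Object RoleDefinitionName, Scope
```

The final listing is the review step worth keeping in a runbook: a principal whose only job is key rotation should never show a subscription-wide Owner or Contributor assignment, because its credential is itself a secret that can leak.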

It looks like you want a non-interactive way to do that automatically. To access Azure resources in a non-interactive way, your best option currently is to use a service principal (AD App).

An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.

The other reply is for an Azure Automation runbook; you could follow my steps to automate it elsewhere.

1. Create an Azure Active Directory application and create a secret for the app, save the secret and get the values for signing in.

2. Navigate to the storage account (or the subscription in which the storage account is located) in the portal -> Access control (IAM) -> Add -> Add role assignment -> search for your service principal (AD App) by name and add it with a role (e.g. Owner / Contributor) -> Save.

Note: To give the role, you need to use an account which is an Owner of the specific scope (storage account/subscription).

3. Then use the script as below, replacing the specific properties with the values from step 1.

function setupContext(){
    $azureApplicationId ="<application id>"
    $azureTenantId= "<tenant id>"
    $azurePassword = ConvertTo-SecureString "<client secret>" -AsPlainText -Force
    $psCred = New-Object System.Management.Automation.PSCredential($azureApplicationId , $azurePassword)
    # Non-interactive login as the service principal, then persist the context
    Add-AzureRmAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
    Save-AzureRmContext -Path "path\to\json\file"
}

#setupContext
Import-AzureRmContext -Path "path\to\json\file"
$subscriptionId='***********************************'
Select-AzureRmSubscription -SubscriptionId $subscriptionId -WarningAction SilentlyContinue
$resourceGroup="**************"
$storageAccountName="******************"
# Regenerate key2; the result's Keys array holds both key1 and key2, so select key2 by name
$BLOBKey= New-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccountName -KeyName key2
Write-Host "BLOB Key:" ($BLOBKey.Keys | Where-Object KeyName -eq 'key2').Value

Besides, if you want to learn more about service principals, you could take a look at this link: Application and service principal objects in Azure Active Directory.
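Both answers end at "regenerate key2 and print it". The following is an added example, not the answer's own script, that carries the service-principal login through to a rotation function you can schedule: it reads the client secret from an environment variable (the constructed name `AZ_CLIENT_SECRET`) instead of embedding it in the script, regenerates the named key, verifies the value actually changed, and hands the new key back as a SecureString rather than writing it to the console. Resource identifiers and the `Rotate-StorageKey` function name are assumptions for the example.

```powershell
# Added example: scheduled, non-interactive storage key rotation with AzureRM.
# All identifiers below are placeholders for your own values.
$applicationId      = "<application id>"
$tenantId           = "<tenant id>"
$subscriptionId     = "<subscription id>"
$resourceGroup      = "<resource group>"
$storageAccountName = "<storage account name>"

# The client secret comes from the environment (set by the scheduler or a vault
# agent), so the script file itself contains no credential.
if (-not $env:AZ_CLIENT_SECRET) { throw "AZ_CLIENT_SECRET is not set" }
$secret = ConvertTo-SecureString $env:AZ_CLIENT_SECRET -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($applicationId, $secret)

# Log in as the application, not as a user: no interactive prompt, no saved profile to refresh.
Connect-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $tenantId | Out-Null
Select-AzureRmSubscription -SubscriptionId $subscriptionId | Out-Null

function Rotate-StorageKey {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('key1', 'key2')][string]$KeyName
    )

    # Record the current value of the key we are about to regenerate.
    $before = (Get-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $Name |
               Where-Object KeyName -eq $KeyName).Value

    # Regenerate only the requested key; the other key keeps working so clients
    # that are still on it are not cut off.
    $result = New-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroupName `
                  -Name $Name -KeyName $KeyName
    $after  = ($result.Keys | Where-Object KeyName -eq $KeyName).Value

    # Check that the regeneration took effect before anyone relies on it.
    if ([string]::IsNullOrEmpty($after) -or $after -eq $before) {
        throw "Regeneration of $KeyName on $Name did not produce a new key value"
    }

    # Return the key as a SecureString; never Write-Host it into job logs.
    return (ConvertTo-SecureString $after -AsPlainText -Force)
}

# Rotate the key your consumers are NOT currently using, move them to the fresh
# value, and rotate the other key on the next run. Which key is live is tracked
# outside this script (for example as a runbook variable).
$keyToRotate = 'key2'
$newKey = Rotate-StorageKey -ResourceGroupName $resourceGroup -Name $storageAccountName -KeyName $keyToRotate
Write-Host "Rotated $keyToRotate on $storageAccountName; distribute the new value to consumers now."
```

The alternating pattern is the part that makes rotation safe to automate: because `New-AzureRmStorageAccountKey` only invalidates the key you name, regenerating the idle key, switching consumers to it, and regenerating the other key on the following run gives a zero-downtime cycle, and the before/after comparison catches a silent failure (for instance a principal that lacks the regenerate permission) before the stale key is treated as rotated.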
