EZR

Reputation: 73

List all the Key Vaults the Application ID has been granted access to via PowerShell?

Running the below code, I can get all the Application IDs granted access to a particular Key Vault.

$KVName = 'My-Key-Vault-Name'
$KV = Get-AzKeyVault -VaultName $KVName
$accessPolicies = $KV.AccessPolicies
$accessPolicies

Result

Tenant ID                                  : my-tenant-id
Object ID                                  : my-object-id
Application ID                             : my-application-id
Display Name                               : some-fancy-name
Permissions to Keys                        : {Get, List}
Permissions to Secrets                     : {Get, List, Update, Create…}
Permissions to Certificates                : {Get, List, Update, Create…}
Permissions to (Key Vault Managed) Storage : {}

However, I am trying to get the list of all Key Vaults a particular Application ID has been granted access to. Is this achievable via PowerShell?

Any help/hint will be really helpful.

Upvotes: 0

Views: 215

Answers (1)

Sridevi

Reputation: 22352

Initially, fetch the Object ID of the application from the response of your script:

$KVName = 'devikv'
$KV = Get-AzKeyVault -VaultName $KVName
$accessPolicies = $KV.AccessPolicies
$accessPolicies

Response: [screenshot omitted]

To list all the Key Vaults the application has been granted access to by filtering based on the Application Object ID, you can run the below PowerShell script:

$AppObjId = 'e7ceed60-0947-467f-a33a-xxxxxxx'
$KeyVaults = Get-AzKeyVault

foreach ($KV in $KeyVaults) {
    # Get-AzKeyVault without -VaultName returns summary items only, so re-read each vault to get its AccessPolicies
    $AccessPolicies = (Get-AzKeyVault -VaultName $KV.VaultName).AccessPolicies
    foreach ($Policy in $AccessPolicies) {
        # Match the policy entry on the service principal's Object ID
        if ($Policy.ObjectId -eq $AppObjId) {
            Write-Output "Application has access to $($KV.VaultName)"
        }
    }
}

Response: [screenshot omitted]

If you want to list all the Key Vaults the application has been granted access to by filtering based on the Application ID, use the below modified script:

$AppId = 'b4bbcad3-9c6c-441e-b585-xxxxxxx'
$KeyVaults = Get-AzKeyVault

foreach ($KV in $KeyVaults) {
    # Re-read each vault by name so the AccessPolicies property is populated
    $AccessPolicies = (Get-AzKeyVault -VaultName $KV.VaultName).AccessPolicies
    foreach ($Policy in $AccessPolicies) {
        # Match the policy entry on the Application (client) ID instead of the Object ID
        if ($Policy.ApplicationId -eq $AppId) {
            Write-Output "Application has access to $($KV.VaultName)"
        }
    }
}

Upvotes: 0
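The answer's two scripts print only the vault name. For an access review it is usually more useful to also record which permissions the principal holds in each vault, and to flag vaults that use the RBAC permission model, where access policies are ignored and the answer's loop would silently report nothing. The following is an added example written for this page, not code from the question or the answer; it assumes Az.Accounts and Az.KeyVault are installed, that Connect-AzAccount has been run, and that the GUIDs passed in are placeholders. The function name Get-KeyVaultAccessForPrincipal is made up for this example.

```powershell
# Added example: report every Key Vault in the current subscription context where a
# service principal (matched by Application ID and/or Object ID) appears in an access
# policy, together with the permissions granted. Vaults using RBAC authorization are
# reported separately because their access is defined by role assignments, not policies.
function Get-KeyVaultAccessForPrincipal {
    [CmdletBinding()]
    param(
        # Application (client) ID of the service principal, as in the answer's second script
        [string]$ApplicationId,
        # Object ID of the service principal, as in the answer's first script
        [string]$ObjectId
    )

    if (-not $ApplicationId -and -not $ObjectId) {
        throw 'Supply -ApplicationId and/or -ObjectId.'
    }

    # Get-AzKeyVault with no arguments returns summary items without AccessPolicies,
    # so each vault is re-read by name (the same pattern the answer uses).
    foreach ($item in Get-AzKeyVault) {
        $vault = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName

        # RBAC-enabled vaults ignore access policies entirely; emit a row so the vault is
        # not mistaken for "no access" and point at where the real grants live.
        if ($vault.EnableRbacAuthorization) {
            [pscustomobject]@{
                VaultName       = $vault.VaultName
                ResourceGroup   = $vault.ResourceGroupName
                PermissionModel = 'RBAC'
                Keys            = $null
                Secrets         = $null
                Certificates    = $null
                Note            = "Access policies not used; inspect Get-AzRoleAssignment -Scope $($vault.ResourceId)"
            }
            continue
        }

        foreach ($policy in $vault.AccessPolicies) {
            $matchesApp = $ApplicationId -and ($policy.ApplicationId -eq $ApplicationId)
            $matchesObj = $ObjectId -and ($policy.ObjectId -eq $ObjectId)
            if ($matchesApp -or $matchesObj) {
                [pscustomobject]@{
                    VaultName       = $vault.VaultName
                    ResourceGroup   = $vault.ResourceGroupName
                    PermissionModel = 'AccessPolicy'
                    Keys            = ($policy.PermissionsToKeys -join ',')
                    Secrets         = ($policy.PermissionsToSecrets -join ',')
                    Certificates    = ($policy.PermissionsToCertificates -join ',')
                    Note            = ''
                }
            }
        }
    }
}

# Usage with placeholder IDs; replace with the values from the question's first script.
Get-KeyVaultAccessForPrincipal -ApplicationId '00000000-0000-0000-0000-000000000000' |
    Format-Table -AutoSize
```

Get-AzKeyVault only enumerates vaults in the current subscription context, so to cover a whole tenant, loop over Get-AzSubscription and call Set-AzContext before invoking the function for each one. Returning objects rather than Write-Output strings lets the result be piped to Export-Csv or compared against an expected baseline when reviewing what a given application can read.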
