Cmdlets

Choose a cmdlet from the list on the left or search for a specific cmdlet. Choose a cmdlet from the list or search for a specific cmdlet.
About Help  Providers
 

Set-AzureKeyVaultAccessPolicy

Set-AzureKeyVaultAccessPolicy

microsoft.azure.commands.keyvault.dll

Synopsis

Grants or modifies existing permissions for a user or application to perform operations with the Azure Key Vault.

Syntax

Set-AzureKeyVaultAccessPolicy [-VaultName] [-ResourceGroupName] [-EnabledForDeployment] [-PassThru] [-PermissionsToKeys] [-PermissionsToSecrets] [-Profile] [-ObjectId] [<CommonParameters>]

Set-AzureKeyVaultAccessPolicy [-VaultName] [-ResourceGroupName] [-EnabledForDeployment] [-PassThru] [-PermissionsToKeys] [-PermissionsToSecrets] [-Profile] [-ServicePrincipalName] [<CommonParameters>]

Set-AzureKeyVaultAccessPolicy [-VaultName] [-ResourceGroupName] [-EnabledForDeployment] [-PassThru] [-PermissionsToKeys] [-PermissionsToSecrets] [-Profile] [-UserPrincipalName] [<CommonParameters>]

Set-AzureKeyVaultAccessPolicy [-VaultName] [-ResourceGroupName] [-PassThru] [-Profile] [-EnabledForDeployment] [<CommonParameters>]

Detailed Description

The Set-AzureKeyVaultAccessPolicy cmdlet grants or modifies existing permissions for a user or application to perform the specified operations with the Azure Key Vault. It does not modify the permissions that other users or applications have on the key vault.

The following directories must all be the same Azure directory: -- The Azure directory in which the key vault owner's user account resides. -- The default directory of the Azure subscription in which the key vault resides. -- The Azure directory in which the application service principal is registered.

Examples of scenarios when these conditions are not met and this cmdlet will not work are: -- Authorizing a user from a different organization to manage your key vault. Each organization has its own directory. -- Your Azure account has multiple directories. If you register an application in a directory other than the default directory, you will not be able to authorize that application to use your key vaults. The application must be in the default directory.

Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance.

Parameters

-EnabledForDeployment <SwitchParameter>

Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.

Aliases

none

Required?

false

Position

named

Default value

none

Accept pipeline input?

true(ByPropertyName)

Accept wildcard characters?

false

-ObjectId <Guid>

Specifies the object ID of the user or service principal in Azure Active Directory for which to grant permissions.

Aliases

none

Required?

true

Position

named

Default value

none

Accept pipeline input?

true(ByPropertyName)

Accept wildcard characters?

false

-PassThru <SwitchParameter>

Indicates that this cmdlet returns the updated key vault object. By default, this cmdlet does not generate any output.

Aliases

none

Required?

false

Position

named

Default value

none

Accept pipeline input?

false

Accept wildcard characters?

false

-PermissionsToKeys <System.String[]>

Specifies an array of key operation permissions to grant to a user or service principal. The acceptable values for this parameter are: -- Decrypt -- Encrypt -- UnwrapKey -- WrapKey -- Verify -- Sign -- Get -- List -- Update -- Create -- Import -- Delete -- Backup -- Restore -- All

Aliases

none

Required?

false

Position

named

Default value

none

Accept pipeline input?

true(ByPropertyName)

Accept wildcard characters?

false

-PermissionsToSecrets <System.String[]>

Specifies an array of secret operation permissions to grant to a user or service principal. The acceptable values for this parameter are: -- Get -- List -- Set -- Delete -- All

Aliases

none

Required?

false

Position

named

Default value

none

Accept pipeline input?

true(ByPropertyName)

Accept wildcard characters?

false

-Profile <Microsoft.Azure.Common.Authentication.Models.AzureProfile>

Specifies the Azure profile from which this cmdlet reads. If you do not specify a profile, this cmdlet reads from the local default profile.

Aliases

none

Required?

false

Position

named

Default value

none

Accept pipeline input?

false

Accept wildcard characters?

false

-ResourceGroupName <System.String>

Specifies the name of the resource group associated with the key vault whose access policy is being modified. If not specified, this cmdlet searches for the key vault in the current subscription.

Aliases

none

Required?

false

Position

2

Default value

none

Accept pipeline input?

true(ByPropertyName)

Accept wildcard characters?

false

-ServicePrincipalName <String>

Specifies the service principal name of the application to which to grant permissions. Specify the application ID, also known as client ID, registered for the application in Azure Active Directory. The application with the service principal name that this parameter specifies must be registered in the Azure directory that contains your current subscription or the subscription specified by the SubscriptionName parameter, if that parameter is specified.

Aliases

SPN

Required?

true

Position

named

Default value

none

Accept pipeline input?

true(ByPropertyName)

Accept wildcard characters?

false

-UserPrincipalName <String>

Specifies the user principal name of the user to whom to grant permissions. This user principal name must exist in the directory associated with the current subscription or in the subscription specified by the SubscriptionName parameter, if that parameter is specified.

Aliases

none

Required?

true

Position

named

Default value

none

Accept pipeline input?

true(ByPropertyName)

Accept wildcard characters?

false

-VaultName <String>

Specifies the name of a key vault. This cmdlet modifies the access policy for the key vault that this parameter specifies.

Aliases

none

Required?

true

Position

1

Default value

none

Accept pipeline input?

true(ByPropertyName)

Accept wildcard characters?

false

Input Type

String, Guid, String[], Switch

Return Type

Microsoft.Azure.Commands.KeyVault.Models.PSVault

Notes

None

Examples

Example 1: Grant permissions to a user for a key vault and modify the permissions

The first command grants permissions for a user in your Azure Active Directory, PattiFuller@contoso.com, to perform operations on keys and secrets with a key vault named Contoso03Vault.

The second command modifies the permissions that were granted to PattiFuller@contoso.com in the first command, to now allow getting secrets in addition to setting and deleting them. The permissions to key operations remain unchanged after this command. The PassThru parameter results in the updated key vault object being returned by the cmdlet.

The final command further modifies the existing permissions for PattiFuller@contoso.com to remove all permissions to key operations. The permissions to secret operations remain unchanged after this command. The PassThru parameter results in the updated key vault object being returned by the cmdlet.

PS C:\>Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -UserPrincipalName "PattiFuller@contoso.com" -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete
PS C:\> Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -UserPrincipalName "PattiFuller@contoso.com" -PermissionsToSecrets set,delete,get -PassThru
PS C:\> Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -UserPrincipalName "PattiFuller@contoso.com" -PermissionsToKeys @() -PassThru

Example 2: Grant permissions for an application service principal to read and write secrets

This command grants permissions for an application for a vault named Contoso03Vault. The ServicePrincipalName parameter specifies the application. The application must be registered in your Azure Active Directory. The value of the ServicePrincipalName parameter must be either the service principal name of the application or the application ID GUID. This example specifies the service principal name http://payroll.contoso.com, and the command grants the application permissions to read and write secrets.

PS C:\>Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -ServicePrincipalName "http://payroll.contoso.com" -PermissionsToSecrets "get,set"

Example 3: Grant permissions for an application using its object ID

This command grants the application permissions to read and write secrets. This example specifies the application using the object ID of the service principal of the application.

PS C:\>Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets "get,set"

Example 4: Enable secrets to be retrieved from a vault by the Microsoft.Compute resource provider

This command grants the permissions for secrets to be retrieved from the Contoso03Vault vault by the Microsoft.Compute resource provider.

PS C:\>Set-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" –ResourceGroupName "Group14" -EnabledForDeployment

Online Version
Remove-AzureKeyVaultAccessPolicy