Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1
<#PSScriptInfo
.VERSION 1.0.1
.GUID 211599f3-ffaa-45fd-addd-6cce7da91f80
.AUTHOR Automation Team
.COMPANYNAME
.COPYRIGHT
.TAGS AzureAutomation
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
.PRIVATEDATA
#>
<#
.DESCRIPTION
This script adds the "Reader" role assignment to an Automation RunAs Account for the specified Key Vault.
If your RunAs account is configured with a custom role assignment, it may not have access to any of your Key Vault instances.
The "Reader" role only covers the vault as an Azure resource; it does not by itself grant access to the vault's contents.
For that reason the script also adds a Key Vault access policy that gives the RunAs account "get" and "list" permissions
on keys and secrets. That access policy is what allows runbooks authenticating with this RunAs account to read keys and
secrets from the specified Key Vault. No certificate or write/delete/purge permissions are granted.
#>
<#
.SYNOPSIS
This script adds the Reader role and a get/list key-and-secret access policy to an Automation RunAs Account for the specified Key Vault.
.PREREQUISITES
To run this script, your PowerShell console has to be connected to Azure. Use Login-AzureRmAccount to log in
(or Connect-AzAccount when running with the Az modules and -UseAzModules).
To run this script, you will need write permissions on role definitions and role assignments for all provided subscriptions,
and permission to modify the access policies of the specified Key Vault (the script calls Set-AzureRmKeyVaultAccessPolicy).
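.USAGE
    .\Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1 `
        -SubscriptionId <SubscriptionId> `
        -AutomationAccountResourceGroupName <AutomationAccountResourceGroupName> `
        -AutomationAccountName <AutomationAccountName> `
        -KeyVaultResourceGroupName <KeyVaultResourceGroupName> `
        -KeyVaultName <KeyVaultName>
.NOTES
    LASTEDIT: June 26, 2019
#>
Param (
    [Parameter(Mandatory = $true)]
    [String] $SubscriptionId,

    [Parameter(Mandatory = $true)]
    [String] $AutomationAccountResourceGroupName,

    [Parameter(Mandatory = $true)]
    [String] $AutomationAccountName,

    [Parameter(Mandatory = $true)]
    [String] $KeyVaultResourceGroupName,

    [Parameter(Mandatory = $true)]
    [String] $KeyVaultName,

    # When $true the AzureRm cmdlet names used below are mapped onto the Az modules.
    [Parameter(Mandatory = $false)]
    [bool] $UseAzModules = $false
)

# Reads the "AzureRunAsConnection" connection asset of the given Automation account and
# returns the AAD application (client) ID stored in its 'ApplicationId' field as a [GUID].
# Returns $null when the asset cannot be read; the caller is responsible for reporting that.
function GetRunAsAccountAADApplicationId([string] $resourceGroupName, [string] $automationAccountName) {
    $connectionAssetName = "AzureRunAsConnection"
    $connection = Get-AzureRmAutomationConnection `
        -Name $connectionAssetName `
        -ResourceGroupName $resourceGroupName `
        -AutomationAccountName $automationAccountName `
        -ErrorAction SilentlyContinue   # a missing asset is reported by the caller, not here

    $applicationId = $null
    if ($connection) {
        [GUID]$applicationId = $connection.FieldDefinitionValues['ApplicationId']
        Write-Host ("A RunAs account is present, and its ApplicationId is: " + $applicationId)
    }
    return $applicationId
}

# Main code starting here ...
if ($UseAzModules) {
    # NOTE(review): -Scope CurrentUser is expected to persist the AzureRm aliases for this
    # user beyond this run; use -Scope Process if only this session should see them (confirm).
    Enable-AzureRmAlias -Scope CurrentUser
}

# Fail here rather than continue against whatever subscription the console happens to be in.
Select-AzureRmSubscription -SubscriptionId $SubscriptionId -ErrorAction Stop

$runAsApplicationId = GetRunAsAccountAADApplicationId `
    -resourceGroupName $AutomationAccountResourceGroupName `
    -automationAccountName $AutomationAccountName

if (-not $runAsApplicationId) {
    # Previously a missing RunAs connection made the script a silent no-op; make it visible.
    Write-Error ("No '{0}' connection asset found in Automation account '{1}' (resource group '{2}'); nothing was changed." `
        -f "AzureRunAsConnection", $AutomationAccountName, $AutomationAccountResourceGroupName)
    exit 1
}

# The 'Reader' role is assigned at the scope of the vault resource only. It lets the RunAs
# principal see the vault as an Azure resource; the key/secret read access runbooks need is
# granted separately by the access policy set further down. Change $roleDefinitionName if a
# different ARM role (for example 'Contributor') is required.
$roleDefinitionName = "Reader"
$existingAssignment = Get-AzureRmRoleAssignment `
    -ServicePrincipalName $runAsApplicationId `
    -RoleDefinitionName $roleDefinitionName `
    -ResourceGroupName $KeyVaultResourceGroupName `
    -ResourceType "Microsoft.KeyVault/vaults" `
    -ResourceName $KeyVaultName `
    -ErrorAction Stop

if (-not $existingAssignment) {
    $newAssignment = New-AzureRmRoleAssignment `
        -RoleDefinitionName $roleDefinitionName `
        -ApplicationId $runAsApplicationId `
        -ResourceGroupName $KeyVaultResourceGroupName `
        -ResourceType "Microsoft.KeyVault/vaults" `
        -ResourceName $KeyVaultName `
        -ErrorAction Stop
    Write-Host "Created new role assignment: " $newAssignment
} else {
    Write-Host "Role assignment already exists: " $existingAssignment
}

# Data-plane permissions: only 'get' and 'list' on keys and secrets are granted (no certificate,
# write, delete or purge permissions). Widen this only if a runbook actually needs more.
# See https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurermkeyvaultaccesspolicy
# NOTE(review): this cmdlet is expected to replace the principal's existing key/secret
# permission set on the vault with the one given here — confirm before relying on
# permissions granted to the same principal elsewhere.
# The parameter names below were mis-encoded ("\xefVaultName", "\xefPermissionsToSecrets")
# in the previous revision, which made the script fail to parse.
Set-AzureRmKeyVaultAccessPolicy `
    -ServicePrincipalName $runAsApplicationId `
    -ResourceGroupName $KeyVaultResourceGroupName `
    -VaultName $KeyVaultName `
    -PermissionsToKeys get,list `
    -PermissionsToSecrets get,list `
    -ErrorAction Stop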