Skip to content

Instantly share code, notes, and snippets.

@deinarson

deinarson/AzCLI_PythonKeyVault.sh

Last active December 13, 2018 18:19
Show Gist options
  • Save deinarson/5bc34f104a5950412ecc22230fc27575 to your computer and use it in GitHub Desktop.
Save deinarson/5bc34f104a5950412ecc22230fc27575 to your computer and use it in GitHub Desktop.
Download ZIP
Azure's web portal is a punishment to use. This is me trying to not use it - but even then this does not work. I cant wait for microsoft to make thier examples work. If I can type this then I am sure they can find someone to place something like this in a doc.
Raw
AzCLI_PythonKeyVault.sh
#!/bin/bash
# This is meant to be use with a modified version of this
# https://github.com/Azure-Samples/app-service-msi-keyvault-python
API_KEYNAME=
API_TOKEN=
vault_name=
vault_rg=
vault_rg_location=
web_app_name=
export AZURE_CLIENT_ID=
export AZURE_CLIENT_SECRET=
export AZURE_CLIENT_SECRET_NAME=
export KEY_VAULT_URI=
export AZURE_TENANT_ID=$(az account show --query=tenantId | tr -d \" )
export AZURE_SUBSCRIPTION_ID=$(az account show --query=id| tr -d \" )
export KEY_VAULT_URI="https://${vault_name}.vault.azure.net"
# Create a RG to make it easy to clean up after ( using az group delete -n "${vault_rg}" )
az group create --name "${vault_rg}" --location "${vault_rg_location}"
az appservice plan create --name "${web_app_name}"-sp --resource-group "${vault_rg}" --sku B1 --is-linux
az webapp create --resource-group "${vault_rg}" --plan "${web_app_name}"-sp --name "${web_app_name}" --runtime "PYTHON|3.7" --deployment-local-git
az webapp identity assign --name "${web_app_name}" --resource-group "${vault_rg}"
# Create vault and secrets
az provider register -n Microsoft.KeyVault
az keyvault create --name "${vault_name}" --resource-group "${vault_rg}" --location "${vault_rg_location}"
az keyvault secret set --vault-name "${vault_name}" --name "${AZURE_CLIENT_SECRET}" --value "${AZURE_CLIENT_SECRET_NAME}"
az keyvault secret set --vault-name "${vault_name}" --name "${API_KEYNAME}" --value "${API_TOKEN}"
az keyvault secret list --vault-name "${vault_name}"
# give app acess to secret : create an sp rbac
az ad sp create-for-rbac -n "${web_app_name}" --password "${AZURE_CLIENT_SECRET}" --skip-assignment
# Get the sp appId
export AZURE_CLIENT_ID=$(az ad sp list | grep -v 'In a' | jq ".[] | select( .appDisplayName == \"${web_app_name}\" ) .appId" | tr -d \" )
# set key policy
az keyvault set-policy --name "${vault_name}" --spn "${AZURE_CLIENT_ID}" --key-permissions decrypt sign
az keyvault set-policy --name "${vault_name}" --spn "${AZURE_CLIENT_ID}" --secret-permissions get
# THIS ADDS ALL OF THE VARIAB
# We only really need KEY_VAULT_URI
for kv in "AZURE_CLIENT_ID=${AZURE_CLIENT_ID}" \
"AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}" \
"AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}" \
"KEY_VAULT_URI=${KEY_VAULT_URI}" \
"AZURE_TENANT_ID=${AZURE_TENANT_ID}"
do
az webapp config appsettings set -g "${vault_rg}" -n "${web_app_name}" --settings $kv
done
echo CONFIRMING all worked
az webapp config appsettings list -g "${vault_rg}" -n "${web_app_name}"
# watch logs to see what is happening
az webapp log tail --name ${web_app_name} --resource-group ${vault_rg}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment