From de03e1a08c8afb4d80a8e09e46956352b1b1a93a Mon Sep 17 00:00:00 2001
From: Maor Leger
Date: Fri, 19 Nov 2021 11:37:09 -0800
Subject: [PATCH] [KeyVault] - Use RBAC for permissions
---
 sdk/keyvault/test-resources.json | 59 +++++++-------------------------
 1 file changed, 13 insertions(+), 46 deletions(-)
diff --git a/sdk/keyvault/test-resources.json b/sdk/keyvault/test-resources.json
index cf74623e79ec..90d2730188e2 100644
--- a/sdk/keyvault/test-resources.json
+++ b/sdk/keyvault/test-resources.json
@@ -82,6 +82,8 @@
 "mgmtApiVersion": "2019-04-01",
 "blobContainerName": "hsmbackups",
 "primaryAccountName": "[concat(replace(parameters('baseName'), '-', ''), 'prim')]",
+ "kvAdminDefinitionId": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
+ "kvAdminAssignmentName": "[guid(resourceGroup().id, variables('kvAdminDefinitionId'), parameters('testApplicationOid'))]",
 "encryption": {
 "services": {
 "blob": {
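Review bot: The value on the added `kvAdminDefinitionId` line is a bare GUID with nothing in the template saying which role it grants; it is the id of the built-in Key Vault Administrator role, which carries full data-plane rights (keys, secrets, certificates, including purge) on every vault within the assignment's scope. Strict JSON leaves no room for a comment, so the variable name is the only place to carry that meaning; a name such as `"keyVaultAdministratorRoleDefinitionId"` would make the privilege level visible wherever it is read, both on the `kvAdminAssignmentName` line here and on the `roleDefinitionId` line in the next hunk. The surrounding `variables` object starts and ends outside this hunk.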
@@ -117,59 +119,24 @@
 "name": "[parameters('keyVaultSku')]"
 },
 "tenantId": "[parameters('tenantId')]",
- "accessPolicies": [
- {
- "tenantId": "[parameters('tenantId')]",
- "objectId": "[parameters('testApplicationOid')]",
- "permissions": {
- "keys": [
- "get",
- "list",
- "update",
- "create",
- "import",
- "delete",
- "recover",
- "backup",
- "restore",
- "decrypt",
- "encrypt",
- "unwrapKey",
- "wrapKey",
- "verify",
- "sign",
- "purge",
- "rotate"
- ],
- "secrets": ["get", "list", "set", "delete", "recover", "backup", "restore", "purge"],
- "certificates": [
- "get",
- "list",
- "update",
- "create",
- "import",
- "delete",
- "recover",
- "backup",
- "restore",
- "managecontacts",
- "manageissuers",
- "getissuers",
- "listissuers",
- "setissuers",
- "deleteissuers",
- "purge"
- ]
- }
- }
- ],
 "enabledForDeployment": false,
 "enabledForDiskEncryption": false,
 "enabledForTemplateDeployment": false,
 "enableSoftDelete": true,
+ "enableRbacAuthorization": true,
 "softDeleteRetentionInDays": 7
 }
 },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2020-04-01-preview",
+ "name": "[variables('kvAdminAssignmentName')]",
+ "properties": {
+ "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', variables('kvAdminDefinitionId'))]",
+ "principalId": "[parameters('testApplicationOid')]",
+ "scope": "[resourceGroup().id]"
+ }
+ },
 {
 "type": "Microsoft.KeyVault/managedHSMs",
 "apiVersion": "[variables('hsmApiVersion')]",
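Review bot: The new role assignment is scoped to the whole resource group (`"scope": "[resourceGroup().id]"`), which is broader than the vault-bound access policy it replaces: the test principal becomes Key Vault Administrator on every vault in the group, including any created later by other resources in this template. Least privilege would scope the assignment to the vault it is meant for, `"scope": "[resourceId('Microsoft.KeyVault/vaults', <vault-name-expression>)]"` plus a `dependsOn` on the vault resource; the vault's name expression is not visible in this hunk, and the `guid(...)` seed in `kvAdminAssignmentName` would then sensibly take the vault id rather than `resourceGroup().id`. If `testApplicationOid` can refer to a service principal created shortly before deployment, adding `"principalType": "ServicePrincipal"` to `properties` avoids the assignment failing on directory replication delay; apiVersion 2020-04-01-preview supports that property. The `resources` array this hunk edits starts and ends outside the hunk.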