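#!/bin/bash
# Grant Key Vault Access - For Admin to Run
# This script grants Key Vault access to App Service Managed Identities
# Run this script as a user with "User Access Administrator" or "Owner" role
#
# Every configuration value below can be overridden from the environment
# (e.g. KEY_VAULT_NAME=other-kv ./script.sh); the defaults are the
# original hard-coded names, so existing invocations behave as before.
#
# Exit status: 0 when the backend assignment succeeded (frontend is
# best-effort), non-zero on any unrecoverable az failure.
set -euo pipefail

# Configuration
KEY_VAULT_NAME="${KEY_VAULT_NAME:-zdl-cmdb-insight-prd-kv}"
RESOURCE_GROUP="${RESOURCE_GROUP:-zdl-cmdb-insight-prd-euwe-rg}"
BACKEND_APP_NAME="${BACKEND_APP_NAME:-zdl-cmdb-insight-prd-backend-webapp}"
FRONTEND_APP_NAME="${FRONTEND_APP_NAME:-zdl-cmdb-insight-prd-frontend-webapp}"
# Least-privilege built-in role: read secret values only, no management-plane rights.
readonly KV_ROLE="Key Vault Secrets User"

#######################################
# Look up the managed-identity principal of a Web App.
# Arguments: $1 - web app name
# Outputs:   principalId on stdout (empty when no identity is assigned)
# Returns:   az exit status
#######################################
lookup_principal_id() {
  local app_name=$1
  az webapp identity show \
    --name "$app_name" \
    --resource-group "$RESOURCE_GROUP" \
    --query principalId -o tsv
}

#######################################
# Assign the Key Vault Secrets User role to a principal at vault scope.
# Globals:   KV_ID (read), KV_ROLE (read)
# Arguments: $1 - human label used in messages ("Backend"/"Frontend")
#            $2 - object id of the managed identity
# Returns:   az exit status (script aborts via set -e on failure)
#######################################
grant_secrets_user() {
  local label=$1
  local principal_id=$2
  echo "🔓 Granting 'Key Vault Secrets User' role to ${label}..."
  # --assignee-object-id plus an explicit principal type skips the Graph
  # lookup that a bare --assignee performs; that lookup can fail right after
  # the identity is created, before directory replication has caught up.
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$KV_ROLE" \
    --scope "$KV_ID" \
    --output none
  echo "✅ ${label} access granted"
  echo ""
}

echo "🔐 Granting Key Vault Access to App Services..."
echo ""

# Get Key Vault Resource ID
echo "📋 Getting Key Vault Resource ID..."
KV_ID=$(az keyvault show --name "$KEY_VAULT_NAME" --query id -o tsv)
if [ -z "$KV_ID" ]; then
  echo "❌ Failed to resolve Key Vault '$KEY_VAULT_NAME'." >&2
  exit 1
fi
echo " Key Vault ID: $KV_ID"
echo ""

# A role assignment only takes effect when the vault uses the Azure RBAC
# permission model; under the legacy access-policy model it is silently
# ignored, so warn rather than report a success that grants nothing.
RBAC_ENABLED=$(az keyvault show --name "$KEY_VAULT_NAME" \
  --query properties.enableRbacAuthorization -o tsv) || RBAC_ENABLED=""
if [ "$RBAC_ENABLED" != "true" ]; then
  echo "⚠️ Warning: Key Vault '$KEY_VAULT_NAME' does not report RBAC authorization enabled; role assignments will not grant access under the access-policy model." >&2
fi

# Get Backend Principal ID
echo "🔑 Getting Backend Principal ID..."
# Capture a failing az call explicitly: under set -e it would otherwise
# abort before the diagnostic below is printed.
BACKEND_PRINCIPAL_ID=$(lookup_principal_id "$BACKEND_APP_NAME") || BACKEND_PRINCIPAL_ID=""
if [ -z "$BACKEND_PRINCIPAL_ID" ]; then
  echo "❌ Failed to get Backend Principal ID. Is Managed Identity enabled?" >&2
  exit 1
fi
echo " Backend Principal ID: $BACKEND_PRINCIPAL_ID"
echo ""

# Get Frontend Principal ID (best-effort)
echo "🔑 Getting Frontend Principal ID..."
# Same guard as above; without it the "skip frontend" branch is unreachable
# whenever az exits non-zero, because set -e terminates the script first.
FRONTEND_PRINCIPAL_ID=$(lookup_principal_id "$FRONTEND_APP_NAME" 2>/dev/null) || FRONTEND_PRINCIPAL_ID=""
if [ -z "$FRONTEND_PRINCIPAL_ID" ]; then
  echo "⚠️ Warning: Could not get Frontend Principal ID. Skipping frontend." >&2
else
  echo " Frontend Principal ID: $FRONTEND_PRINCIPAL_ID"
  echo ""
fi

# Grant Key Vault Secrets User role to Backend
grant_secrets_user "Backend" "$BACKEND_PRINCIPAL_ID"

# Grant Key Vault Secrets User role to Frontend (if available)
if [ -n "$FRONTEND_PRINCIPAL_ID" ]; then
  grant_secrets_user "Frontend" "$FRONTEND_PRINCIPAL_ID"
fi

echo "✅ Key Vault access configured successfully!"
echo ""
echo "📋 Summary:"
echo " Key Vault: $KEY_VAULT_NAME"
echo " Backend App: $BACKEND_APP_NAME"
echo " Backend Principal ID: $BACKEND_PRINCIPAL_ID"
if [ -n "$FRONTEND_PRINCIPAL_ID" ]; then
  echo " Frontend App: $FRONTEND_APP_NAME"
  echo " Frontend Principal ID: $FRONTEND_PRINCIPAL_ID"
fi
echo ""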