# Key Vault Access Request - For Administrators

## 📋 Request Information

- **Requested by:** adm_bhausmans@zuyderland.nl
- **Date:** $(date +%Y-%m-%d)
- **Purpose:** Grant App Services access to Key Vault for CMDB Insight deployment

## 🔐 Key Vault Details

- **Key Vault Name:** `zdl-cmdb-insight-prd-kv`
- **Resource Group:** `zdl-cmdb-insight-prd-euwe-rg`
- **Key Vault ID:** `/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv`

## 🎯 Required Access

- **Role:** `Key Vault Secrets User`
- **Scope:** Key Vault resource
- **Purpose:** Allow App Services to read secrets from Key Vault

## 📱 App Service Principal IDs

### Backend Web App

- **App Name:** `zdl-cmdb-insight-prd-backend-webapp`
- **Principal ID:** `6bd8373f-f734-4d21-84f2-776fd11b17ae`

### Frontend Web App

- **App Name:** `zdl-cmdb-insight-prd-frontend-webapp`
- **Principal ID:** *(Get with command below)*

## 🚀 Commands for Administrator

### Option 1: Use the Script (Recommended)

```bash
cd /path/to/cmdb-insight
./scripts/grant-keyvault-access-admin.sh
```

### Option 2: Manual Commands

```bash
# Get Key Vault Resource ID
KV_ID=$(az keyvault show \
  --name zdl-cmdb-insight-prd-kv \
  --query id -o tsv)

# Get Frontend Principal ID (if needed).
# An empty result means the frontend web app has no system-assigned identity yet;
# enable one first with `az webapp identity assign` before granting access.
FRONTEND_PRINCIPAL_ID=$(az webapp identity show \
  --name zdl-cmdb-insight-prd-frontend-webapp \
  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --query principalId -o tsv)

# Grant access to Backend
az role assignment create \
  --assignee "6bd8373f-f734-4d21-84f2-776fd11b17ae" \
  --role "Key Vault Secrets User" \
  --scope "$KV_ID"

# Grant access to Frontend (if needed)
az role assignment create \
  --assignee "$FRONTEND_PRINCIPAL_ID" \
  --role "Key Vault Secrets User" \
  --scope "$KV_ID"
```

### Option 3: Via Azure Portal

1. Navigate to Key Vault: `zdl-cmdb-insight-prd-kv`
2. Go to **Access control (IAM)**
3. Click **Add** → **Add role assignment**
4. Select role: **Key Vault Secrets User**
5. Assign access to: **Managed identity**
6. Select members:
   - Backend: `zdl-cmdb-insight-prd-backend-webapp`
   - Frontend: `zdl-cmdb-insight-prd-frontend-webapp`
7. Click **Review + assign**

## ✅ Verification

After granting access, verify with the command below (it filters on the backend principal ID; substitute the frontend principal ID to check the frontend app):

```bash
# Check role assignments
az role assignment list \
  --scope "/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv" \
  --query "[?principalId=='6bd8373f-f734-4d21-84f2-776fd11b17ae']" \
  --output table
```

## 📝 Notes

- Key Vault uses **RBAC authorization** (not access policies)
- The role "Key Vault Secrets User" only allows reading secrets (not writing/deleting)
- This is the recommended approach for production deployments
- Access is granted via Managed Identity (no credentials stored)

## 🔗 Related Documentation

- `docs/AZURE-APP-SERVICE-DEPLOYMENT.md` - Complete deployment guide
- `scripts/grant-keyvault-access-admin.sh` - Automated script for admins
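The verification command confirms that an assignment exists, but a reviewer also wants to confirm least privilege: each web app identity holds exactly "Key Vault Secrets User", scoped to this vault and not to the resource group or subscription. The script below is an added example (not part of this request or the project's `scripts/`): it audits the JSON from `az role assignment list --scope "$KV_ID" --include-inherited -o json`; the embedded sample is constructed, and the frontend principal ID in it is a placeholder.

```python
import json
import sys

KV_SCOPE = ("/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474"
            "/resourceGroups/zdl-cmdb-insight-prd-euwe-rg"
            "/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv")
RG_SCOPE = KV_SCOPE.split("/providers/")[0]   # resource-group scope above the vault
EXPECTED_ROLE = "Key Vault Secrets User"
# Backend principal ID comes from the request; the frontend ID is a constructed
# placeholder (replace it with the output of `az webapp identity show`).
EXPECTED_PRINCIPALS = {
    "6bd8373f-f734-4d21-84f2-776fd11b17ae": "backend",
    "00000000-0000-0000-0000-000000000000": "frontend",
}


def check_assignments(assignments, expected=EXPECTED_PRINCIPALS, scope=KV_SCOPE):
    """Audit parsed `az role assignment list -o json` output.

    Returns a list of findings; an empty list means every expected principal
    holds exactly the Secrets User role at vault scope and nothing broader.
    """
    findings, satisfied = [], set()
    for a in assignments:
        pid = a.get("principalId")
        if pid not in expected:          # other principals are out of scope here
            continue
        label, role, a_scope = expected[pid], a.get("roleDefinitionName"), a.get("scope", "")
        if role != EXPECTED_ROLE:
            findings.append(f"{label}: unexpected role '{role}' (want '{EXPECTED_ROLE}')")
        elif a_scope.lower() != scope.lower():
            # Secrets User at RG or subscription scope reaches every vault below it
            findings.append(f"{label}: '{role}' granted at broader scope {a_scope}")
        else:
            satisfied.add(pid)
    for pid, label in expected.items():
        if pid not in satisfied:
            findings.append(f"{label}: no '{EXPECTED_ROLE}' assignment at vault scope")
    return findings


# Constructed sample with the fields the CLI emits; the second entry is deliberately wrong.
SAMPLE = [
    {"principalId": "6bd8373f-f734-4d21-84f2-776fd11b17ae", "principalType": "ServicePrincipal",
     "roleDefinitionName": EXPECTED_ROLE, "scope": KV_SCOPE},
    {"principalId": "00000000-0000-0000-0000-000000000000", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Administrator", "scope": RG_SCOPE},
]

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)   # pipe real CLI output in
    for line in check_assignments(data) or ["OK: least privilege holds"]:
        print(line)
```

Pipe the real output in with `az role assignment list --scope "$KV_ID" --include-inherited -o json | python3 audit.py`.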