cmdb-insight/docs/KEY-VAULT-ACCESS-REQUEST.md
Bert Hausmans b8d7e7a229 Fix logger for Azure App Service and update deployment docs
- Fix logger to handle Azure App Service write restrictions
- Skip file logging in Azure App Service (console logs captured automatically)
- Add deployment scripts for App Service setup
- Update documentation with correct resource names
- Add Key Vault access request documentation
- Add alternative authentication methods for ACR and Key Vault
2026-01-22 00:51:53 +01:00


Key Vault Access Request - For Administrators

📋 Request Information

Requested by: adm_bhausmans@zuyderland.nl
Date: $(date +%Y-%m-%d)
Purpose: Grant App Services access to Key Vault for CMDB Insight deployment

🔐 Key Vault Details

  • Key Vault Name: zdl-cmdb-insight-prd-kv
  • Resource Group: zdl-cmdb-insight-prd-euwe-rg
  • Key Vault ID: /subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv

🎯 Required Access

Role: Key Vault Secrets User
Scope: Key Vault resource
Purpose: Allow App Services to read secrets from Key Vault

📱 App Service Principal IDs

Backend Web App

  • App Name: zdl-cmdb-insight-prd-backend-webapp
  • Principal ID: 6bd8373f-f734-4d21-84f2-776fd11b17ae

Frontend Web App

  • App Name: zdl-cmdb-insight-prd-frontend-webapp
  • Principal ID: (Get with command below)

🚀 Commands for Administrator

Option 1: Automated Script

cd /path/to/cmdb-insight
./scripts/grant-keyvault-access-admin.sh

Option 2: Manual Commands

# Get Key Vault Resource ID
KV_ID=$(az keyvault show \
  --name zdl-cmdb-insight-prd-kv \
  --query id -o tsv)

# Get Frontend Principal ID (if needed)
FRONTEND_PRINCIPAL_ID=$(az webapp identity show \
  --name zdl-cmdb-insight-prd-frontend-webapp \
  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --query principalId -o tsv)

# Grant access to Backend
az role assignment create \
  --assignee "6bd8373f-f734-4d21-84f2-776fd11b17ae" \
  --role "Key Vault Secrets User" \
  --scope "$KV_ID"

# Grant access to Frontend (if needed)
# Quoted so that an empty principal ID fails visibly instead of shifting arguments
az role assignment create \
  --assignee "$FRONTEND_PRINCIPAL_ID" \
  --role "Key Vault Secrets User" \
  --scope "$KV_ID"

Option 3: Via Azure Portal

  1. Navigate to Key Vault: zdl-cmdb-insight-prd-kv
  2. Go to Access control (IAM)
  3. Click Add → Add role assignment
  4. Select role: Key Vault Secrets User
  5. Assign access to: Managed identity
  6. Select members:
    • Backend: zdl-cmdb-insight-prd-backend-webapp
    • Frontend: zdl-cmdb-insight-prd-frontend-webapp
  7. Click Review + assign

Verification

After granting access, verify with:

# Check role assignments
az role assignment list \
  --scope "/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv" \
  --query "[?principalId=='6bd8373f-f734-4d21-84f2-776fd11b17ae']" \
  --output table
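
A stricter form of the check above, as an added example that is not part of the repository: it audits an exported assignment list for both identities and fails if one is missing the role, holds it at a broader scope, or holds a different role on the vault. The function name `audit_kv_assignments`, the finding labels and every ID in the sample are constructed for illustration; the input is assumed to be the TSV export shown in the first comment.

```shell
#!/bin/sh
# Added example (not from the repository). Audits role assignments exported with:
#   az role assignment list --scope "$KV_ID" --include-inherited \
#     --query "[].[principalId,roleDefinitionName,scope]" -o tsv
# Each input row: principalId <TAB> roleDefinitionName <TAB> scope

ROLE="Key Vault Secrets User"

# audit_kv_assignments <vault-id> <principal-id>...
# Reads TSV rows on stdin, prints one finding per line, and returns 0 only if
# every listed principal holds ROLE at exactly the vault scope and nothing else.
audit_kv_assignments() {
  kv_id=$1; shift
  awk -F'\t' -v kv="$kv_id" -v role="$ROLE" -v want="$*" '
    BEGIN { bad = 0; n = split(want, ids, " ")
            for (i = 1; i <= n; i++) expected[ids[i]] = 1 }
    !($1 in expected) { next }                      # not one of our identities
    # Azure resource IDs are case-insensitive, so compare scopes lowercased.
    $2 == role && tolower($3) == tolower(kv) { ok[$1] = 1; next }
    $2 == role { print "BROAD_SCOPE " $1 " " $3; bad = 1; next }
    { print "EXTRA_ROLE " $1 " " $2; bad = 1 }
    END {
      for (i = 1; i <= n; i++)
        if (!(ids[i] in ok)) { print "MISSING " ids[i]; bad = 1 }
      exit bad
    }'
}

# Constructed sample values (placeholders, not taken from any real tenant).
KV="/subscriptions/0000/resourceGroups/example-rg/providers/Microsoft.KeyVault/vaults/example-kv"
BACKEND="aaaaaaaa-0000-0000-0000-000000000001"
FRONTEND="bbbbbbbb-0000-0000-0000-000000000002"

# Backend is correct; frontend was given the write-capable Secrets Officer role
# instead; the third row is an unrelated principal and is ignored.
sample_tsv() {
  printf '%s\t%s\t%s\n' \
    "$BACKEND"  "Key Vault Secrets User"    "$KV" \
    "$FRONTEND" "Key Vault Secrets Officer" "$KV" \
    "cccccccc-0000-0000-0000-000000000003" "Owner" "${KV%/providers/*}"
}

sample_tsv | audit_kv_assignments "$KV" "$BACKEND" "$FRONTEND" || echo "audit: FAIL"
```

To run it against the real vault, pipe the `az role assignment list` export from the first comment into `audit_kv_assignments` with the vault ID and the two principal IDs as arguments.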

📝 Notes

  • Key Vault uses RBAC authorization (not access policies)
  • The role "Key Vault Secrets User" only allows reading secrets (not writing/deleting)
  • This is the recommended approach for production deployments
  • Access is granted via Managed Identity (no credentials stored)

Related Documentation

  • docs/AZURE-APP-SERVICE-DEPLOYMENT.md - Complete deployment guide
  • scripts/grant-keyvault-access-admin.sh - Automated script for admins