- Fix logger to handle Azure App Service write restrictions
- Skip file logging in Azure App Service (console logs captured automatically)
- Add deployment scripts for App Service setup
- Update documentation with correct resource names
- Add Key Vault access request documentation
- Add alternative authentication methods for ACR and Key Vault
102 lines
3.0 KiB
Markdown
# Key Vault Access Request - For Administrators

## 📋 Request Information

**Requested by:** adm_bhausmans@zuyderland.nl

**Date:** $(date +%Y-%m-%d)

**Purpose:** Grant App Services access to Key Vault for CMDB Insight deployment

## 🔐 Key Vault Details

- **Key Vault Name:** `zdl-cmdb-insight-prd-kv`
- **Resource Group:** `zdl-cmdb-insight-prd-euwe-rg`
- **Key Vault ID:** `/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv`

## 🎯 Required Access

**Role:** `Key Vault Secrets User`

**Scope:** Key Vault resource

**Purpose:** Allow App Services to read secrets from Key Vault

## 📱 App Service Principal IDs

### Backend Web App

- **App Name:** `zdl-cmdb-insight-prd-backend-webapp`
- **Principal ID:** `6bd8373f-f734-4d21-84f2-776fd11b17ae`

### Frontend Web App

- **App Name:** `zdl-cmdb-insight-prd-frontend-webapp`
- **Principal ID:** *(Get with the command below)*

## 🚀 Commands for Administrator

### Option 1: Use the Script (Recommended)

```bash
cd /path/to/cmdb-insight
./scripts/grant-keyvault-access-admin.sh
```

### Option 2: Manual Commands

```bash
# Get the Key Vault resource ID (used as the role assignment scope)
KV_ID=$(az keyvault show \
  --name zdl-cmdb-insight-prd-kv \
  --query id -o tsv)

# Get the frontend web app's managed identity principal ID (if needed)
FRONTEND_PRINCIPAL_ID=$(az webapp identity show \
  --name zdl-cmdb-insight-prd-frontend-webapp \
  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --query principalId -o tsv)

# Grant read-only secret access to the backend identity, scoped to this vault only
az role assignment create \
  --assignee "6bd8373f-f734-4d21-84f2-776fd11b17ae" \
  --role "Key Vault Secrets User" \
  --scope "$KV_ID"

# Grant the same access to the frontend identity (if needed)
az role assignment create \
  --assignee "$FRONTEND_PRINCIPAL_ID" \
  --role "Key Vault Secrets User" \
  --scope "$KV_ID"
```

### Option 3: Via Azure Portal

1. Navigate to Key Vault: `zdl-cmdb-insight-prd-kv`
2. Go to **Access control (IAM)**
3. Click **Add** → **Add role assignment**
4. Select role: **Key Vault Secrets User**
5. Assign access to: **Managed identity**
6. Select members:
   - Backend: `zdl-cmdb-insight-prd-backend-webapp`
   - Frontend: `zdl-cmdb-insight-prd-frontend-webapp`
7. Click **Review + assign**

## ✅ Verification

After granting access, verify with:

```bash
# List role assignments on the vault for the backend principal
az role assignment list \
  --scope "/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv" \
  --query "[?principalId=='6bd8373f-f734-4d21-84f2-776fd11b17ae']" \
  --output table
```
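The verification command above only shows that the backend principal has *some* assignment; it does not confirm the role is the read-only one or that the scope is the vault itself. The following added script (not part of the project's `scripts/` directory) audits the JSON from `az role assignment list --scope "$KV_ID" --include-inherited -o json` against what this request asks for. The sample assignments and the frontend principal ID are constructed placeholders.

```python
import json
import sys

# Scope and role are taken from the access request; the frontend principal ID is a
# placeholder because the request leaves it to be looked up.
KV_SCOPE = ("/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/"
            "zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/"
            "zdl-cmdb-insight-prd-kv")
EXPECTED_ROLE = "Key Vault Secrets User"
EXPECTED_PRINCIPALS = {
    "6bd8373f-f734-4d21-84f2-776fd11b17ae": "backend-webapp",
    "00000000-0000-0000-0000-000000000000": "frontend-webapp (placeholder ID)",
}

# Constructed sample mirroring the fields `az role assignment list -o json` returns.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "6bd8373f-f734-4d21-84f2-776fd11b17ae", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User", "scope": KV_SCOPE},
    {"principalId": "00000000-0000-0000-0000-000000000000", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets Officer",   # can also write/delete secrets
     "scope": KV_SCOPE.split("/providers/")[0]},          # inherited from the resource group
    {"principalId": "11111111-2222-3333-4444-555555555555", "principalType": "User",
     "roleDefinitionName": "Key Vault Administrator", "scope": KV_SCOPE},
]


def audit(assignments, expected=EXPECTED_PRINCIPALS, kv_scope=KV_SCOPE):
    """Return (severity, message) findings; an empty list means the vault matches the request."""
    findings, seen = [], set()
    for a in assignments:
        pid, role, scope = a["principalId"], a["roleDefinitionName"], a["scope"]
        if pid not in expected:
            findings.append(("warn", f"unexpected {a.get('principalType')} {pid} holds '{role}'"))
            continue
        seen.add(pid)
        if role != EXPECTED_ROLE:
            findings.append(("high", f"{expected[pid]} holds '{role}', expected '{EXPECTED_ROLE}'"))
        if scope.lower() != kv_scope.lower():   # Azure resource IDs compare case-insensitively
            findings.append(("high", f"{expected[pid]} granted at broader scope {scope}"))
    for pid, name in expected.items():
        if pid not in seen:
            findings.append(("info", f"{name} ({pid}) has no assignment on the vault yet"))
    return findings


if __name__ == "__main__":
    # Pipe real CLI output in, or run with no stdin to audit the constructed sample.
    data = SAMPLE_ASSIGNMENTS if sys.stdin.isatty() else json.load(sys.stdin)
    for severity, message in audit(data):
        print(f"[{severity}] {message}")
```

Two `high` findings plus a `warn` for the sample show the three things the table view hides: a write-capable role, a grant inherited from the resource group, and a human account with vault-wide admin rights.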

## 📝 Notes

- Key Vault uses **RBAC authorization** (not access policies)
- The role "Key Vault Secrets User" only allows reading secrets (not writing/deleting)
- This is the recommended approach for production deployments
- Access is granted via Managed Identity (no credentials stored)

## 🔗 Related Documentation

- `docs/AZURE-APP-SERVICE-DEPLOYMENT.md` - Complete deployment guide
- `scripts/grant-keyvault-access-admin.sh` - Automated script for admins