From 2dc7cc5869b95ebc64757775a69f62f570533a0f Mon Sep 17 00:00:00 2001
From: Wei Wei
Date: Mon, 12 Apr 2021 17:18:44 +0800
Subject: [PATCH] [Storage] Support USer Assigned Identity

---
 .../ScenarioTests/StorageAccountTests.cs | 7 +
 .../ScenarioTests/StorageAccountTests.ps1 | 67 ++
 ...ureStorageAccountUserAssignedIdentity.json | 882 ++++++++++++++++++
 src/Storage/Storage.Management/ChangeLog.md | 3 +
 .../StorageAccount/NewAzureStorageAccount.cs | 103 +-
 .../StorageAccount/SetAzureStorageAccount.cs | 59 +-
 .../StorageAccountBaseCmdlet.cs | 35 +
 .../help/New-AzStorageAccount.md | 154 ++-
 .../help/Set-AzStorageAccount.md | 128 ++-
 9 files changed, 1412 insertions(+), 26 deletions(-)
 create mode 100644 src/Storage/Storage.Management.Test/SessionRecords/Microsoft.Azure.Commands.Management.Storage.Test.ScenarioTests.StorageAccountTests/TestAzureStorageAccountUserAssignedIdentity.json

diff --git a/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.cs b/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.cs
index 430d8943d826..373666d5b8d6 100644
--- a/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.cs
+++ b/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.cs
@@ -239,5 +239,12 @@ public void TestAzureStorageAccountKeySASPolicy()
 {
 TestRunner.RunTestScript("Test-AzureStorageAccountKeySASPolicy");
 }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void TestAzureStorageAccountUserAssignedIdentity()
+ {
+ TestRunner.RunTestScript("Test-AzureStorageAccountUserAssignedIdentity");
+ }
 }
 }
diff --git a/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.ps1 b/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.ps1
index 9e1fb5d9d283..dcbb9db30214 100644
--- a/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.ps1
+++ b/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.ps1
@@ -1652,4 +1652,71 @@ function Test-AzureStorageAccountKeySASPolicy # Cleanup Clean-ResourceGroup $rgname } +} + +<# +.SYNOPSIS +Test Test-NewAzureStorageAccountUserAssignedIdentity +.DESCRIPTION +SmokeTest +#> +function Test-AzureStorageAccountUserAssignedIdentity +{ + # Setup + $rgname = Get-StorageManagementTestResourceName; + + try + { + # Test + $stoname = 'sto' + $rgname; + $stotype = 'Standard_LRS'; + $loc = Get-ProviderLocation_Canary ResourceManagement; + + New-AzResourceGroup -Name $rgname -Location $loc; + Write-Output ("Resource Group created") + + # create keyvault and user assigned idenity + $keyvaultName = "weiestestcanary" + $keyvaultUri = "https://$($keyvaultName).vault.azure.net:443" + $keyname = "wrappingKey" + $useridentity= "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1" + $useridentity2= "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid2" + + # $keyVault = New-AzKeyVault -VaultName $keyvaultName -ResourceGroupName $rgname -Location $loc -EnablePurgeProtection + # Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName -ResourceGroupName $rgname -ObjectId $servicePricipleObjectId -PermissionsToKeys backup,create,delete,get,import,get,list,update,restore + # $key = Add-AzKeyVaultKey -VaultName $keyvaultName -Name $keyname -Destination 'Software' + + # $userId = New-AzUserAssignedIdentity -ResourceGroupName $rgname -Name $rgname+"userid" + # Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName -ResourceGroupName $rgname -ObjectId $userId.PrincipalId -PermissionsToKeys get,wrapkey,unwrapkey -BypassObjectIdValidation + # $useridentity= $userId.Id + + # new account with keyvault encryption + UserAssignedIdentity + $account = New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -SkuName $stotype -Location $loc ` + -UserAssignedIdentityId $useridentity 
-IdentityType SystemAssignedUserAssigned ` + -KeyName $keyname -KeyVaultUri $keyvaultUri -KeyVaultUserAssignedIdentityId $useridentity + + Assert-AreEqual "SystemAssigned,UserAssigned" $account.Identity.Type + Assert-AreEqual Microsoft.Keyvault $account.Encryption.KeySource + Assert-AreEqual $useridentity $account.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity + Assert-AreEqual $keyvaultUri $account.Encryption.KeyVaultProperties.KeyVaultUri + Assert-AreEqual $keyname $account.Encryption.KeyVaultProperties.KeyName + + # update UserAssignedIdentity to another + $account = Set-AzStorageAccount -ResourceGroupName $rgname -Name $stoname ` + -IdentityType UserAssigned -UserAssignedIdentityId $useridentity2 ` + -KeyVaultUserAssignedIdentityId $useridentity2 -KeyName $keyname -KeyVaultUri $keyvaultUri + + Assert-AreEqual "UserAssigned" $account.Identity.Type + Assert-AreEqual Microsoft.Keyvault $account.Encryption.KeySource + Assert-AreEqual $useridentity2 $account.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity + Assert-AreEqual $keyvaultUri $account.Encryption.KeyVaultProperties.KeyVaultUri + Assert-AreEqual $keyname $account.Encryption.KeyVaultProperties.KeyName + + Remove-AzStorageAccount -Force -ResourceGroupName $rgname -Name $stoname; + } + finally + { + # Cleanup + Clean-ResourceGroup $rgname + } } \ No newline at end of file diff --git a/src/Storage/Storage.Management.Test/SessionRecords/Microsoft.Azure.Commands.Management.Storage.Test.ScenarioTests.StorageAccountTests/TestAzureStorageAccountUserAssignedIdentity.json b/src/Storage/Storage.Management.Test/SessionRecords/Microsoft.Azure.Commands.Management.Storage.Test.ScenarioTests.StorageAccountTests/TestAzureStorageAccountUserAssignedIdentity.json new file mode 100644 index 000000000000..c234a2c2ff54 --- /dev/null 
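Review bot: After the Set-AzStorageAccount call that switches the account to `UserAssigned` with `$useridentity2`, the assertions only check `$account.Identity.Type` and the encryption identity; nothing verifies that the first identity (`$useridentity`) was actually detached from the account, even though the recorded PATCH body in the session record sends it as `null` next to the new one. A stale user-assigned identity left attached would keep the key-wrapping access it no longer needs, so add a check on the identity collection, e.g. `Assert-AreEqual 1 $account.Identity.UserAssignedIdentities.Count` (adjust the property path if the PS identity object exposes the dictionary under another name). The test also depends on a key vault and two identities that are never created here — the setup is commented out and literal resource IDs from one subscription are used — so it can only be re-recorded by that subscription's owner; reading those values from test-environment variables or restoring the commented setup would make it reproducible. Minor: the `.SYNOPSIS` names `Test-NewAzureStorageAccountUserAssignedIdentity` while the function is `Test-AzureStorageAccountUserAssignedIdentity`.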
+++ b/src/Storage/Storage.Management.Test/SessionRecords/Microsoft.Azure.Commands.Management.Storage.Test.ScenarioTests.StorageAccountTests/TestAzureStorageAccountUserAssignedIdentity.json 
@@ -0,0 +1,882 @@ +{ + "Entries": [ + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourcegroups/pstestrg6795?api-version=2016-09-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL3Jlc291cmNlZ3JvdXBzL3BzdGVzdHJnNjc5NT9hcGktdmVyc2lvbj0yMDE2LTA5LTAx", + "RequestMethod": "PUT", + "RequestBody": "{\r\n \"location\": \"eastus2euap\"\r\n}", + "RequestHeaders": { + "x-ms-client-request-id": [ + "2a8881aa-e0c4-4edb-a58e-19c4d8671bc3" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Internal.Resources.ResourceManagementClient/1.3.32" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Content-Length": [ + "33" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], + "x-ms-request-id": [ + "b0e2da28-dd44-445c-9234-8bf5b0b431d0" + ], + "x-ms-correlation-request-id": [ + "b0e2da28-dd44-445c-9234-8bf5b0b431d0" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090421Z:b0e2da28-dd44-445c-9234-8bf5b0b431d0" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:04:21 GMT" + ], + "Content-Length": [ + "182" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"id\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795\",\r\n \"name\": \"pstestrg6795\",\r\n \"location\": \"eastus2euap\",\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\"\r\n }\r\n}", + "StatusCode": 201 + }, + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/providers/Microsoft.Storage/checkNameAvailability?api-version=2021-02-01", 
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL3Byb3ZpZGVycy9NaWNyb3NvZnQuU3RvcmFnZS9jaGVja05hbWVBdmFpbGFiaWxpdHk/YXBpLXZlcnNpb249MjAyMS0wMi0wMQ==", + "RequestMethod": "POST", + "RequestBody": "{\r\n \"name\": \"stopstestrg6795\",\r\n \"type\": \"Microsoft.Storage/storageAccounts\"\r\n}", + "RequestHeaders": { + "x-ms-client-request-id": [ + "20bf96cf-ce50-49ec-8e6c-758af00520dd" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Storage.StorageManagementClient/19.0.0.0" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Content-Length": [ + "81" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-request-id": [ + "20fae0de-5d10-40bb-98fb-044bcd4ad48e" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0" + ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11997" + ], + "x-ms-correlation-request-id": [ + "61d728fc-57d2-47f8-96bd-b8c426e84140" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090423Z:61d728fc-57d2-47f8-96bd-b8c426e84140" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:04:22 GMT" + ], + "Content-Length": [ + "22" + ], + "Content-Type": [ + "application/json" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"nameAvailable\": true\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795?api-version=2021-02-01", + "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL3Jlc291cmNlR3JvdXBzL3BzdGVzdHJnNjc5NS9wcm92aWRlcnMvTWljcm9zb2Z0LlN0b3JhZ2Uvc3RvcmFnZUFjY291bnRzL3N0b3BzdGVzdHJnNjc5NT9hcGktdmVyc2lvbj0yMDIxLTAyLTAx", + "RequestMethod": "PUT", + "RequestBody": "{\r\n \"sku\": {\r\n \"name\": \"Standard_LRS\"\r\n },\r\n \"kind\": \"StorageV2\",\r\n \"location\": \"eastus2euap\",\r\n \"identity\": {\r\n \"type\": \"SystemAssigned,UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1\": {}\r\n }\r\n },\r\n \"properties\": {\r\n \"encryption\": {\r\n \"services\": {\r\n \"blob\": {}\r\n },\r\n \"keySource\": \"Microsoft.Keyvault\",\r\n \"keyvaultproperties\": {\r\n \"keyname\": \"wrappingKey\",\r\n \"keyvaulturi\": \"https://weiestestcanary.vault.azure.net:443\"\r\n },\r\n \"identity\": {\r\n \"userAssignedIdentity\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1\"\r\n }\r\n }\r\n }\r\n}", + "RequestHeaders": { + "x-ms-client-request-id": [ + "20bf96cf-ce50-49ec-8e6c-758af00520dd" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Storage.StorageManagementClient/19.0.0.0" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Content-Length": [ + "868" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Location": [ + "https://management.azure.com/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/providers/Microsoft.Storage/locations/eastus2euap/asyncoperations/9835e661-4475-400b-aaaa-a32593b94e27?monitor=true&api-version=2021-02-01" + ], + "Retry-After": [ + "17" + ], + "x-ms-request-id": [ + 
"9835e661-4475-400b-aaaa-a32593b94e27" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], + "x-ms-correlation-request-id": [ + "c6b114dc-ee4c-4d01-b80c-4314b668a13e" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090435Z:c6b114dc-ee4c-4d01-b80c-4314b668a13e" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:04:35 GMT" + ], + "Content-Type": [ + "text/plain; charset=utf-8" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "0" + ] + }, + "ResponseBody": "", + "StatusCode": 202 + }, + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/providers/Microsoft.Storage/locations/eastus2euap/asyncoperations/9835e661-4475-400b-aaaa-a32593b94e27?monitor=true&api-version=2021-02-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL3Byb3ZpZGVycy9NaWNyb3NvZnQuU3RvcmFnZS9sb2NhdGlvbnMvZWFzdHVzMmV1YXAvYXN5bmNvcGVyYXRpb25zLzk4MzVlNjYxLTQ0NzUtNDAwYi1hYWFhLWEzMjU5M2I5NGUyNz9tb25pdG9yPXRydWUmYXBpLXZlcnNpb249MjAyMS0wMi0wMQ==", + "RequestMethod": "GET", + "RequestBody": "", + "RequestHeaders": { + "x-ms-client-request-id": [ + "20bf96cf-ce50-49ec-8e6c-758af00520dd" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Storage.StorageManagementClient/19.0.0.0" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-request-id": [ + "d6b4c5fa-c8d9-4f41-910e-5c54c92fff90" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0" + ], + "x-ms-ratelimit-remaining-subscription-reads": [ + 
"11996" + ], + "x-ms-correlation-request-id": [ + "a0e288fd-745e-4fe2-ba62-993fd036f99f" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090453Z:a0e288fd-745e-4fe2-ba62-993fd036f99f" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:04:52 GMT" + ], + "Content-Length": [ + "2645" + ], + "Content-Type": [ + "application/json" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"identity\": {\r\n \"userAssignedIdentities\": {\r\n \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1\": {\r\n \"principalId\": \"8a5450b5-4cb1-49cf-a735-c3a2294004cf\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"clientId\": \"bbeeb066-7071-4cb5-bc00-bf455189db66\",\r\n \"identityUrl\": \"https://control-eastus2euap.identity.azure.net/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourcegroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795/credentials/v2/userassigned?arpid=1428d409-9324-44a2-b2e1-2fe741176480&uaid=bbeeb066-7071-4cb5-bc00-bf455189db66\",\r\n \"certRenewAfter\": \"2021-04-18T07:22:00Z\"\r\n }\r\n },\r\n \"principalId\": \"fc784982-67fd-497a-bdfb-ae512e079493\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"type\": \"SystemAssigned,UserAssigned\"\r\n },\r\n \"sku\": {\r\n \"name\": \"Standard_LRS\",\r\n \"tier\": \"Standard\"\r\n },\r\n \"kind\": \"StorageV2\",\r\n \"id\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795\",\r\n \"name\": \"stopstestrg6795\",\r\n \"type\": \"Microsoft.Storage/storageAccounts\",\r\n \"location\": \"eastus2euap\",\r\n \"tags\": {},\r\n \"properties\": {\r\n \"privateEndpointConnections\": [],\r\n \"networkAcls\": {\r\n \"bypass\": \"AzureServices\",\r\n \"virtualNetworkRules\": [],\r\n \"ipRules\": [],\r\n \"defaultAction\": 
\"Allow\"\r\n },\r\n \"supportsHttpsTrafficOnly\": true,\r\n \"encryption\": {\r\n \"identity\": {\r\n \"userAssignedIdentity\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1\"\r\n },\r\n \"keyvaultproperties\": {\r\n \"currentVersionedKeyIdentifier\": \"https://weiestestcanary.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f\",\r\n \"lastKeyRotationTimestamp\": \"2021-04-12T09:04:34.2282143Z\",\r\n \"currentVersionedKeyExpirationTimestamp\": \"1970-01-01T00:00:00Z\",\r\n \"keyvaulturi\": \"https://weiestestcanary.vault.azure.net:443\",\r\n \"keyname\": \"wrappingKey\"\r\n },\r\n \"services\": {\r\n \"file\": {\r\n \"keyType\": \"Account\",\r\n \"enabled\": true,\r\n \"lastEnabledTime\": \"2021-04-12T09:04:32.9536529Z\"\r\n },\r\n \"blob\": {\r\n \"keyType\": \"Account\",\r\n \"enabled\": true,\r\n \"lastEnabledTime\": \"2021-04-12T09:04:32.9536529Z\"\r\n }\r\n },\r\n \"keySource\": \"Microsoft.Keyvault\"\r\n },\r\n \"accessTier\": \"Hot\",\r\n \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"2021-04-12T09:04:32.8636548Z\",\r\n \"primaryEndpoints\": {\r\n \"dfs\": \"https://stopstestrg6795.dfs.core.windows.net/\",\r\n \"web\": \"https://stopstestrg6795.z3.web.core.windows.net/\",\r\n \"blob\": \"https://stopstestrg6795.blob.core.windows.net/\",\r\n \"queue\": \"https://stopstestrg6795.queue.core.windows.net/\",\r\n \"table\": \"https://stopstestrg6795.table.core.windows.net/\",\r\n \"file\": \"https://stopstestrg6795.file.core.windows.net/\"\r\n },\r\n \"primaryLocation\": \"eastus2euap\",\r\n \"statusOfPrimary\": \"available\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795?api-version=2021-02-01", + "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL3Jlc291cmNlR3JvdXBzL3BzdGVzdHJnNjc5NS9wcm92aWRlcnMvTWljcm9zb2Z0LlN0b3JhZ2Uvc3RvcmFnZUFjY291bnRzL3N0b3BzdGVzdHJnNjc5NT9hcGktdmVyc2lvbj0yMDIxLTAyLTAx", + "RequestMethod": "GET", + "RequestBody": "", + "RequestHeaders": { + "x-ms-client-request-id": [ + "20bf96cf-ce50-49ec-8e6c-758af00520dd" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Storage.StorageManagementClient/19.0.0.0" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-request-id": [ + "bfc0fe65-f223-4396-8ef2-57c2e9361fd4" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0" + ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11995" + ], + "x-ms-correlation-request-id": [ + "7b06743f-ff83-440a-959c-5af4ebf55317" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090453Z:7b06743f-ff83-440a-959c-5af4ebf55317" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:04:52 GMT" + ], + "Content-Length": [ + "2645" + ], + "Content-Type": [ + "application/json" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"identity\": {\r\n \"userAssignedIdentities\": {\r\n \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1\": {\r\n \"principalId\": \"8a5450b5-4cb1-49cf-a735-c3a2294004cf\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"clientId\": \"bbeeb066-7071-4cb5-bc00-bf455189db66\",\r\n \"identityUrl\": 
\"https://control-eastus2euap.identity.azure.net/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourcegroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795/credentials/v2/userassigned?arpid=1428d409-9324-44a2-b2e1-2fe741176480&uaid=bbeeb066-7071-4cb5-bc00-bf455189db66\",\r\n \"certRenewAfter\": \"2021-04-18T07:22:00Z\"\r\n }\r\n },\r\n \"principalId\": \"fc784982-67fd-497a-bdfb-ae512e079493\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"type\": \"SystemAssigned,UserAssigned\"\r\n },\r\n \"sku\": {\r\n \"name\": \"Standard_LRS\",\r\n \"tier\": \"Standard\"\r\n },\r\n \"kind\": \"StorageV2\",\r\n \"id\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795\",\r\n \"name\": \"stopstestrg6795\",\r\n \"type\": \"Microsoft.Storage/storageAccounts\",\r\n \"location\": \"eastus2euap\",\r\n \"tags\": {},\r\n \"properties\": {\r\n \"privateEndpointConnections\": [],\r\n \"networkAcls\": {\r\n \"bypass\": \"AzureServices\",\r\n \"virtualNetworkRules\": [],\r\n \"ipRules\": [],\r\n \"defaultAction\": \"Allow\"\r\n },\r\n \"supportsHttpsTrafficOnly\": true,\r\n \"encryption\": {\r\n \"identity\": {\r\n \"userAssignedIdentity\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1\"\r\n },\r\n \"keyvaultproperties\": {\r\n \"currentVersionedKeyIdentifier\": \"https://weiestestcanary.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f\",\r\n \"lastKeyRotationTimestamp\": \"2021-04-12T09:04:34.2282143Z\",\r\n \"currentVersionedKeyExpirationTimestamp\": \"1970-01-01T00:00:00Z\",\r\n \"keyvaulturi\": \"https://weiestestcanary.vault.azure.net:443\",\r\n \"keyname\": \"wrappingKey\"\r\n },\r\n \"services\": {\r\n \"file\": {\r\n \"keyType\": \"Account\",\r\n \"enabled\": true,\r\n \"lastEnabledTime\": \"2021-04-12T09:04:32.9536529Z\"\r\n 
},\r\n \"blob\": {\r\n \"keyType\": \"Account\",\r\n \"enabled\": true,\r\n \"lastEnabledTime\": \"2021-04-12T09:04:32.9536529Z\"\r\n }\r\n },\r\n \"keySource\": \"Microsoft.Keyvault\"\r\n },\r\n \"accessTier\": \"Hot\",\r\n \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"2021-04-12T09:04:32.8636548Z\",\r\n \"primaryEndpoints\": {\r\n \"dfs\": \"https://stopstestrg6795.dfs.core.windows.net/\",\r\n \"web\": \"https://stopstestrg6795.z3.web.core.windows.net/\",\r\n \"blob\": \"https://stopstestrg6795.blob.core.windows.net/\",\r\n \"queue\": \"https://stopstestrg6795.queue.core.windows.net/\",\r\n \"table\": \"https://stopstestrg6795.table.core.windows.net/\",\r\n \"file\": \"https://stopstestrg6795.file.core.windows.net/\"\r\n },\r\n \"primaryLocation\": \"eastus2euap\",\r\n \"statusOfPrimary\": \"available\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795?api-version=2021-02-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL3Jlc291cmNlR3JvdXBzL3BzdGVzdHJnNjc5NS9wcm92aWRlcnMvTWljcm9zb2Z0LlN0b3JhZ2Uvc3RvcmFnZUFjY291bnRzL3N0b3BzdGVzdHJnNjc5NT9hcGktdmVyc2lvbj0yMDIxLTAyLTAx", + "RequestMethod": "GET", + "RequestBody": "", + "RequestHeaders": { + "x-ms-client-request-id": [ + "ace15ff8-0660-4448-841c-6e75dd25070e" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Storage.StorageManagementClient/19.0.0.0" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-request-id": [ + "2a22cab1-f61a-4dd8-b6fa-3b866e237e91" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + 
"Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0" + ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11998" + ], + "x-ms-correlation-request-id": [ + "ac91a13f-a65a-4b8f-bec8-4dab338fa710" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090454Z:ac91a13f-a65a-4b8f-bec8-4dab338fa710" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:04:54 GMT" + ], + "Content-Length": [ + "2645" + ], + "Content-Type": [ + "application/json" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"identity\": {\r\n \"userAssignedIdentities\": {\r\n \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1\": {\r\n \"principalId\": \"8a5450b5-4cb1-49cf-a735-c3a2294004cf\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"clientId\": \"bbeeb066-7071-4cb5-bc00-bf455189db66\",\r\n \"identityUrl\": \"https://control-eastus2euap.identity.azure.net/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourcegroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795/credentials/v2/userassigned?arpid=1428d409-9324-44a2-b2e1-2fe741176480&uaid=bbeeb066-7071-4cb5-bc00-bf455189db66\",\r\n \"certRenewAfter\": \"2021-04-18T07:22:00Z\"\r\n }\r\n },\r\n \"principalId\": \"fc784982-67fd-497a-bdfb-ae512e079493\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"type\": \"SystemAssigned,UserAssigned\"\r\n },\r\n \"sku\": {\r\n \"name\": \"Standard_LRS\",\r\n \"tier\": \"Standard\"\r\n },\r\n \"kind\": \"StorageV2\",\r\n \"id\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795\",\r\n \"name\": \"stopstestrg6795\",\r\n \"type\": \"Microsoft.Storage/storageAccounts\",\r\n \"location\": \"eastus2euap\",\r\n \"tags\": {},\r\n \"properties\": {\r\n 
\"privateEndpointConnections\": [],\r\n \"networkAcls\": {\r\n \"bypass\": \"AzureServices\",\r\n \"virtualNetworkRules\": [],\r\n \"ipRules\": [],\r\n \"defaultAction\": \"Allow\"\r\n },\r\n \"supportsHttpsTrafficOnly\": true,\r\n \"encryption\": {\r\n \"identity\": {\r\n \"userAssignedIdentity\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1\"\r\n },\r\n \"keyvaultproperties\": {\r\n \"currentVersionedKeyIdentifier\": \"https://weiestestcanary.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f\",\r\n \"lastKeyRotationTimestamp\": \"2021-04-12T09:04:34.2282143Z\",\r\n \"currentVersionedKeyExpirationTimestamp\": \"1970-01-01T00:00:00Z\",\r\n \"keyvaulturi\": \"https://weiestestcanary.vault.azure.net:443\",\r\n \"keyname\": \"wrappingKey\"\r\n },\r\n \"services\": {\r\n \"file\": {\r\n \"keyType\": \"Account\",\r\n \"enabled\": true,\r\n \"lastEnabledTime\": \"2021-04-12T09:04:32.9536529Z\"\r\n },\r\n \"blob\": {\r\n \"keyType\": \"Account\",\r\n \"enabled\": true,\r\n \"lastEnabledTime\": \"2021-04-12T09:04:32.9536529Z\"\r\n }\r\n },\r\n \"keySource\": \"Microsoft.Keyvault\"\r\n },\r\n \"accessTier\": \"Hot\",\r\n \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"2021-04-12T09:04:32.8636548Z\",\r\n \"primaryEndpoints\": {\r\n \"dfs\": \"https://stopstestrg6795.dfs.core.windows.net/\",\r\n \"web\": \"https://stopstestrg6795.z3.web.core.windows.net/\",\r\n \"blob\": \"https://stopstestrg6795.blob.core.windows.net/\",\r\n \"queue\": \"https://stopstestrg6795.queue.core.windows.net/\",\r\n \"table\": \"https://stopstestrg6795.table.core.windows.net/\",\r\n \"file\": \"https://stopstestrg6795.file.core.windows.net/\"\r\n },\r\n \"primaryLocation\": \"eastus2euap\",\r\n \"statusOfPrimary\": \"available\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": 
"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795?api-version=2021-02-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL3Jlc291cmNlR3JvdXBzL3BzdGVzdHJnNjc5NS9wcm92aWRlcnMvTWljcm9zb2Z0LlN0b3JhZ2Uvc3RvcmFnZUFjY291bnRzL3N0b3BzdGVzdHJnNjc5NT9hcGktdmVyc2lvbj0yMDIxLTAyLTAx", + "RequestMethod": "GET", + "RequestBody": "", + "RequestHeaders": { + "x-ms-client-request-id": [ + "ace15ff8-0660-4448-841c-6e75dd25070e" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Storage.StorageManagementClient/19.0.0.0" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-request-id": [ + "2755a48c-be4f-48d4-b997-c596ccedb8a5" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0" + ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11997" + ], + "x-ms-correlation-request-id": [ + "596adf8d-4363-4a8e-92d1-e4cc351f2f33" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090508Z:596adf8d-4363-4a8e-92d1-e4cc351f2f33" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:05:08 GMT" + ], + "Content-Length": [ + "2527" + ], + "Content-Type": [ + "application/json" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"identity\": {\r\n \"userAssignedIdentities\": {\r\n \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid2\": {\r\n \"principalId\": \"35cd3417-aa14-4228-8293-be96e239345b\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"clientId\": 
\"d2579880-1952-4b51-a398-8896fa125866\",\r\n \"identityUrl\": \"https://control-eastus2euap.identity.azure.net/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourcegroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795/credentials/v2/userassigned?arpid=1428d409-9324-44a2-b2e1-2fe741176480&uaid=d2579880-1952-4b51-a398-8896fa125866\",\r\n \"certRenewAfter\": \"2021-05-09T09:05:00Z\"\r\n }\r\n },\r\n \"type\": \"UserAssigned\"\r\n },\r\n \"sku\": {\r\n \"name\": \"Standard_LRS\",\r\n \"tier\": \"Standard\"\r\n },\r\n \"kind\": \"StorageV2\",\r\n \"id\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795\",\r\n \"name\": \"stopstestrg6795\",\r\n \"type\": \"Microsoft.Storage/storageAccounts\",\r\n \"location\": \"eastus2euap\",\r\n \"tags\": {},\r\n \"properties\": {\r\n \"privateEndpointConnections\": [],\r\n \"networkAcls\": {\r\n \"bypass\": \"AzureServices\",\r\n \"virtualNetworkRules\": [],\r\n \"ipRules\": [],\r\n \"defaultAction\": \"Allow\"\r\n },\r\n \"supportsHttpsTrafficOnly\": true,\r\n \"encryption\": {\r\n \"identity\": {\r\n \"userAssignedIdentity\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid2\"\r\n },\r\n \"keyvaultproperties\": {\r\n \"currentVersionedKeyIdentifier\": \"https://weiestestcanary.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f\",\r\n \"lastKeyRotationTimestamp\": \"2021-04-12T09:04:34.2282143Z\",\r\n \"currentVersionedKeyExpirationTimestamp\": \"1970-01-01T00:00:00Z\",\r\n \"keyvaulturi\": \"https://weiestestcanary.vault.azure.net:443\",\r\n \"keyname\": \"wrappingKey\"\r\n },\r\n \"services\": {\r\n \"file\": {\r\n \"keyType\": \"Account\",\r\n \"enabled\": true,\r\n \"lastEnabledTime\": \"2021-04-12T09:04:32.9536529Z\"\r\n },\r\n \"blob\": {\r\n \"keyType\": \"Account\",\r\n \"enabled\": true,\r\n 
\"lastEnabledTime\": \"2021-04-12T09:04:32.9536529Z\"\r\n }\r\n },\r\n \"keySource\": \"Microsoft.Keyvault\"\r\n },\r\n \"accessTier\": \"Hot\",\r\n \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"2021-04-12T09:04:32.8636548Z\",\r\n \"primaryEndpoints\": {\r\n \"dfs\": \"https://stopstestrg6795.dfs.core.windows.net/\",\r\n \"web\": \"https://stopstestrg6795.z3.web.core.windows.net/\",\r\n \"blob\": \"https://stopstestrg6795.blob.core.windows.net/\",\r\n \"queue\": \"https://stopstestrg6795.queue.core.windows.net/\",\r\n \"table\": \"https://stopstestrg6795.table.core.windows.net/\",\r\n \"file\": \"https://stopstestrg6795.file.core.windows.net/\"\r\n },\r\n \"primaryLocation\": \"eastus2euap\",\r\n \"statusOfPrimary\": \"available\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795?api-version=2021-02-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL3Jlc291cmNlR3JvdXBzL3BzdGVzdHJnNjc5NS9wcm92aWRlcnMvTWljcm9zb2Z0LlN0b3JhZ2Uvc3RvcmFnZUFjY291bnRzL3N0b3BzdGVzdHJnNjc5NT9hcGktdmVyc2lvbj0yMDIxLTAyLTAx", + "RequestMethod": "PATCH", + "RequestBody": "{\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid2\": {},\r\n \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1\": null\r\n }\r\n },\r\n \"properties\": {\r\n \"encryption\": {\r\n \"keySource\": \"Microsoft.Keyvault\",\r\n \"keyvaultproperties\": {\r\n \"keyname\": \"wrappingKey\",\r\n \"keyvaulturi\": \"https://weiestestcanary.vault.azure.net:443\"\r\n },\r\n \"identity\": {\r\n \"userAssignedIdentity\": 
\"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid2\"\r\n }\r\n }\r\n }\r\n}", + "RequestHeaders": { + "x-ms-client-request-id": [ + "ace15ff8-0660-4448-841c-6e75dd25070e" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Storage.StorageManagementClient/19.0.0.0" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Content-Length": [ + "862" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-request-id": [ + "7b5ac49e-d23d-467b-bf1a-9b7087bbaa11" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], + "x-ms-correlation-request-id": [ + "2cfefa39-9069-4ffa-85ea-a18f549d22d8" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090508Z:2cfefa39-9069-4ffa-85ea-a18f549d22d8" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:05:07 GMT" + ], + "Content-Length": [ + "2527" + ], + "Content-Type": [ + "application/json" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"identity\": {\r\n \"userAssignedIdentities\": {\r\n \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid2\": {\r\n \"principalId\": \"35cd3417-aa14-4228-8293-be96e239345b\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"clientId\": \"d2579880-1952-4b51-a398-8896fa125866\",\r\n \"identityUrl\": 
\"https://control-eastus2euap.identity.azure.net/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourcegroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795/credentials/v2/userassigned?arpid=1428d409-9324-44a2-b2e1-2fe741176480&uaid=d2579880-1952-4b51-a398-8896fa125866\",\r\n \"certRenewAfter\": \"2021-05-09T09:05:00Z\"\r\n }\r\n },\r\n \"type\": \"UserAssigned\"\r\n },\r\n \"sku\": {\r\n \"name\": \"Standard_LRS\",\r\n \"tier\": \"Standard\"\r\n },\r\n \"kind\": \"StorageV2\",\r\n \"id\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795\",\r\n \"name\": \"stopstestrg6795\",\r\n \"type\": \"Microsoft.Storage/storageAccounts\",\r\n \"location\": \"eastus2euap\",\r\n \"tags\": {},\r\n \"properties\": {\r\n \"privateEndpointConnections\": [],\r\n \"networkAcls\": {\r\n \"bypass\": \"AzureServices\",\r\n \"virtualNetworkRules\": [],\r\n \"ipRules\": [],\r\n \"defaultAction\": \"Allow\"\r\n },\r\n \"supportsHttpsTrafficOnly\": true,\r\n \"encryption\": {\r\n \"identity\": {\r\n \"userAssignedIdentity\": \"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid2\"\r\n },\r\n \"keyvaultproperties\": {\r\n \"currentVersionedKeyIdentifier\": \"https://weiestestcanary.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f\",\r\n \"lastKeyRotationTimestamp\": \"2021-04-12T09:04:34.2282143Z\",\r\n \"currentVersionedKeyExpirationTimestamp\": \"1970-01-01T00:00:00Z\",\r\n \"keyvaulturi\": \"https://weiestestcanary.vault.azure.net:443\",\r\n \"keyname\": \"wrappingKey\"\r\n },\r\n \"services\": {\r\n \"file\": {\r\n \"keyType\": \"Account\",\r\n \"enabled\": true,\r\n \"lastEnabledTime\": \"2021-04-12T09:04:32.9536529Z\"\r\n },\r\n \"blob\": {\r\n \"keyType\": \"Account\",\r\n \"enabled\": true,\r\n \"lastEnabledTime\": \"2021-04-12T09:04:32.9536529Z\"\r\n }\r\n 
},\r\n \"keySource\": \"Microsoft.Keyvault\"\r\n },\r\n \"accessTier\": \"Hot\",\r\n \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"2021-04-12T09:04:32.8636548Z\",\r\n \"primaryEndpoints\": {\r\n \"dfs\": \"https://stopstestrg6795.dfs.core.windows.net/\",\r\n \"web\": \"https://stopstestrg6795.z3.web.core.windows.net/\",\r\n \"blob\": \"https://stopstestrg6795.blob.core.windows.net/\",\r\n \"queue\": \"https://stopstestrg6795.queue.core.windows.net/\",\r\n \"table\": \"https://stopstestrg6795.table.core.windows.net/\",\r\n \"file\": \"https://stopstestrg6795.file.core.windows.net/\"\r\n },\r\n \"primaryLocation\": \"eastus2euap\",\r\n \"statusOfPrimary\": \"available\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/pstestrg6795/providers/Microsoft.Storage/storageAccounts/stopstestrg6795?api-version=2021-02-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL3Jlc291cmNlR3JvdXBzL3BzdGVzdHJnNjc5NS9wcm92aWRlcnMvTWljcm9zb2Z0LlN0b3JhZ2Uvc3RvcmFnZUFjY291bnRzL3N0b3BzdGVzdHJnNjc5NT9hcGktdmVyc2lvbj0yMDIxLTAyLTAx", + "RequestMethod": "DELETE", + "RequestBody": "", + "RequestHeaders": { + "x-ms-client-request-id": [ + "3a3662c6-76fd-4ce6-8690-37ed2b209f26" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Storage.StorageManagementClient/19.0.0.0" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-request-id": [ + "6e92b37b-8701-4ef8-b145-fb83badf9a29" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0" + ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], + "x-ms-correlation-request-id": [ + 
"34b7c77e-01d0-4d37-87e0-976133317447" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090520Z:34b7c77e-01d0-4d37-87e0-976133317447" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:05:20 GMT" + ], + "Content-Type": [ + "text/plain; charset=utf-8" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "0" + ] + }, + "ResponseBody": "", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourcegroups/pstestrg6795?api-version=2016-09-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL3Jlc291cmNlZ3JvdXBzL3BzdGVzdHJnNjc5NT9hcGktdmVyc2lvbj0yMDE2LTA5LTAx", + "RequestMethod": "DELETE", + "RequestBody": "", + "RequestHeaders": { + "x-ms-client-request-id": [ + "b08554df-7d5b-4285-b41f-934d23ddf706" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Internal.Resources.ResourceManagementClient/1.3.32" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Location": [ + "https://management.azure.com/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/operationresults/eyJqb2JJZCI6IlJFU09VUkNFR1JPVVBERUxFVElPTkpPQi1QU1RFU1RSRzY3OTUtRUFTVFVTMkVVQVAiLCJqb2JMb2NhdGlvbiI6ImVhc3R1czJldWFwIn0?api-version=2016-09-01" + ], + "Retry-After": [ + "15" + ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], + "x-ms-request-id": [ + "5a7862b8-ccc4-4497-9d5b-33cfc04d6b89" + ], + "x-ms-correlation-request-id": [ + "5a7862b8-ccc4-4497-9d5b-33cfc04d6b89" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090526Z:5a7862b8-ccc4-4497-9d5b-33cfc04d6b89" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:05:26 GMT" + ], + "Expires": [ 
+ "-1" + ], + "Content-Length": [ + "0" + ] + }, + "ResponseBody": "", + "StatusCode": 202 + }, + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/operationresults/eyJqb2JJZCI6IlJFU09VUkNFR1JPVVBERUxFVElPTkpPQi1QU1RFU1RSRzY3OTUtRUFTVFVTMkVVQVAiLCJqb2JMb2NhdGlvbiI6ImVhc3R1czJldWFwIn0?api-version=2016-09-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL29wZXJhdGlvbnJlc3VsdHMvZXlKcWIySkpaQ0k2SWxKRlUwOVZVa05GUjFKUFZWQkVSVXhGVkVsUFRrcFBRaTFRVTFSRlUxUlNSelkzT1RVdFJVRlRWRlZUTWtWVlFWQWlMQ0pxYjJKTWIyTmhkR2x2YmlJNkltVmhjM1IxY3pKbGRXRndJbjA/YXBpLXZlcnNpb249MjAxNi0wOS0wMQ==", + "RequestMethod": "GET", + "RequestBody": "", + "RequestHeaders": { + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Internal.Resources.ResourceManagementClient/1.3.32" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Location": [ + "https://management.azure.com/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/operationresults/eyJqb2JJZCI6IlJFU09VUkNFR1JPVVBERUxFVElPTkpPQi1QU1RFU1RSRzY3OTUtRUFTVFVTMkVVQVAiLCJqb2JMb2NhdGlvbiI6ImVhc3R1czJldWFwIn0?api-version=2016-09-01" + ], + "Retry-After": [ + "15" + ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11997" + ], + "x-ms-request-id": [ + "1428f4fa-89b4-40e4-a0e0-7f65d5e7367b" + ], + "x-ms-correlation-request-id": [ + "1428f4fa-89b4-40e4-a0e0-7f65d5e7367b" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090542Z:1428f4fa-89b4-40e4-a0e0-7f65d5e7367b" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:05:41 GMT" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "0" + ] + }, + "ResponseBody": "", + "StatusCode": 202 + }, + { + "RequestUri": 
"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/operationresults/eyJqb2JJZCI6IlJFU09VUkNFR1JPVVBERUxFVElPTkpPQi1QU1RFU1RSRzY3OTUtRUFTVFVTMkVVQVAiLCJqb2JMb2NhdGlvbiI6ImVhc3R1czJldWFwIn0?api-version=2016-09-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL29wZXJhdGlvbnJlc3VsdHMvZXlKcWIySkpaQ0k2SWxKRlUwOVZVa05GUjFKUFZWQkVSVXhGVkVsUFRrcFBRaTFRVTFSRlUxUlNSelkzT1RVdFJVRlRWRlZUTWtWVlFWQWlMQ0pxYjJKTWIyTmhkR2x2YmlJNkltVmhjM1IxY3pKbGRXRndJbjA/YXBpLXZlcnNpb249MjAxNi0wOS0wMQ==", + "RequestMethod": "GET", + "RequestBody": "", + "RequestHeaders": { + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Internal.Resources.ResourceManagementClient/1.3.32" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Location": [ + "https://management.azure.com/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/operationresults/eyJqb2JJZCI6IlJFU09VUkNFR1JPVVBERUxFVElPTkpPQi1QU1RFU1RSRzY3OTUtRUFTVFVTMkVVQVAiLCJqb2JMb2NhdGlvbiI6ImVhc3R1czJldWFwIn0?api-version=2016-09-01" + ], + "Retry-After": [ + "15" + ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11996" + ], + "x-ms-request-id": [ + "ea6bcc91-c39f-4f9b-bf98-6db9ce2397c0" + ], + "x-ms-correlation-request-id": [ + "ea6bcc91-c39f-4f9b-bf98-6db9ce2397c0" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090557Z:ea6bcc91-c39f-4f9b-bf98-6db9ce2397c0" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:05:57 GMT" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "0" + ] + }, + "ResponseBody": "", + "StatusCode": 202 + }, + { + "RequestUri": 
"/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/operationresults/eyJqb2JJZCI6IlJFU09VUkNFR1JPVVBERUxFVElPTkpPQi1QU1RFU1RSRzY3OTUtRUFTVFVTMkVVQVAiLCJqb2JMb2NhdGlvbiI6ImVhc3R1czJldWFwIn0?api-version=2016-09-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL29wZXJhdGlvbnJlc3VsdHMvZXlKcWIySkpaQ0k2SWxKRlUwOVZVa05GUjFKUFZWQkVSVXhGVkVsUFRrcFBRaTFRVTFSRlUxUlNSelkzT1RVdFJVRlRWRlZUTWtWVlFWQWlMQ0pxYjJKTWIyTmhkR2x2YmlJNkltVmhjM1IxY3pKbGRXRndJbjA/YXBpLXZlcnNpb249MjAxNi0wOS0wMQ==", + "RequestMethod": "GET", + "RequestBody": "", + "RequestHeaders": { + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Internal.Resources.ResourceManagementClient/1.3.32" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11995" + ], + "x-ms-request-id": [ + "c819cf88-4d41-4362-8014-c16e173cd808" + ], + "x-ms-correlation-request-id": [ + "c819cf88-4d41-4362-8014-c16e173cd808" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090613Z:c819cf88-4d41-4362-8014-c16e173cd808" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:06:12 GMT" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "0" + ] + }, + "ResponseBody": "", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/operationresults/eyJqb2JJZCI6IlJFU09VUkNFR1JPVVBERUxFVElPTkpPQi1QU1RFU1RSRzY3OTUtRUFTVFVTMkVVQVAiLCJqb2JMb2NhdGlvbiI6ImVhc3R1czJldWFwIn0?api-version=2016-09-01", + "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDViNjBkODUtZmQ3Mi00MjdhLWE3MDgtZjk5NGQyNmU1OTNlL29wZXJhdGlvbnJlc3VsdHMvZXlKcWIySkpaQ0k2SWxKRlUwOVZVa05GUjFKUFZWQkVSVXhGVkVsUFRrcFBRaTFRVTFSRlUxUlNSelkzT1RVdFJVRlRWRlZUTWtWVlFWQWlMQ0pxYjJKTWIyTmhkR2x2YmlJNkltVmhjM1IxY3pKbGRXRndJbjA/YXBpLXZlcnNpb249MjAxNi0wOS0wMQ==", + "RequestMethod": "GET", + "RequestBody": "", + "RequestHeaders": { + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.Internal.Resources.ResourceManagementClient/1.3.32" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11994" + ], + "x-ms-request-id": [ + "4f6ac729-2baa-44e9-ae10-288b0f2d3002" + ], + "x-ms-correlation-request-id": [ + "4f6ac729-2baa-44e9-ae10-288b0f2d3002" + ], + "x-ms-routing-request-id": [ + "SOUTHEASTASIA:20210412T090613Z:4f6ac729-2baa-44e9-ae10-288b0f2d3002" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Mon, 12 Apr 2021 09:06:13 GMT" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "0" + ] + }, + "ResponseBody": "", + "StatusCode": 200 + } + ], + "Names": { + "Test-AzureStorageAccountUserAssignedIdentity": [ + "pstestrg6795" + ] + }, + "Variables": { + "SubscriptionId": "45b60d85-fd72-427a-a708-f994d26e593e" + } +} \ No newline at end of file diff --git a/src/Storage/Storage.Management/ChangeLog.md b/src/Storage/Storage.Management/ChangeLog.md index 032612432cbf..e0d233bb959f 100644 --- a/src/Storage/Storage.Management/ChangeLog.md +++ b/src/Storage/Storage.Management/ChangeLog.md 
@@ -21,6 +21,9 @@
 * Supported create/update storage account with KeyExpirationPeriod and SasExpirationPeriod
 - `New-AzStorageAccount`
 - `Set-AzStorageAccount`
+* Supported create/update storage account with keyvault encryption and access keyvault with user assigned identity
+ - `New-AzStorageAccount`
+ - `Set-AzStorageAccount`
 * Supported EdgeZone in create storage account
 - `New-AzStorageAccount`
 * Fixed an issue that delete immutable blob will prompt incorrect message.
diff --git a/src/Storage/Storage.Management/StorageAccount/NewAzureStorageAccount.cs b/src/Storage/Storage.Management/StorageAccount/NewAzureStorageAccount.cs
index 101d20078c5d..ddcf3b8bc255 100644
--- a/src/Storage/Storage.Management/StorageAccount/NewAzureStorageAccount.cs
+++ b/src/Storage/Storage.Management/StorageAccount/NewAzureStorageAccount.cs
@@ -21,6 +21,7 @@
 using Microsoft.Azure.Commands.Management.Storage.Models;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using System;
+using System.Collections.Generic;
 namespace Microsoft.Azure.Commands.Management.Storage
 {
@@ -148,10 +149,50 @@ public bool EnableHttpsTrafficOnly
 private bool? enableHttpsTrafficOnly = null;
 [Parameter(
- Mandatory = false,
- HelpMessage = "Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.")]
+ Mandatory = false,
+ HelpMessage = "Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault. If specify this paramter without \"-IdentityType\", will use system assigned identity.")]
 public SwitchParameter AssignIdentity { get; set; }
+ [Parameter(
+ Mandatory = false,
+ HelpMessage = "Set resource ids for the the new Storage Account user assigned Identity, the identity will be used with key management services like Azure KeyVault.")]
+ [ValidateNotNullOrEmpty]
+ public string UserAssignedIdentityId { get; set; }
+
+ [Parameter(
+ Mandatory = false,
+ HelpMessage = "Set the new Storage Account Identity type, the idenetity is for use with key management services like Azure KeyVault.")]
+ [ValidateSet(AccountIdentityType.systemAssigned,
+ AccountIdentityType.userAssigned,
+ AccountIdentityType.systemAssignedUserAssigned,
+ AccountIdentityType.none,
+ IgnoreCase = true)]
+ public string IdentityType { get; set; }
+
+ [Parameter(
+ Mandatory = false,
+ HelpMessage = "Set resource id for user assigned Identity used to access Azure KeyVault of Storage Account Encryption, the id must in UserAssignIdentityId.")]
+ [ValidateNotNull]
+ public string KeyVaultUserAssignedIdentityId { get; set; }
+
+ [Parameter(
+ Mandatory = false,
+ HelpMessage = "Storage Account encryption keySource KeyVault KeyName")]
+ [ValidateNotNullOrEmpty]
+ public string KeyName { get; set; }
+
+ [Parameter(
+ Mandatory = false,
+ HelpMessage = "Storage Account encryption keySource KeyVault KeyVersion")]
+ [ValidateNotNullOrEmpty]
+ public string KeyVersion { get; set; }
+
+ [Parameter(
+ Mandatory = false,
+ HelpMessage = "Storage Account 
encryption keySource KeyVault KeyVaultUri")]
+ [ValidateNotNullOrEmpty]
+ public string KeyVaultUri { get; set; }
+
 [Parameter(HelpMessage = "Storage Account NetworkRule",
 Mandatory = false)]
 [ValidateNotNullOrEmpty]
@@ -439,9 +480,22 @@ public override void ExecuteCmdlet()
 createParameters.EnableHttpsTrafficOnly = enableHttpsTrafficOnly;
 }
- if (AssignIdentity.IsPresent)
+ if (AssignIdentity.IsPresent || this.UserAssignedIdentityId != null || this.IdentityType != null)
 {
- createParameters.Identity = new Identity() { Type = IdentityType.SystemAssigned };
+ createParameters.Identity = new Identity() { Type = StorageModels.IdentityType.SystemAssigned };
+ if (this.IdentityType != null)
+ {
+ createParameters.Identity.Type = GetIdentityTypeString(this.IdentityType);
+ }
+ if (this.UserAssignedIdentityId != null)
+ {
+ if (createParameters.Identity.Type != StorageModels.IdentityType.UserAssigned && createParameters.Identity.Type != StorageModels.IdentityType.SystemAssignedUserAssigned)
+ {
+ throw new ArgumentException("UserAssignIdentityId should only be specified when AssignIdentityType is UserAssigned or SystemAssignedUserAssigned.", "UserAssignIdentityId");
+ }
+ createParameters.Identity.UserAssignedIdentities = new Dictionary();
+ createParameters.Identity.UserAssignedIdentities.Add(this.UserAssignedIdentityId, new UserAssignedIdentity());
+ }
 }
 if (NetworkRuleSet != null)
 {
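Review bot: The HelpMessage on KeyVaultUserAssignedIdentityId names a parameter that does not exist ("the id must in UserAssignIdentityId"); the parameter declared just above it is UserAssignedIdentityId, and the sentence should also say what "in" means. Suggested text: `HelpMessage = "Set the resource id of the user assigned identity used to access Azure KeyVault for Storage Account encryption; it must be the identity given in UserAssignedIdentityId."`. KeyVaultUserAssignedIdentityId also carries `[ValidateNotNull]` while every sibling string parameter in this hunk uses `[ValidateNotNullOrEmpty]`, so an empty string passes parameter binding and is sent as the encryption identity; `[ValidateNotNullOrEmpty]` would reject it at the prompt. Typos in the other messages: "paramter", "the the", "idenetity".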
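Review bot: The ArgumentException in the user-assigned check reports names that are not the cmdlet's parameters — the message and paramName say "UserAssignIdentityId" and "AssignIdentityType", while the parameters are UserAssignedIdentityId and IdentityType; `throw new ArgumentException("UserAssignedIdentityId should only be specified when IdentityType is UserAssigned or SystemAssignedUserAssigned.", nameof(UserAssignedIdentityId));` keeps the message refactor-safe. The reverse case is not checked: `-IdentityType UserAssigned` (or SystemAssignedUserAssigned) without `-UserAssignedIdentityId` sends an identity of that type with no UserAssignedIdentities, so the failure, if any, comes from the service instead of from the cmdlet. Both points apply identically to the matching hunk in SetAzureStorageAccount.cs ExecuteCmdlet. ExecuteCmdlet starts and ends outside this hunk.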
@@ -517,6 +571,47 @@ public override void ExecuteCmdlet()
 }
 }
 }
+ if (this.KeyVaultUri !=null || this.KeyName != null || this.KeyVersion != null || this.KeyVaultUserAssignedIdentityId != null)
+ {
+ if ((this.KeyVaultUri != null && this.KeyName == null) || (this.KeyVaultUri == null && this.KeyName != null))
+ {
+ throw new ArgumentException("KeyVaultUri and KeyName must be specify together");
+ }
+
+ if (this.KeyVersion != null && (this.KeyVaultUri == null || this.KeyName == null))
+ {
+ throw new ArgumentException("KeyVersion can only be specified when specify KeyVaultUri and KeyName together.", "KeyVersion");
+ }
+
+ if (this.KeyVaultUserAssignedIdentityId != null && (this.KeyVaultUri == null || this.KeyName == null))
+ {
+ throw new ArgumentException("KeyVaultUserAssignedIdentityId can only be specified when specify KeyVaultUri and KeyName together.", "KeyVaultUserAssignedIdentityId");
+ }
+
+ if (createParameters.Encryption == null)
+ {
+ createParameters.Encryption = new Encryption();
+ createParameters.Encryption.KeySource = KeySource.MicrosoftStorage;
+ }
+
+ if (createParameters.Encryption.Services is null)
+ {
+ createParameters.Encryption.Services = new EncryptionServices();
+ createParameters.Encryption.Services.Blob = new EncryptionService();
+ }
+
+ if (this.KeyVaultUri != null || this.KeyName != null || this.KeyVersion != null)
+ {
+ createParameters.Encryption.KeySource = KeySource.MicrosoftKeyvault;
+ createParameters.Encryption.KeyVaultProperties = new KeyVaultProperties(this.KeyName, this.KeyVersion, this.KeyVaultUri);
+ }
+
+ if (this.KeyVaultUserAssignedIdentityId != null)
+ {
+ createParameters.Encryption.EncryptionIdentity = new EncryptionIdentity();
+ createParameters.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity = this.KeyVaultUserAssignedIdentityId;
+ }
+ }
 if (this.minimumTlsVersion != null)
 {
 createParameters.MinimumTlsVersion = this.minimumTlsVersion;
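Review bot: The first validation throws without a paramName and with a grammatical error, unlike the two checks that follow it; `throw new ArgumentException("KeyVaultUri and KeyName must be specified together.", nameof(KeyVaultUri));` matches them. The help text for KeyVaultUserAssignedIdentityId says the id must be the one assigned to the account, but nothing here compares it with UserAssignedIdentityId, so a mismatch surfaces only when the create request is rejected (presumably — the service-side rule is not visible here); a client-side check such as `if (this.KeyVaultUserAssignedIdentityId != null && !this.KeyVaultUserAssignedIdentityId.Equals(this.UserAssignedIdentityId, StringComparison.OrdinalIgnoreCase)) throw new ArgumentException("KeyVaultUserAssignedIdentityId must be the identity given in UserAssignedIdentityId.", nameof(KeyVaultUserAssignedIdentityId));` gives the caller a clear error before the request is sent. ExecuteCmdlet starts and ends outside this hunk.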
diff --git a/src/Storage/Storage.Management/StorageAccount/SetAzureStorageAccount.cs b/src/Storage/Storage.Management/StorageAccount/SetAzureStorageAccount.cs
index b00e8d6fb4bf..aa47d028d58b 100644
--- a/src/Storage/Storage.Management/StorageAccount/SetAzureStorageAccount.cs
+++ b/src/Storage/Storage.Management/StorageAccount/SetAzureStorageAccount.cs
@@ -177,6 +177,28 @@ public string KeyVaultUri
 HelpMessage = "Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.")]
 public SwitchParameter AssignIdentity { get; set; }
+ [Parameter(
+ Mandatory = false,
+ HelpMessage = "Set resource ids for the the new Storage Account user assignedd Identity, the identity will be used with key management services like Azure KeyVault.")]
+ [ValidateNotNull]
+ public string UserAssignedIdentityId { get; set; }
+
+ [Parameter(
+ Mandatory = false,
+ HelpMessage = "Set resource id for user assigned Identity used to access Azure KeyVault of Storage Account Encryption, the id must in the storage account's UserAssignIdentityId.")]
+ [ValidateNotNull]
+ public string KeyVaultUserAssignedIdentityId { get; set; }
+
+ [Parameter(
+ Mandatory = false,
+ HelpMessage = "Set the new Storage Account Identity type, the idenetity is for use with key management services like Azure KeyVault.")]
+ [ValidateSet(AccountIdentityType.systemAssigned,
+ AccountIdentityType.userAssigned,
+ AccountIdentityType.systemAssignedUserAssigned,
+ AccountIdentityType.none,
+ IgnoreCase = true)]
+ public string IdentityType { get; set; }
+
 [Parameter(HelpMessage = "Storage Account NetworkRule",
 Mandatory = false)]
 [ValidateNotNullOrEmpty]
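Review bot: UserAssignedIdentityId is declared with `[ValidateNotNull]` here but with `[ValidateNotNullOrEmpty]` in NewAzureStorageAccount.cs, so on Set-AzStorageAccount an empty string binds successfully and becomes the key of the UserAssignedIdentities entry in the PATCH body; `[ValidateNotNullOrEmpty]` on both UserAssignedIdentityId and KeyVaultUserAssignedIdentityId would align the two cmdlets. The HelpMessage for KeyVaultUserAssignedIdentityId refers to "UserAssignIdentityId", which is not a parameter name; it should read UserAssignedIdentityId. Typos in the messages: "assignedd", "the the", "idenetity".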
@@ -436,19 +458,50 @@ public override void ExecuteCmdlet()
 updateParameters.EnableHttpsTrafficOnly = enableHttpsTrafficOnly;
 }
- if (AssignIdentity.IsPresent)
+ if (AssignIdentity.IsPresent || this.UserAssignedIdentityId != null || this.IdentityType != null)
 {
- updateParameters.Identity = new Identity() { Type = IdentityType.SystemAssigned };
+ updateParameters.Identity = new Identity() { Type = StorageModels.IdentityType.SystemAssigned };
+ if (this.IdentityType != null)
+ {
+ updateParameters.Identity.Type = GetIdentityTypeString(this.IdentityType);
+ }
+ if (this.UserAssignedIdentityId != null)
+ {
+ if (updateParameters.Identity.Type != StorageModels.IdentityType.UserAssigned && updateParameters.Identity.Type != StorageModels.IdentityType.SystemAssignedUserAssigned)
+ {
+ throw new ArgumentException("UserAssignIdentityId should only be specified when AssignIdentityType is UserAssigned or SystemAssignedUserAssigned.", "UserAssignIdentityId");
+ }
+ updateParameters.Identity.UserAssignedIdentities = new Dictionary();
+ updateParameters.Identity.UserAssignedIdentities.Add(this.UserAssignedIdentityId, new UserAssignedIdentity());
+
+ var accountProperties = this.StorageClient.StorageAccounts.GetProperties(this.ResourceGroupName, this.Name);
+ if (accountProperties.Identity != null && accountProperties.Identity.UserAssignedIdentities != null && accountProperties.Identity.UserAssignedIdentities.Count > 0)
+ {
+ foreach (var uid in accountProperties.Identity.UserAssignedIdentities)
+ {
+ if (!uid.Key.Equals(this.UserAssignedIdentityId, StringComparison.OrdinalIgnoreCase))
+ {
+ updateParameters.Identity.UserAssignedIdentities.Add(uid.Key, null);
+ }
+ }
+ }
+ }
 }
- if (StorageEncryption || (ParameterSetName == KeyvaultEncryptionParameterSet))
+ if (StorageEncryption || ParameterSetName == KeyvaultEncryptionParameterSet || this.KeyVaultUserAssignedIdentityId != null)
 {
 if (ParameterSetName == KeyvaultEncryptionParameterSet)
 {
 keyvaultEncryption = true;
 }
 updateParameters.Encryption = ParseEncryption(StorageEncryption, keyvaultEncryption, KeyName, KeyVersion, KeyVaultUri);
+ if (this.KeyVaultUserAssignedIdentityId != null)
+ {
+ updateParameters.Encryption.EncryptionIdentity = new EncryptionIdentity();
+ updateParameters.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity = this.KeyVaultUserAssignedIdentityId;
+ }
 }
+
 if (NetworkRuleSet != null)
 {
 updateParameters.NetworkRuleSet = PSNetworkRuleSet.ParseStorageNetworkRule(NetworkRuleSet);
diff --git a/src/Storage/Storage.Management/StorageAccount/StorageAccountBaseCmdlet.cs b/src/Storage/Storage.Management/StorageAccount/StorageAccountBaseCmdlet.cs
index 7f589460c13b..f3dfd6c3e3c7 100644
--- a/src/Storage/Storage.Management/StorageAccount/StorageAccountBaseCmdlet.cs
+++ b/src/Storage/Storage.Management/StorageAccount/StorageAccountBaseCmdlet.cs
@@ -70,6 +70,14 @@ protected struct ManagementPolicyAction
 internal const string Delete = "Delete";
 }
+ protected struct AccountIdentityType
+ {
+ internal const string systemAssigned = "SystemAssigned";
+ internal const string userAssigned = "UserAssigned";
+ internal const string systemAssignedUserAssigned = "SystemAssignedUserAssigned";
+ internal const string none = "None";
+ }
+
 [Flags]
 public enum EncryptionSupportServiceEnum
 {
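Review bot: Passing -UserAssignedIdentityId removes every other user-assigned identity currently on the account — each existing key other than the new one is added with a null value — including the identity the account's encryption currently uses to reach its Key Vault key when -KeyVaultUserAssignedIdentityId is not given in the same call, so a routine identity change can leave the account with encryption pointing at an identity it no longer holds. Before the foreach, read the identity currently referenced by the account's encryption (the help example shows it as Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity on the returned account) and, when it differs from the new id and KeyVaultUserAssignedIdentityId is null, throw an ArgumentException telling the caller to pass -KeyVaultUserAssignedIdentityId as well; at minimum the HelpMessage should state that identities not listed are removed. The later branch calls ParseEncryption with StorageEncryption false and no key vault values when only -KeyVaultUserAssignedIdentityId is supplied; ParseEncryption is outside this hunk, and if it can return null in that case the `.EncryptionIdentity` assignment dereferences it. The wrong parameter names in the ArgumentException are the same as in NewAzureStorageAccount.cs. ExecuteCmdlet starts and ends outside this hunk.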
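Review bot: The constants in AccountIdentityType are camelCase (`systemAssigned`, `none`) while the sibling ManagementPolicyAction directly above uses PascalCase (`Delete`). Renaming them to `SystemAssigned`, `UserAssigned`, `SystemAssignedUserAssigned` and `None` keeps the file consistent; the ValidateSet attributes in the two cmdlets and GetIdentityTypeString reference them and need the same rename.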
@@ -140,5 +148,32 @@ protected void WriteStorageAccountList(IEnumerable
 storageAccounts.ForEach(storageAccount => output.Add(PSStorageAccount.Create(storageAccount, this.StorageClient)));
 WriteObject(output, true);
 }
+
+ public static string GetIdentityTypeString(string inputIdentityType)
+ {
+ if (inputIdentityType == null)
+ {
+ return null;
+ }
+
+ // The parameter validate set make sure the value must be systemAssigned or userAssigned or systemAssignedUserAssigned or None
+ if (inputIdentityType.ToLower() == AccountIdentityType.systemAssigned.ToLower())
+ {
+ return IdentityType.SystemAssigned;
+ }
+ if (inputIdentityType.ToLower() == AccountIdentityType.userAssigned.ToLower())
+ {
+ return IdentityType.UserAssigned;
+ }
+ if (inputIdentityType.ToLower() == AccountIdentityType.systemAssignedUserAssigned.ToLower())
+ {
+ return IdentityType.SystemAssignedUserAssigned;
+ }
+ if (inputIdentityType.ToLower() == AccountIdentityType.none.ToLower())
+ {
+ return IdentityType.None;
+ }
+ throw new ArgumentException("The value for AssignIdentityType is not valid, the valid value are: \"None\", \"SystemAssigned\", \"UserAssigned\", or \"SystemAssignedUserAssigned\"", "AssignIdentityType");
+ }
 }
 }
diff --git a/src/Storage/Storage.Management/help/New-AzStorageAccount.md b/src/Storage/Storage.Management/help/New-AzStorageAccount.md
index c78c395b785a..6079cced54e2 100644
--- a/src/Storage/Storage.Management/help/New-AzStorageAccount.md
+++ b/src/Storage/Storage.Management/help/New-AzStorageAccount.md
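Review bot: GetIdentityTypeString compares values with culture-sensitive `ToLower()` on both sides, so under a culture such as Turkish an upper-case I in the input lower-cases to a different character and an otherwise accepted value falls through to the throw. `string.Equals` with `StringComparison.OrdinalIgnoreCase` removes the culture dependency and the eight temporary strings. The exception message and paramName also say "AssignIdentityType", which is not the name of the parameter in either cmdlet (IdentityType); the rewritten comparisons and throw are below.
```csharp
public static string GetIdentityTypeString(string inputIdentityType)
{
    // … unchanged: null check …
    // The parameter validate set make sure the value must be systemAssigned or userAssigned or systemAssignedUserAssigned or None
    if (string.Equals(inputIdentityType, AccountIdentityType.systemAssigned, StringComparison.OrdinalIgnoreCase))
    {
        return IdentityType.SystemAssigned;
    }
    if (string.Equals(inputIdentityType, AccountIdentityType.userAssigned, StringComparison.OrdinalIgnoreCase))
    {
        return IdentityType.UserAssigned;
    }
    if (string.Equals(inputIdentityType, AccountIdentityType.systemAssignedUserAssigned, StringComparison.OrdinalIgnoreCase))
    {
        return IdentityType.SystemAssignedUserAssigned;
    }
    if (string.Equals(inputIdentityType, AccountIdentityType.none, StringComparison.OrdinalIgnoreCase))
    {
        return IdentityType.None;
    }
    throw new ArgumentException("The value for IdentityType is not valid, the valid values are: \"None\", \"SystemAssigned\", \"UserAssigned\", or \"SystemAssignedUserAssigned\"", "IdentityType");
}
```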
@@ -17,9 +17,11 @@ Creates a Storage account. ``` New-AzStorageAccount [-ResourceGroupName] [-Name] [-SkuName] [-Location] [-Kind ] [-AccessTier ] [-CustomDomainName ] [-UseSubDomain ] - [-Tag ] [-EnableHttpsTrafficOnly ] [-AssignIdentity] [-NetworkRuleSet ] - [-EnableHierarchicalNamespace ] [-EnableAzureActiveDirectoryDomainServicesForFile ] - [-EnableLargeFileShare] [-PublishMicrosoftEndpoint ] [-PublishInternetEndpoint ] [-AsJob] + [-Tag ] [-EnableHttpsTrafficOnly ] [-AssignIdentity] [-UserAssignedIdentityId ] + [-IdentityType ] [-KeyVaultUserAssignedIdentityId ] [-KeyName ] [-KeyVersion ] + [-KeyVaultUri ] [-NetworkRuleSet ] [-EnableHierarchicalNamespace ] + [-EnableAzureActiveDirectoryDomainServicesForFile ] [-EnableLargeFileShare] + [-PublishMicrosoftEndpoint ] [-PublishInternetEndpoint ] [-AsJob] [-EncryptionKeyTypeForTable ] [-EncryptionKeyTypeForQueue ] [-RequireInfrastructureEncryption] [-SasExpirationPeriod ] [-KeyExpirationPeriodInDay ] [-AllowBlobPublicAccess ] [-MinimumTlsVersion ] [-AllowSharedKeyAccess ] [-EdgeZone ] 
@@ -30,16 +32,18 @@ New-AzStorageAccount [-ResourceGroupName] [-Name] [-SkuName] < ``` New-AzStorageAccount [-ResourceGroupName] [-Name] [-SkuName] [-Location] [-Kind ] [-AccessTier ] [-CustomDomainName ] [-UseSubDomain ] - [-Tag ] [-EnableHttpsTrafficOnly ] [-AssignIdentity] [-NetworkRuleSet ] - [-EnableHierarchicalNamespace ] [-EnableLargeFileShare] [-PublishMicrosoftEndpoint ] - [-PublishInternetEndpoint ] [-EnableActiveDirectoryDomainServicesForFile ] - [-ActiveDirectoryDomainName ] [-ActiveDirectoryNetBiosDomainName ] - [-ActiveDirectoryForestName ] [-ActiveDirectoryDomainGuid ] - [-ActiveDirectoryDomainSid ] [-ActiveDirectoryAzureStorageSid ] [-AsJob] - [-EncryptionKeyTypeForTable ] [-EncryptionKeyTypeForQueue ] [-RequireInfrastructureEncryption] - [-SasExpirationPeriod ] [-KeyExpirationPeriodInDay ] [-AllowBlobPublicAccess ] - [-MinimumTlsVersion ] [-AllowSharedKeyAccess ] [-EdgeZone ] - [-DefaultProfile ] [-RoutingChoice ] [] + [-Tag ] [-EnableHttpsTrafficOnly ] [-AssignIdentity] [-UserAssignedIdentityId ] + [-IdentityType ] [-KeyVaultUserAssignedIdentityId ] [-KeyName ] [-KeyVersion ] + [-KeyVaultUri ] [-NetworkRuleSet ] [-EnableHierarchicalNamespace ] + [-EnableLargeFileShare] [-PublishMicrosoftEndpoint ] [-PublishInternetEndpoint ] + [-EnableActiveDirectoryDomainServicesForFile ] [-ActiveDirectoryDomainName ] + [-ActiveDirectoryNetBiosDomainName ] [-ActiveDirectoryForestName ] + [-ActiveDirectoryDomainGuid ] [-ActiveDirectoryDomainSid ] + [-ActiveDirectoryAzureStorageSid ] [-AsJob] [-EncryptionKeyTypeForTable ] + [-EncryptionKeyTypeForQueue ] [-RequireInfrastructureEncryption] [-SasExpirationPeriod ] + [-KeyExpirationPeriodInDay ] [-AllowBlobPublicAccess ] [-MinimumTlsVersion ] + [-AllowSharedKeyAccess ] [-EdgeZone ] [-DefaultProfile ] + [-RoutingChoice ] [] ``` ## DESCRIPTION 
@@ -200,6 +204,39 @@ PS C:\> $$account.SasPolicy.SasExpirationPeriod This command creates a Storage account with KeyExpirationPeriod and SasExpirationPeriod, then show the created account related properties. +### Example 12: Create a Storage account with Keyvault encryption (access Keyvault with user assigned identity) +```powershell +# Create KeyVault (no need if using exist keyvault) +PS C:\> $keyVault = New-AzKeyVault -VaultName $keyvaultName -ResourceGroupName $resourceGroupName -Location eastus2euap -EnablePurgeProtection +PS C:\> $key = Add-AzKeyVaultKey -VaultName $keyvaultName -Name $keyname -Destination 'Software' + +# create user assigned identity and grant access to keyvault (no need if using exist user assigned identity) +PS C:\> $userId = New-AzUserAssignedIdentity -ResourceGroupName $resourceGroupName -Name $userIdName +PS C:\> Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName -ResourceGroupName $resourceGroupName -ObjectId $userId.PrincipalId -PermissionsToKeys get,wrapkey,unwrapkey -BypassObjectIdValidation +PS C:\> $useridentityId= $userId.Id + +# create Storage account with Keyvault encryption (access Keyvault with user assigned identity), then show properties +PS C:\> $account = New-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -Kind StorageV2 -SkuName Standard_LRS -Location eastus2euap ` + -IdentityType SystemAssignedUserAssigned -UserAssignedIdentityId $useridentityId ` + -KeyVaultUri $keyVault.VaultUri -KeyName $keyname -KeyVaultUserAssignedIdentityId $useridentityId + +PS C:\> $account.Encryption.EncryptionIdentity + +EncryptionUserAssignedIdentity +------------------------------ +/subscriptions/{subscription-id}/resourceGroups/myresourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuserid + +PS C:\> $account.Encryption.KeyVaultProperties + +KeyName : wrappingKey +KeyVersion : +KeyVaultUri : https://mykeyvault.vault.azure.net:443 +CurrentVersionedKeyIdentifier : 
https://mykeyvault.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f +LastKeyRotationTimestamp : 4/12/2021 8:17:57 AM +``` + +This command first create a keyvault and a user assigned identity, then create a storage account with keyvault encryption (the storage access access keyvault with the user assigned identity). + ## PARAMETERS ### -AccessTier @@ -532,6 +569,22 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -IdentityType +Set the new Storage Account Identity type, the idenetity is for use with key management services like Azure KeyVault. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: +Accepted values: SystemAssigned, UserAssigned, SystemAssignedUserAssigned, None + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -KeyExpirationPeriodInDay The Key expiration period of this account, it is accurate to days. 
@@ -547,6 +600,66 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -KeyName +Storage Account encryption keySource KeyVault KeyName + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -KeyVaultUri +Storage Account encryption keySource KeyVault KeyVaultUri + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -KeyVaultUserAssignedIdentityId +Set resource id for user assigned Identity used to access Azure KeyVault of Storage Account Encryption, the id must in UserAssignIdentityId. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -KeyVersion +Storage Account encryption keySource KeyVault KeyVersion + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Kind Specifies the kind of Storage account that this cmdlet creates. The acceptable values for this parameter are: @@ -763,6 +876,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -UserAssignedIdentityId +Set resource ids for the the new Storage Account user assigned Identity, the identity will be used with key management services like Azure KeyVault. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -UseSubDomain Indicates whether to enable indirect CName validation. 
diff --git a/src/Storage/Storage.Management/help/Set-AzStorageAccount.md b/src/Storage/Storage.Management/help/Set-AzStorageAccount.md index 9690a47a6eed..0a16783e1f4d 100644 --- a/src/Storage/Storage.Management/help/Set-AzStorageAccount.md +++ b/src/Storage/Storage.Management/help/Set-AzStorageAccount.md @@ -17,9 +17,9 @@ Modifies a Storage account. ``` Set-AzStorageAccount [-ResourceGroupName] [-Name] [-Force] [-SkuName ] [-AccessTier ] [-CustomDomainName ] [-UseSubDomain ] [-Tag ] - [-EnableHttpsTrafficOnly ] [-StorageEncryption] [-AssignIdentity] - [-NetworkRuleSet ] [-UpgradeToStorageV2] - [-EnableAzureActiveDirectoryDomainServicesForFile ] [-EnableLargeFileShare] + [-EnableHttpsTrafficOnly ] [-StorageEncryption] [-AssignIdentity] [-UserAssignedIdentityId ] + [-KeyVaultUserAssignedIdentityId ] [-IdentityType ] [-NetworkRuleSet ] + [-UpgradeToStorageV2] [-EnableAzureActiveDirectoryDomainServicesForFile ] [-EnableLargeFileShare] [-PublishMicrosoftEndpoint ] [-PublishInternetEndpoint ] [-AllowBlobPublicAccess ] [-MinimumTlsVersion ] [-AllowSharedKeyAccess ] [-SasExpirationPeriod ] [-KeyExpirationPeriodInDay ] [-AsJob] [-DefaultProfile ] 
@@ -31,8 +31,9 @@ Set-AzStorageAccount [-ResourceGroupName] [-Name] [-Force] [-S Set-AzStorageAccount [-ResourceGroupName] [-Name] [-Force] [-SkuName ] [-AccessTier ] [-CustomDomainName ] [-UseSubDomain ] [-Tag ] [-EnableHttpsTrafficOnly ] [-KeyvaultEncryption] -KeyName [-KeyVersion ] - -KeyVaultUri [-AssignIdentity] [-NetworkRuleSet ] [-UpgradeToStorageV2] - [-EnableAzureActiveDirectoryDomainServicesForFile ] [-EnableLargeFileShare] + -KeyVaultUri [-AssignIdentity] [-UserAssignedIdentityId ] + [-KeyVaultUserAssignedIdentityId ] [-IdentityType ] [-NetworkRuleSet ] + [-UpgradeToStorageV2] [-EnableAzureActiveDirectoryDomainServicesForFile ] [-EnableLargeFileShare] [-PublishMicrosoftEndpoint ] [-PublishInternetEndpoint ] [-AllowBlobPublicAccess ] [-MinimumTlsVersion ] [-AllowSharedKeyAccess ] [-SasExpirationPeriod ] [-KeyExpirationPeriodInDay ] [-AsJob] [-DefaultProfile ] @@ -43,7 +44,8 @@ Set-AzStorageAccount [-ResourceGroupName] [-Name] [-Force] [-S ``` Set-AzStorageAccount [-ResourceGroupName] [-Name] [-Force] [-SkuName ] [-AccessTier ] [-CustomDomainName ] [-UseSubDomain ] [-Tag ] - [-EnableHttpsTrafficOnly ] [-AssignIdentity] [-NetworkRuleSet ] + [-EnableHttpsTrafficOnly ] [-AssignIdentity] [-UserAssignedIdentityId ] + [-KeyVaultUserAssignedIdentityId ] [-IdentityType ] [-NetworkRuleSet ] [-UpgradeToStorageV2] [-EnableLargeFileShare] [-PublishMicrosoftEndpoint ] [-PublishInternetEndpoint ] -EnableActiveDirectoryDomainServicesForFile [-ActiveDirectoryDomainName ] [-ActiveDirectoryNetBiosDomainName ] 
@@ -230,6 +232,74 @@ PS C:\> $$account.SasPolicy.SasExpirationPeriod This command updates a Storage account with KeyExpirationPeriod and SasExpirationPeriod, then show the updated account related properties. +### Example 15: Update a Storage account to Keyvault encryption, and access Keyvault with user assigned identity +```powershell +# Create KeyVault (no need if using exist keyvault) +PS C:\> $keyVault = New-AzKeyVault -VaultName $keyvaultName -ResourceGroupName $resourceGroupName -Location eastus2euap -EnablePurgeProtection +PS C:\> $key = Add-AzKeyVaultKey -VaultName $keyvaultName -Name $keyname -Destination 'Software' + +# create user assigned identity and grant access to keyvault (no need if using exist user assigned identity) +PS C:\> $userId = New-AzUserAssignedIdentity -ResourceGroupName $resourceGroupName -Name $userIdName +PS C:\> Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName -ResourceGroupName $resourceGroupName -ObjectId $userId.PrincipalId -PermissionsToKeys get,wrapkey,unwrapkey -BypassObjectIdValidation +PS C:\> $useridentityId= $userId.Id + +# Update Storage account with Keyvault encryption and access Keyvault with user assigned identity, then show properties +PS C:\> $account = Update-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName ` + -IdentityType UserAssigned -UserAssignedIdentityId $useridentityId ` + -KeyVaultUri $keyVault.VaultUri -KeyName $keyname -KeyVaultUserAssignedIdentityId $useridentityId + +PS C:\> $account.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity +/subscriptions/{subscription-id}/resourceGroups/myresourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuserid + +PS C:\> $account.Encryption.KeyVaultProperties + +KeyName : wrappingKey +KeyVersion : +KeyVaultUri : https://mykeyvault.vault.azure.net:443 +CurrentVersionedKeyIdentifier : https://mykeyvault.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f +LastKeyRotationTimestamp : 4/12/2021 
8:17:57 AM +``` + +This command first creates a keyvault and a user assigned identity, then updates a storage account with keyvault encryption, the storage access access keyvault with the user assigned identity. + +### Example 16: Update a Keyvault encrypted Storage account, from access Keyvault with user assigned identity, to access Keyvault with system assigned identity +```powershell +# Assign System identity to the account, and give the system assigned identity acces to the keyvault +PS C:\> $account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -IdentityType SystemAssignedUserAssigned +PS C:\> Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName -ResourceGroupName $resourceGroupName -ObjectId $account.Identity.PrincipalId -PermissionsToKeys get,wrapkey,unwrapkey -BypassObjectIdValidation + +# Update account from access Keyvault with user assigned identity to access Keyvault with system assigned identity +$account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -IdentityType SystemAssignedUserAssigned -KeyName $keyname -KeyVaultUri $keyvaultUri -KeyVaultUserAssignedIdentityId "" + +# EncryptionUserAssignedIdentity is empty, so the account access keyvault with system assigned identity +PS C:\> $account.Encryption.EncryptionIdentity + +EncryptionUserAssignedIdentity +------------------------------ + +PS C:\> $account.Encryption.KeyVaultProperties + +KeyName : wrappingKey +KeyVersion : +KeyVaultUri : https://mykeyvault.vault.azure.net:443 +CurrentVersionedKeyIdentifier : https://mykeyvault.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f +LastKeyRotationTimestamp : 4/12/2021 8:17:57 AM +``` + +This command first assigns System identity to the account, and give the system assigned identity access to the keyvault; then updates the Storage account to access Keyvault with system assigned identity. 
+ +### Example 17: Update both Keyvault and the user assigned identity to access keyvault +```powershell +# Update to another user assigned identity +PS C:\> $account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -IdentityType SystemAssignedUserAssigned -UserAssignedIdentityId $useridentity2 -KeyVaultUserAssignedIdentityId $useridentity2 + +# Update to encrypt with another keyvault +$account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -KeyVaultUri $keyvaultUri2 -KeyName $keyname2 -KeyVersion $keyversion2 +``` + +This command first update the user assigned identity to access keyvault, then update the keyvault for encryption. +To update both both Keyvault and the user assigned identity, we need update with the above 2 steps. + ## PARAMETERS ### -AccessTier @@ -511,6 +581,22 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -IdentityType +Set the new Storage Account Identity type, the idenetity is for use with key management services like Azure KeyVault. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: +Accepted values: SystemAssigned, UserAssigned, SystemAssignedUserAssigned, None + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -KeyExpirationPeriodInDay The Key expiration period of this account, it is accurate to days. 
@@ -572,6 +658,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -KeyVaultUserAssignedIdentityId +Set resource id for user assigned Identity used to access Azure KeyVault of Storage Account Encryption, the id must in the storage account's UserAssignIdentityId. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -KeyVersion When using Key Vault Encryption by specifying the -KeyvaultEncryption parameter, use this option to specify the URI to the Key Version. @@ -781,6 +882,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -UserAssignedIdentityId +Set resource ids for the the new Storage Account user assignedd Identity, the identity will be used with key management services like Azure KeyVault. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -UseSubDomain Indicates whether to enable indirect CName validation.