Last active
December 13, 2018 18:19
-
-
Save deinarson/5bc34f104a5950412ecc22230fc27575 to your computer and use it in GitHub Desktop.
Azure's web portal is a punishment to use. This is me trying to not use it - but even then this does not work. I cant wait for microsoft to make thier examples work. If I can type this then I am sure they can find someone to place something like this in a doc.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This is meant to be use with a modified version of this | |
| # https://github.com/Azure-Samples/app-service-msi-keyvault-python | |
| API_KEYNAME= | |
| API_TOKEN= | |
| vault_name= | |
| vault_rg= | |
| vault_rg_location= | |
| web_app_name= | |
| export AZURE_CLIENT_ID= | |
| export AZURE_CLIENT_SECRET= | |
| export AZURE_CLIENT_SECRET_NAME= | |
| export KEY_VAULT_URI= | |
| export AZURE_TENANT_ID=$(az account show --query=tenantId | tr -d \" ) | |
| export AZURE_SUBSCRIPTION_ID=$(az account show --query=id| tr -d \" ) | |
| export KEY_VAULT_URI="https://${vault_name}.vault.azure.net" | |
| # Create a RG to make it easy to clean up after ( using az group delete -n "${vault_rg}" ) | |
| az group create --name "${vault_rg}" --location "${vault_rg_location}" | |
| az appservice plan create --name "${web_app_name}"-sp --resource-group "${vault_rg}" --sku B1 --is-linux | |
| az webapp create --resource-group "${vault_rg}" --plan "${web_app_name}"-sp --name "${web_app_name}" --runtime "PYTHON|3.7" --deployment-local-git | |
| az webapp identity assign --name "${web_app_name}" --resource-group "${vault_rg}" | |
| # Create vault and secrets | |
| az provider register -n Microsoft.KeyVault | |
| az keyvault create --name "${vault_name}" --resource-group "${vault_rg}" --location "${vault_rg_location}" | |
| az keyvault secret set --vault-name "${vault_name}" --name "${AZURE_CLIENT_SECRET}" --value "${AZURE_CLIENT_SECRET_NAME}" | |
| az keyvault secret set --vault-name "${vault_name}" --name "${API_KEYNAME}" --value "${API_TOKEN}" | |
| az keyvault secret list --vault-name "${vault_name}" | |
| # give app acess to secret : create an sp rbac | |
| az ad sp create-for-rbac -n "${web_app_name}" --password "${AZURE_CLIENT_SECRET}" --skip-assignment | |
| # Get the sp appId | |
| export AZURE_CLIENT_ID=$(az ad sp list | grep -v 'In a' | jq ".[] | select( .appDisplayName == \"${web_app_name}\" ) .appId" | tr -d \" ) | |
| # set key policy | |
| az keyvault set-policy --name "${vault_name}" --spn "${AZURE_CLIENT_ID}" --key-permissions decrypt sign | |
| az keyvault set-policy --name "${vault_name}" --spn "${AZURE_CLIENT_ID}" --secret-permissions get | |
| # THIS ADDS ALL OF THE VARIAB | |
| # We only really need KEY_VAULT_URI | |
| for kv in "AZURE_CLIENT_ID=${AZURE_CLIENT_ID}" \ | |
| "AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}" \ | |
| "AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}" \ | |
| "KEY_VAULT_URI=${KEY_VAULT_URI}" \ | |
| "AZURE_TENANT_ID=${AZURE_TENANT_ID}" | |
| do | |
| az webapp config appsettings set -g "${vault_rg}" -n "${web_app_name}" --settings $kv | |
| done | |
| echo CONFIRMING all worked | |
| az webapp config appsettings list -g "${vault_rg}" -n "${web_app_name}" | |
| # watch logs to see what is happening | |
| az webapp log tail --name ${web_app_name} --resource-group ${vault_rg} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment