Last active
May 4, 2021 21:34
-
-
Save vermashi/7f3544a911cf0ed75d6b32b562b77237 to your computer and use it in GitHub Desktop.
Retrieve Encryption key via secret URL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Param( | |
| [Parameter(Mandatory = $true, | |
| HelpMessage="URL to the secret stored in the keyvault")] | |
| [ValidateNotNullOrEmpty()] | |
| [string]$secretUrl, | |
| [Parameter(Mandatory = $false, | |
| HelpMessage="URL to the KEK")] | |
| [ValidateNotNullOrEmpty()] | |
| [string]$kekUrl, | |
| [Parameter(Mandatory = $true, | |
| HelpMessage="Location where the retrieved secret should be written to")] | |
| [ValidateNotNullOrEmpty()] | |
| [string]$secretFilePath | |
| ) | |
| #Login-AzureRmAccount; | |
| #Install Active directory module | |
| Install-Module -Name MSOnline; | |
| #Get current logged in user and active directory tenant details | |
| $ctx = Get-AzureRmContext; | |
| $adTenant = $ctx.Tenant.Id; | |
| $currentUser = $ctx.Account.Id | |
| #Parse the secret URL | |
| $secretUri = [System.Uri] $secretUrl; | |
| #Retrieve keyvault name, secret name and secret version from secret URL | |
| $keyVaultName = $secretUri.Host.Split('.')[0]; | |
| $secretName = $secretUri.Segments[2].TrimEnd('/'); | |
| $secretVersion = $secretUri.Segments[3].TrimEnd('/'); | |
| #Set permissions for the current user to unwrap keys and retrieve secrets from KeyVault | |
| Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -PermissionsToKeys unwrapKey -PermissionsToSecrets get -UserPrincipalName $currentUser; | |
| #Retrieve secret from KeyVault secretUrl | |
| $keyVaultSecret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $secretName -Version $secretVersion; | |
| $secretBase64 = $keyVaultSecret.SecretValueText; | |
| #Unwrap secret if the secret is wrapped with KEK | |
| if($kekUrl) | |
| { | |
| ######################################################################################################################## | |
| # Initialize ADAL libraries and get authentication context required to make REST API called against KeyVault REST APIs. | |
| ######################################################################################################################## | |
| # Set well-known client ID for AzurePowerShell | |
| $clientId = "1950a258-227b-4e31-a9cf-717495945fc2" | |
| # Set redirect URI for Azure PowerShell | |
| $redirectUri = "urn:ietf:wg:oauth:2.0:oob" | |
| # Set Resource URI to Azure Service Management API | |
| $resourceAppIdURI = "https://vault.azure.net" | |
| # Set Authority to Azure AD Tenant | |
| $authority = "https://login.windows.net/$adTenant" | |
| # Create Authentication Context tied to Azure AD Tenant | |
| $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority | |
| # Acquire token | |
| $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $redirectUri, "Auto") | |
| # Generate auth header | |
| $authHeader = $authResult.CreateAuthorizationHeader() | |
| # Set HTTP request headers to include Authorization header | |
| $headers = @{'x-ms-version'='2014-08-01';"Authorization" = $authHeader} | |
| ######################################################################################################################## | |
| # 1. Retrieve the secret from KeyVault | |
| # 2. If Kek is not NULL, unwrap the secret with Kek by making KeyVault REST API call | |
| # 3. Convert Base64 string to bytes and write to the BEK file | |
| ######################################################################################################################## | |
| #Call KeyVault REST API to Unwrap | |
| $jsonObject = @" | |
| { | |
| "alg": "RSA-OAEP", | |
| "value" : "$secretBase64" | |
| } | |
| "@ | |
| $unwrapKeyRequestUrl = $kekUrl+ "/unwrapkey?api-version=2015-06-01"; | |
| $result = Invoke-RestMethod -Method POST -Uri $unwrapKeyRequestUrl -Headers $headers -Body $jsonObject -ContentType "application/json"; | |
| #Convert Base64Url string returned by KeyVault unwrap to Base64 string | |
| $secretBase64 = $result.value; | |
| } | |
| $secretBase64 = $secretBase64.Replace('-', '+'); | |
| $secretBase64 = $secretBase64.Replace('_', '/'); | |
| if($secretBase64.Length %4 -eq 2) | |
| { | |
| $secretBase64+= '=='; | |
| } | |
| elseif($secretBase64.Length %4 -eq 3) | |
| { | |
| $secretBase64+= '='; | |
| } | |
| if($secretFilePath) | |
| { | |
| $bekFileBytes = [System.Convert]::FromBase64String($secretBase64); | |
| [System.IO.File]::WriteAllBytes($secretFilePath,$bekFileBytes); | |
| } |
Hi, try running the using a path that the user has access to (C:\Users<Your User Folder>\Documents) or run the script as an administrator.
Line 37 strips away existing additional rights against the key and then you can't access the key later without re-adding LIST.
Recommend fixing this to first check if existing GET access already exists.
kaivan2812, mention the file name along with the path 'C:\BEK\filename.BEK' that should resolve the access denied error.
Was running the command and kept coming into an error, turns out I typed in retrieve but the article says "retreive", so spelling just needs to be fixed on this.
This doesn't work anymore as the msonline modules got updated.
At line 62: It says Acquiretoken method is not there.
Also, can we update this to the Az modules as AzureRM is being deprecated.
I did some own customize and it works now
https://gist.github.com/killejay/49bf07e94baecc1e409d620822ae79cc
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Exception calling "WriteAllBytes" with "2" argument(s): "Access to the path 'C:\BEK' is denied."
At C:\Script\RetreiveEncryptionSecretViaUrl.ps1:103 char:5