public string CreateManagedIdentity( string subscriptionId, string identityName) { if (HttpMockServer.Mode == HttpRecorderMode.Record) { var parameters = new Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity() { Location = this.GetProviderLocation("Microsoft.ManagedIdentity", "userAssignedIdentities") }; var identity = this.managedServiceIdentityClient.UserAssignedIdentities.CreateOrUpdate( this.ResourceGroupName, identityName, parameters); Assert.NotNull(identity); // Give a couple minutes for the MSI to propagate. Observed failures of principalId not being found in the tenant // when there is no wait time between MSI creation and role assignment. DeploymentManagerTestUtilities.Sleep(TimeSpan.FromMinutes(2)); var scope = "/subscriptions/" + subscriptionId; var roleDefinitionList = this.authorizationClient.RoleDefinitions.List( scope, new Microsoft.Rest.Azure.OData.ODataQuery <Microsoft.Azure.Management.Authorization.Models.RoleDefinitionFilter>("roleName eq 'Contributor'")); var roleAssignmentName = Guid.NewGuid().ToString(); var roleAssignmentParameters = new Microsoft.Azure.Management.Authorization.Models.RoleAssignmentCreateParameters() { PrincipalId = identity.PrincipalId.ToString(), RoleDefinitionId = roleDefinitionList.First().Id, CanDelegate = false }; var roleAssignment = this.authorizationClient.RoleAssignments.Create( scope, roleAssignmentName, roleAssignmentParameters); Assert.NotNull(roleAssignment); // Add additional wait time after role assignment to propagate permissions. Observed // no permissions to modify resource group errors without wait time. DeploymentManagerTestUtilities.Sleep(TimeSpan.FromMinutes(1)); roleAssignment = this.authorizationClient.RoleAssignments.Get( scope, roleAssignmentName); Assert.NotNull(roleAssignment); return(identity.Id); } return("dummyIdentity"); }
/// <summary> /// Create user-assigned managed identity. /// </summary> /// <param name="resourceGroupName"></param> /// <param name="msiName"></param> /// <param name="location"></param> /// <returns></returns> public Identity CreateManagedIdentity( string resourceGroupName, string msiName, string location) { var createParams = new Identity { Location = location }; return(identityManagementClient.UserAssignedIdentities.CreateOrUpdate(resourceGroupName, msiName, createParams)); }
public override void ExecuteCmdlet() { base.ExecuteCmdlet(); if (this.ShouldProcess(Name, string.Format(CultureInfo.CurrentCulture, Properties.Resources.NewUserAssignedIdentity_ProcessMessage, this.ResourceGroupName, this.Name))) { var tagsDictionary = this.Tag?.Cast <DictionaryEntry>() .ToDictionary(ht => (string)ht.Key, ht => (string)ht.Value); var location = GetLocation(); Identity identityProperties = new Identity(location: location, tags: tagsDictionary); var result = this.MsiClient.UserAssignedIdentities .CreateOrUpdateWithHttpMessagesAsync( this.ResourceGroupName, this.Name, identityProperties).GetAwaiter().GetResult(); WriteIdentity(result.Body); } }
public void SetupUserAssignedMsiTests() { Environment.SetEnvironmentVariable("AZURE_TEST_MODE", "Playback"); using (MockContext context = MockContext.Start(this.GetType())) { var testBase = new ApiManagementTestBase(context); string consumptionSkuRegion = "West US"; // create user assigned identity var parameters = new Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity() { Location = consumptionSkuRegion }; var userAssignedResponse = testBase.managedIdentityClient.UserAssignedIdentities.CreateOrUpdateWithHttpMessagesAsync( testBase.rgName, testBase.serviceName, parameters).GetAwaiter().GetResult(); Assert.NotNull(userAssignedResponse); var userAssigned = userAssignedResponse.Body; Assert.NotNull(userAssigned.PrincipalId); Assert.NotNull(userAssigned.TenantId); // setup MSI on Consumption SKU testBase.serviceProperties.Location = consumptionSkuRegion; testBase.serviceProperties.Sku = new ApiManagementServiceSkuProperties(SkuType.Consumption, capacity: 0); testBase.serviceProperties.Identity = new ApiManagementServiceIdentity("UserAssigned") { UserAssignedIdentities = new Dictionary <string, Components16nk615schemasapimanagementserviceidentitypropertiesuserassignedidentitiesadditionalproperties>() { { userAssignedResponse.Body.Id, new Components16nk615schemasapimanagementserviceidentitypropertiesuserassignedidentitiesadditionalproperties(userAssigned.PrincipalId.ToString(), userAssigned.ClientId.ToString()) } } }; var createdService = testBase.client.ApiManagementService.CreateOrUpdate( resourceGroupName: testBase.rgName, serviceName: testBase.serviceName, parameters: testBase.serviceProperties); ValidateService(createdService, testBase.serviceName, testBase.rgName, testBase.subscriptionId, consumptionSkuRegion, testBase.serviceProperties.PublisherEmail, testBase.serviceProperties.PublisherName, testBase.serviceProperties.Sku.Name, testBase.tags); Assert.NotNull(createdService.Identity); Assert.NotNull(createdService.Identity.Type); Assert.Equal("UserAssigned", createdService.Identity.Type); Assert.NotNull(createdService.Identity.UserAssignedIdentities); Assert.Equal(1, createdService.Identity.UserAssignedIdentities.Count); Assert.Equal(userAssigned.PrincipalId.ToString(), createdService.Identity.UserAssignedIdentities.First().Value.PrincipalId); Assert.Equal(userAssigned.Id.ToString(), createdService.Identity.UserAssignedIdentities.First().Key); // Delete testBase.client.ApiManagementService.Delete( resourceGroupName: testBase.rgName, serviceName: testBase.serviceName); Assert.Throws <ErrorResponseException>(() => { testBase.client.ApiManagementService.Get( resourceGroupName: testBase.rgName, serviceName: testBase.serviceName); }); } }
public void NamespaceBYOKCreateGetUpdateDelete() { using (MockContext context = MockContext.Start(this.GetType())) { InitializeClients(context); var location = "West US 2"; var resourceGroup = string.Empty; var keyVaultName = "SDKTestingKey1"; var KeyName = "sdktestingkey11"; var KeyName2 = "sdktestingkey12"; var KeyName3 = "sdktestingkey13"; var resourceGroupCluster = EventHubManagementHelper.ResourceGroupCluster; var identityName1 = TestUtilities.GenerateName(EventHubManagementHelper.IdentityPrefix); var identityName2 = TestUtilities.GenerateName(EventHubManagementHelper.IdentityPrefix); if (string.IsNullOrWhiteSpace(resourceGroup)) { resourceGroup = TestUtilities.GenerateName(EventHubManagementHelper.ResourceGroupPrefix); this.ResourceManagementClient.TryRegisterResourceGroup(location, resourceGroup); } var namespaceName = TestUtilities.GenerateName(EventHubManagementHelper.NamespacePrefix); var namespaceName2 = TestUtilities.GenerateName(EventHubManagementHelper.NamespacePrefix); try { var checkNameAvailable = EventHubManagementClient.Namespaces.CheckNameAvailability(namespaceName); //Create Namespace with System Assigned Identity //---------------------------------------------------- var createNamespaceResponse = this.EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName, new EHNamespace() { Location = location, Sku = new Microsoft.Azure.Management.EventHub.Models.Sku { Name = Microsoft.Azure.Management.EventHub.Models.SkuName.Premium, Tier = SkuTier.Premium }, Tags = new Dictionary <string, string>() { { "tag1", "value1" }, { "tag2", "value2" } }, IsAutoInflateEnabled = false, MaximumThroughputUnits = 0, Identity = new Identity() { Type = ManagedServiceIdentityType.SystemAssigned } }); Assert.NotNull(createNamespaceResponse); Assert.Equal(namespaceName, createNamespaceResponse.Name); Assert.False(createNamespaceResponse.IsAutoInflateEnabled); Assert.Equal(0, createNamespaceResponse.MaximumThroughputUnits); Assert.Equal(ManagedServiceIdentityType.SystemAssigned, createNamespaceResponse.Identity.Type); //---------------------------------------------------------------------- TestUtilities.Wait(TimeSpan.FromSeconds(5)); //Remove System Assigned Identity from namespace //----------------------------------------------- createNamespaceResponse.Identity = new Identity() { Type = ManagedServiceIdentityType.None }; createNamespaceResponse = EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName, createNamespaceResponse); Assert.NotNull(createNamespaceResponse); Assert.Equal(namespaceName, createNamespaceResponse.Name); Assert.False(createNamespaceResponse.IsAutoInflateEnabled); Assert.Equal(0, createNamespaceResponse.MaximumThroughputUnits); Assert.Null(createNamespaceResponse.Identity); //------------------------------------------------ //ReEnable System assigned identity and later enable encryption //-------------------------------------------------- createNamespaceResponse.Identity = new Identity() { Type = ManagedServiceIdentityType.SystemAssigned }; createNamespaceResponse = EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName, createNamespaceResponse); Assert.NotNull(createNamespaceResponse); Assert.Equal(namespaceName, createNamespaceResponse.Name); Assert.False(createNamespaceResponse.IsAutoInflateEnabled); Assert.Equal(0, createNamespaceResponse.MaximumThroughputUnits); Assert.Equal(ManagedServiceIdentityType.SystemAssigned, createNamespaceResponse.Identity.Type); //-------------------------------------------------- //Give Key Vault Permissions to namespace to set system assigned encryption //--------------------------------------------------- Microsoft.Azure.Management.KeyVault.Models.VaultCreateOrUpdateParameters vaultparams = new Microsoft.Azure.Management.KeyVault.Models.VaultCreateOrUpdateParameters(); var accesPolicies = new Microsoft.Azure.Management.KeyVault.Models.AccessPolicyEntry() { ObjectId = createNamespaceResponse.Identity.PrincipalId, TenantId = Guid.Parse(createNamespaceResponse.Identity.TenantId), Permissions = new Microsoft.Azure.Management.KeyVault.Models.Permissions() { Keys = new List <string> { "get", "wrapKey", "unwrapKey" } } }; Vault getVaultRsponse = KeyVaultManagementClient.Vaults.Get(resourceGroupCluster, keyVaultName); vaultparams = new VaultCreateOrUpdateParameters(getVaultRsponse.Location, getVaultRsponse.Properties); vaultparams.Properties.AccessPolicies.Add(accesPolicies); var updateVault = KeyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupCluster, keyVaultName, vaultparams); TestUtilities.Wait(TimeSpan.FromSeconds(5)); // Encrypt data in Event Hub namespace Customer managed key from keyvault var getNamespaceResponse = EventHubManagementClient.Namespaces.Get(resourceGroup, namespaceName); getNamespaceResponse.Encryption = new Encryption() { KeySource = KeySource.MicrosoftKeyVault, KeyVaultProperties = new[] { new KeyVaultProperties() { KeyName = KeyName, KeyVaultUri = updateVault.Properties.VaultUri, KeyVersion = "" } } }; var updateNamespaceResponse = this.EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName, getNamespaceResponse); Assert.Equal(1, updateNamespaceResponse.Encryption.KeyVaultProperties.Count); Assert.Equal(KeyName, updateNamespaceResponse.Encryption.KeyVaultProperties[0].KeyName); Assert.Equal(updateVault.Properties.VaultUri, updateNamespaceResponse.Encryption.KeyVaultProperties[0].KeyVaultUri + "/"); //------------------------------------------------------------- Vault getVaultRsponse1 = KeyVaultManagementClient.Vaults.Get(resourceGroupCluster, keyVaultName); vaultparams = new VaultCreateOrUpdateParameters(getVaultRsponse.Location, getVaultRsponse.Properties); vaultparams.Properties.AccessPolicies.Remove(accesPolicies); var updateVault1 = KeyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupCluster, keyVaultName, vaultparams); TestUtilities.Wait(TimeSpan.FromSeconds(5)); //Create User Assigned Identities and give permissions to access keyvault //---------------------------------------------------------------- Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity identity1 = new Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity() { Location = "westus" }; Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity identity2 = new Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity() { Location = "westus" }; var userAssignedIdentity1 = IdentityManagementClient.UserAssignedIdentities.CreateOrUpdate(resourceGroup, identityName1, identity1); var userAssignedIdentity2 = IdentityManagementClient.UserAssignedIdentities.CreateOrUpdate(resourceGroup, identityName2, identity2); var accessPolicies = new Microsoft.Azure.Management.KeyVault.Models.AccessPolicyEntry() { ObjectId = userAssignedIdentity1.PrincipalId.ToString(), TenantId = (Guid)userAssignedIdentity1.TenantId, Permissions = new Microsoft.Azure.Management.KeyVault.Models.Permissions() { Keys = new List <string> { "get", "wrapKey", "unwrapKey" } } }; var accessPolicies2 = new Microsoft.Azure.Management.KeyVault.Models.AccessPolicyEntry() { ObjectId = userAssignedIdentity2.PrincipalId.ToString(), TenantId = (Guid)userAssignedIdentity2.TenantId, Permissions = new Microsoft.Azure.Management.KeyVault.Models.Permissions() { Keys = new List <string> { "get", "wrapKey", "unwrapKey" } } }; getVaultRsponse = KeyVaultManagementClient.Vaults.Get(resourceGroupCluster, keyVaultName); vaultparams = new VaultCreateOrUpdateParameters(getVaultRsponse.Location, getVaultRsponse.Properties); vaultparams.Properties.AccessPolicies.Add(accessPolicies); vaultparams.Properties.AccessPolicies.Add(accessPolicies2); updateVault = KeyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupCluster, keyVaultName, vaultparams); //-------------------------------------------------------- TestUtilities.Wait(TimeSpan.FromSeconds(5)); //Enable User Assigned Identity Encryption //--------------------------------------------- createNamespaceResponse = this.EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName2, new EHNamespace() { Location = location, Sku = new Microsoft.Azure.Management.EventHub.Models.Sku { Name = Microsoft.Azure.Management.EventHub.Models.SkuName.Premium, Tier = SkuTier.Premium }, Identity = new Identity() { Type = ManagedServiceIdentityType.UserAssigned, UserAssignedIdentities = new Dictionary <string, UserAssignedIdentity>() { { userAssignedIdentity1.Id, new UserAssignedIdentity() }, { userAssignedIdentity2.Id, new UserAssignedIdentity() } }, }, Encryption = new Encryption() { KeySource = KeySource.MicrosoftKeyVault, KeyVaultProperties = new List <KeyVaultProperties> { new KeyVaultProperties() { KeyName = KeyName2, KeyVaultUri = updateVault.Properties.VaultUri, KeyVersion = "", Identity = new UserAssignedIdentityProperties() { UserAssignedIdentity = userAssignedIdentity1.Id } }, new KeyVaultProperties() { KeyName = KeyName3, KeyVaultUri = updateVault.Properties.VaultUri, KeyVersion = "", Identity = new UserAssignedIdentityProperties() { UserAssignedIdentity = userAssignedIdentity1.Id } } } } } ); Assert.Equal(ManagedServiceIdentityType.UserAssigned, createNamespaceResponse.Identity.Type); Assert.Equal(2, createNamespaceResponse.Encryption.KeyVaultProperties.Count); Assert.Equal(KeyName2, createNamespaceResponse.Encryption.KeyVaultProperties[0].KeyName); Assert.Equal(KeyName3, createNamespaceResponse.Encryption.KeyVaultProperties[1].KeyName); Assert.Equal(updateVault.Properties.VaultUri, createNamespaceResponse.Encryption.KeyVaultProperties[0].KeyVaultUri + "/"); Assert.Equal(updateVault.Properties.VaultUri, createNamespaceResponse.Encryption.KeyVaultProperties[1].KeyVaultUri + "/"); Assert.Equal(userAssignedIdentity1.Id, createNamespaceResponse.Encryption.KeyVaultProperties[0].Identity.UserAssignedIdentity); Assert.Equal(userAssignedIdentity1.Id, createNamespaceResponse.Encryption.KeyVaultProperties[1].Identity.UserAssignedIdentity); Assert.Equal(2, createNamespaceResponse.Identity.UserAssignedIdentities.Count); //------------------------------------------------------------------------------------- //Test if identity can be set to System and User assigned. //--------------------------------------------------------------------------------- createNamespaceResponse.Identity.Type = ManagedServiceIdentityType.SystemAssignedUserAssigned; createNamespaceResponse = EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName2, createNamespaceResponse); Assert.Equal(ManagedServiceIdentityType.SystemAssignedUserAssigned, createNamespaceResponse.Identity.Type); Assert.Equal(2, createNamespaceResponse.Encryption.KeyVaultProperties.Count); Assert.Equal(KeyName2, createNamespaceResponse.Encryption.KeyVaultProperties[0].KeyName); Assert.Equal(KeyName3, createNamespaceResponse.Encryption.KeyVaultProperties[1].KeyName); Assert.Equal(updateVault.Properties.VaultUri, createNamespaceResponse.Encryption.KeyVaultProperties[0].KeyVaultUri + "/"); Assert.Equal(updateVault.Properties.VaultUri, createNamespaceResponse.Encryption.KeyVaultProperties[1].KeyVaultUri + "/"); Assert.Equal(userAssignedIdentity1.Id, createNamespaceResponse.Encryption.KeyVaultProperties[0].Identity.UserAssignedIdentity); Assert.Equal(userAssignedIdentity1.Id, createNamespaceResponse.Encryption.KeyVaultProperties[1].Identity.UserAssignedIdentity); Assert.Equal(2, createNamespaceResponse.Identity.UserAssignedIdentities.Count); //---------------------------------------------------------------------------------- } finally { this.EventHubManagementClient.Namespaces.DeleteAsync(resourceGroup, namespaceName, default(CancellationToken)).ConfigureAwait(false); this.EventHubManagementClient.Namespaces.DeleteAsync(resourceGroup, namespaceName2, default(CancellationToken)).ConfigureAwait(false); //Delete Resource Group this.ResourceManagementClient.ResourceGroups.DeleteWithHttpMessagesAsync(resourceGroup, null, default(CancellationToken)).ConfigureAwait(false); Console.WriteLine("End of EH2018 Namespace CRUD IPFilter Rules test"); } } }