Skip to main content
Version: v0.4.3

Azure Security

This module provides the following capabilities:

Installation

To have access to the following features, you have to import the module:

PS> Import-Module -Name Arcus.Scripting.Security -RequiredVersion 0.4.3

Removing resource locks from an Azure resource group

In some deployments resource-locks are being assigned. To help in removing these quickly, we have provided you with a function that removes all the existing locks on the resource group.

While this seems dangerous, only users with sufficient access rights are allowed to delete locks.

ParameterMandatoryDescription
ResourceGroupNameyesThe name of the resource group where the locks should be removed
LockNamenoThe optional name of the lock to remove. When this is not provided, all the locks will be removed

Usage

When you want to remove all the resource locks, no matter what the name or the sub-location:

PS> Remove-AzResourceGroupLocks -ResourceGroupName "your-resource-group-name"
# Retrieving all locks in resourceGroup 'your-resource-group-name'
# Start removing all locks in resourceGroup 'your-resource-group-name'
# All locks in resourceGroup 'your-resource-group-name' have been removed

When you want to remove a specific resource lock, with a given name:

PS> Remove-AzResourceGroupLocks -ResourceGroupName "your-resource-group-name" -LockName "your-resource-lock-name"
# Retrieving all locks in resourceGroup 'your-resource-group-name' with name 'your-resource-lock-name'
# Start removing all locks in resourceGroup 'your-resource-group-name'
# All locks in resourceGroup 'your-resource-group-name' have been removed

Retrieving the current Az Access token

When you want to make use of the REST-API's made available to manage Azure Resources, you can use this command to easily retrieve the access-token which is stored in your cache after performing the Connect-AzAccount command.

ParameterMandatoryDescription
AssignGlobalVariablesnoSwitch - default value: false
When you want the global variables access_token and subscriptionId assigned for easy access.

Usage

When you want to retrieve the current access-token, after connecting to a specific subscription:

PS> $token = Get-AzCachedAccessToken
# AccessToken and subscriptionId retrieved
PS> Write-Host "Current SubscriptionId:" $token.SubscriptionId
# Current SubscriptionId: b1a8131b-35fb-4d49-b77b-11abd21c9dcb
PS> Write-Host "Current AccessToken:" $token.AccessToken
# Current AccessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

When you want to retrieve the current access-token, after connecting to a specific subscription and assign them to global variables for easy access:

PS> $token = Get-AzCachedAccessToken -AssignGlobalVariables
# AccessToken and subscriptionId retrieved
PS> Write-Host "Current SubscriptionId:" $Global:subscriptionId
# Current SubscriptionId: b1a8131b-35fb-4d49-b77b-11abd21c9dcb
PS> Write-Host "Current AccessToken:" $Global:accessToken
# Current AccessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Granting a resource access to all resources within a specific resource group

In some cases, a resource needs to be granted access to all resources present within a specific resource group.
This function allows you to assign an Azure built-in role to a resource upon a resource group.

ParameterMandatoryDescription
TargetResourceGroupNameyesThe name of the resource group to which access should be granted.
ResourceGroupNameyesThe name of the resource group where the resource is located which should be granted access.
ResourceNameyesThe name of the resource which should be granted access.
RoleDefinitionNameyesThe name of the role to assign.

Usage

PS> New-AzResourceGroupRoleAssignment -TargetResourceGroupName "to-gain-access-resource-group" -ResourceGroupName "to-assign-role-resource-group" -ResourceName "to-assign-resource" -RoleAssignmentDefinition "Contributor"
# Assigning Contributor-rights to the 'to-assign-role-resource' in the resource group 'to-assign-resource-group to gain access to the 'to-gain-access-resource-group'
# Contributor access granted!