@@ -1652,4 +1652,71 @@ function Test-AzureStorageAccountKeySASPolicy
16521652 # Cleanup
16531653 Clean - ResourceGroup $rgname
16541654 }
1655+ }
1656+
1657+ <#
1658+ . SYNOPSIS
1659+ Test Test-NewAzureStorageAccountUserAssignedIdentity
1660+ . DESCRIPTION
1661+ SmokeTest
1662+ #>
1663+ function Test-AzureStorageAccountUserAssignedIdentity
1664+ {
1665+ # Setup
1666+ $rgname = Get-StorageManagementTestResourceName ;
1667+
1668+ try
1669+ {
1670+ # Test
1671+ $stoname = ' sto' + $rgname ;
1672+ $stotype = ' Standard_LRS'
1673+ $loc = Get-ProviderLocation_Canary ResourceManagement;
1674+
1675+ New-AzResourceGroup - Name $rgname - Location $loc ;
1676+ Write-Output (" Resource Group created"
1677+
1678+ # create keyvault and user assigned idenity
1679+ $keyvaultName = " weiestestcanary"
1680+ $keyvaultUri = " https://$ ( $keyvaultName ) .vault.azure.net:443"
1681+ $keyname = " wrappingKey"
1682+ $useridentity = " /subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid1"
1683+ $useridentity2 = " /subscriptions/45b60d85-fd72-427a-a708-f994d26e593e/resourceGroups/weitry/providers/Microsoft.ManagedIdentity/userAssignedIdentities/weitestid2"
1684+
1685+ # $keyVault = New-AzKeyVault -VaultName $keyvaultName -ResourceGroupName $rgname -Location $loc -EnablePurgeProtection
1686+ # Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName -ResourceGroupName $rgname -ObjectId $servicePricipleObjectId -PermissionsToKeys backup,create,delete,get,import,get,list,update,restore
1687+ # $key = Add-AzKeyVaultKey -VaultName $keyvaultName -Name $keyname -Destination 'Software'
1688+
1689+ # $userId = New-AzUserAssignedIdentity -ResourceGroupName $rgname -Name $rgname+"userid"
1690+ # Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName -ResourceGroupName $rgname -ObjectId $userId.PrincipalId -PermissionsToKeys get,wrapkey,unwrapkey -BypassObjectIdValidation
1691+ # $useridentity= $userId.Id
1692+
1693+ # new account with keyvault encryption + UserAssignedIdentity
1694+ $account = New-AzStorageAccount - ResourceGroupName $rgname - Name $stoname - SkuName $stotype - Location $loc `
1695+ - UserAssignedIdentityId $useridentity - IdentityType SystemAssignedUserAssigned `
1696+ - KeyName $keyname - KeyVaultUri $keyvaultUri - KeyVaultUserAssignedIdentityId $useridentity
1697+
1698+ Assert-AreEqual " SystemAssigned,UserAssigned" $account.Identity.Type
1699+ Assert-AreEqual Microsoft.Keyvault $account.Encryption.KeySource
1700+ Assert-AreEqual $useridentity $account.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity
1701+ Assert-AreEqual $keyvaultUri $account.Encryption.KeyVaultProperties.KeyVaultUri
1702+ Assert-AreEqual $keyname $account.Encryption.KeyVaultProperties.KeyName
1703+
1704+ # update UserAssignedIdentity to another
1705+ $account = Set-AzStorageAccount - ResourceGroupName $rgname - Name $stoname `
1706+ - IdentityType UserAssigned - UserAssignedIdentityId $useridentity2 `
1707+ - KeyVaultUserAssignedIdentityId $useridentity2 - KeyName $keyname - KeyVaultUri $keyvaultUri
1708+
1709+ Assert-AreEqual " UserAssigned" $account.Identity.Type
1710+ Assert-AreEqual Microsoft.Keyvault $account.Encryption.KeySource
1711+ Assert-AreEqual $useridentity2 $account.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity
1712+ Assert-AreEqual $keyvaultUri $account.Encryption.KeyVaultProperties.KeyVaultUri
1713+ Assert-AreEqual $keyname $account.Encryption.KeyVaultProperties.KeyName
1714+
1715+ Remove-AzStorageAccount - Force - ResourceGroupName $rgname - Name $stoname ;
1716+ }
1717+ finally
1718+ {
1719+ # Cleanup
1720+ Clean - ResourceGroup $rgname
1721+ }
16551722}
0 commit comments