Octopus.Script exported 2018-04-17 by nshenoy belongs to ‘Azure’ category.
Imports a certificate from Azure Key Vault to the tentacle
Parameters
When steps based on the template are included in a project’s deployment process, the parameters below can be set.
Azure Service Principal SubscriptionId
Azure.GetKeyVaultCertificate.SubscriptionId =
Azure SubscriptionId for the Service Principal account
Azure Active Directory Tenant Id
Azure.GetKeyVaultCertificate.TenantId =
The Azure Active Directory Tenant Id associated with the Service Principal account
Azure Service Principal Client Id
Azure.GetKeyVaultCertificate.ClientId =
The Client Id associated with the Service Principal account
Azure Service Principal Password
Azure.GetKeyVaultCertificate.Password =
The password or “key” for the Service Principal account
Key Vault Name
Azure.GetKeyVaultCertificate.KeyVaultName =
The name of the Azure Key Vault
Certificate Name
Azure.GetKeyVaultCertificate.CertificateName =
The name of the certificate to retrieve from the Key Vault
Certificate Version
Azure.GetKeyVaultCertificate.CertificateVersion = latest
[Optional] Enter the specific version of the certificate. Defaults to `latest`.
Certificate Store Name
Azure.GetKeyVaultCertificate.CertificateStoreName =
Certificate store name. E.g. My
Certificate Store Location
Azure.GetKeyVaultCertificate.CertificateStoreLocation =
Certificate store location. E.g. “LocalMachine”
Certificate Friendly Name
Azure.GetKeyVaultCertificate.CertificateFriendlyName =
[Optional] A friendly name to give the certificate when importing. E.g. Client Auth Cert for FooService
Script body
Steps based on this template will execute the following PowerShell script.
Import-Module AzureRM.Profile
Import-Module AzureRM.KeyVault
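Function Validate-Parameter($parameterValue, [string[]]$validInput, $parameterName, [switch]$sensitive) {
    <#
    .SYNOPSIS
    Fails the step when a required parameter is empty, or (optionally) outside an allowed set.

    .PARAMETER parameterValue
    The value to check. Anything PowerShell evaluates as false ($null, "", 0, empty array) is rejected.

    .PARAMETER validInput
    Optional allow-list. When supplied, the value must equal one of its entries
    (case-insensitive, PowerShell -contains semantics). Previously declared but never used.

    .PARAMETER parameterName
    Name used in the log line and in error messages.

    .PARAMETER sensitive
    When set, the value is never written to the log; "<redacted>" is shown instead.
    Parameters whose name contains password/secret/token/credential are redacted automatically.

    .NOTES
    Throws a terminating error on failure so the deployment step stops.
    #>

    # Secrets (e.g. the service principal password) must not reach the deployment log,
    # so the value is echoed only for non-sensitive parameters.
    $isSecret = $sensitive -or ($parameterName -match 'password|secret|token|credential')
    $displayValue = if ($isSecret) { "<redacted>" } else { $parameterValue }
    Write-Host "${parameterName}: ${displayValue}"

    if (! $parameterValue) {
        throw "$parameterName cannot be empty, please specify a value"
    }

    # Opt-in allow-list check: rejects a typo (e.g. an unknown certificate store location)
    # before any Azure call is made. Uses $displayValue so a secret is not leaked via the message.
    if ($validInput -and ($validInput -notcontains $parameterValue)) {
        throw "$parameterName must be one of: $($validInput -join ', ') (was '$displayValue')"
    }
}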
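Function Install-AzureKeyVaultCertificate {
    <#
    .SYNOPSIS
    Downloads a certificate (PFX) from Azure Key Vault and imports it into a local certificate store.

    .DESCRIPTION
    The Key Vault certificate is read through its backing secret, whose value is the
    base64-encoded PFX. The PFX is imported with a persisted, non-exportable private key into
    Cert:\<location>\<store>. If a certificate with the same thumbprint is already present
    the import is skipped. The caller must already be logged in to Azure.

    .PARAMETER keyVaultName
    Name of the Key Vault. The logged-in identity needs 'get' permission on secrets.

    .PARAMETER certificateName
    Name of the certificate object in the vault.

    .PARAMETER certificateVersion
    A specific version identifier, or 'latest' (or empty) for the current version.

    .PARAMETER certificateStoreName
    Store name, e.g. My.

    .PARAMETER certificateStoreLocation
    LocalMachine or CurrentUser.

    .PARAMETER certificateFriendlyName
    Optional friendly name set on the imported certificate.

    .OUTPUTS
    Progress messages on the output stream.

    .NOTES
    Throws if the secret cannot be retrieved or is empty, if the PFX cannot be parsed,
    or if the certificate is not found in the store after the import.
    #>
    Param(
        [string]$keyVaultName,
        [string]$certificateName,
        [string]$certificateVersion,
        [string]$certificateStoreName,
        [string]$certificateStoreLocation,
        [string]$certificateFriendlyName
    )

    Write-Output "Retrieving '$certificateName' from '$keyVaultName' ..."
    $getSecretParams = @{
        VaultName = $keyVaultName
        Name = $certificateName
    }
    # Exact (case-insensitive) comparison. The previous '-notmatch "latest"' was a regex
    # substring test, so a version id that merely contained "latest" was treated as latest,
    # and an empty version was passed through as Version="".
    if ($certificateVersion -and $certificateVersion -ne "latest") {
        $getSecretParams["Version"] = $certificateVersion
    }

    $cert = Get-AzureKeyVaultSecret @getSecretParams
    # Without this guard a missing secret surfaces as an opaque ArgumentNullException from FromBase64String.
    if (-not $cert -or [string]::IsNullOrEmpty($cert.SecretValueText)) {
        throw "Secret '$certificateName' (version '$certificateVersion') was not found in Key Vault '$keyVaultName' or has no value. Check the name/version and the identity's 'get' permission on secrets."
    }

    $pfxBytes = [System.Convert]::FromBase64String($cert.SecretValueText)
    try {
        # MachineKeySet,PersistKeySet: the private key is stored in the machine key container
        # so it survives the process and is usable by a service account. Exportable is
        # deliberately NOT set, so the private key cannot be exported again from the store.
        # The empty PFX password is what this script has always assumed for Key Vault exports.
        $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxBytes, "", "MachineKeySet,PersistKeySet")
    }
    finally {
        # Scrub the raw PFX (contains the private key) from memory once it has been parsed.
        [Array]::Clear($pfxBytes, 0, $pfxBytes.Length)
    }

    Write-Output "Certificate information:"
    Write-Output ($pfx | fl | Out-String)

    $certPath = "Cert:\$certificateStoreLocation\$certificateStoreName\$($pfx.Thumbprint)"
    if (Test-Path $certPath) {
        Write-Output "A certificate with thumbprint '$($pfx.Thumbprint)' appears to already exist in the certificate store. Skipping..."
        return
    }

    Write-Output "Opening certificate store '$certificateStoreName' in '$certificateStoreLocation' ..."
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certificateStoreName, $certificateStoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        if ($certificateFriendlyName) {
            Write-Output "Setting certificate friendly name to '$certificateFriendlyName'..."
            $pfx.FriendlyName = $certificateFriendlyName
        }

        Write-Output "Adding certificate..."
        $store.Add($pfx)
    }
    finally {
        # Release the store handle even if Add() throws.
        $store.Close()
    }
    Write-Output "Certificate added."

    Write-Output "Verifying - searching certificate store for thumbprint '$($pfx.Thumbprint)'..."
    if (Test-Path $certPath) {
        Write-Output "Certificate is successfully imported!"
    }
    else {
        # A terminating error so the step fails regardless of $ErrorActionPreference.
        throw "ERROR: Certificate with thumbprint '$($pfx.Thumbprint)' was not found in certificate store '$certificateStoreName' in '$certificateStoreLocation'"
    }
}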
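# --- Read the step parameters supplied by Octopus -----------------------------
$azureSubscriptionId = $OctopusParameters['Azure.GetKeyVaultCertificate.SubscriptionId']
$azureTenantId = $OctopusParameters['Azure.GetKeyVaultCertificate.TenantId']
$azureClientId = $OctopusParameters['Azure.GetKeyVaultCertificate.ClientId']
$azurePassword = $OctopusParameters['Azure.GetKeyVaultCertificate.Password']
$keyVaultName = $OctopusParameters['Azure.GetKeyVaultCertificate.KeyVaultName']
$certificateName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateName']
$certificateVersion = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateVersion']
$certificateStoreName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateStoreName']
$certificateStoreLocation = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateStoreLocation']
$certificateFriendlyName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateFriendlyName']

# --- Validate that all required parameters have values ------------------------
# (CertificateFriendlyName is optional and intentionally not validated.)
Write-Output "Validating parameters..."
Validate-Parameter $azureSubscriptionId -parameterName "azureSubscriptionId"
Validate-Parameter $azureTenantId -parameterName "azureTenantId"
Validate-Parameter $azureClientId -parameterName "azureClientId"
# The service principal password is checked inline: Validate-Parameter echoes the
# parameter value with Write-Host, which would put the secret into the deployment log.
Write-Host "azurePassword: <redacted>"
if ([string]::IsNullOrEmpty($azurePassword)) {
    throw "azurePassword cannot be empty, please specify a value"
}
Validate-Parameter $keyVaultName -parameterName "keyVaultName"
Validate-Parameter $certificateName -parameterName "certificateName"
Validate-Parameter $certificateVersion -parameterName "certificateVersion"
Validate-Parameter $certificateStoreName -parameterName "certificateStoreName"
# LocalMachine and CurrentUser are the only valid X509 StoreLocation values; the
# allow-list gives a clear message instead of a failure when the store is opened.
Validate-Parameter $certificateStoreLocation -validInput @("LocalMachine", "CurrentUser") -parameterName "certificateStoreLocation"

# --- Authenticate as the service principal -------------------------------------
# The password arrives as plain text from the Octopus variable, so -AsPlainText -Force is
# unavoidable here; it is only ever held in the SecureString-backed credential afterwards.
$azureCreds = New-Object System.Management.Automation.PSCredential($azureClientId, (ConvertTo-SecureString -String $azurePassword -AsPlainText -Force))
Login-AzureRmAccount -ServicePrincipal -SubscriptionId $azureSubscriptionId -TenantId $azureTenantId -Credential $azureCreds

# --- Retrieve and import the certificate -----------------------------------------
$params = @{
    keyVaultName = $keyVaultName
    certificateName = $certificateName
    certificateVersion = $certificateVersion
    certificateStoreName = $certificateStoreName
    certificateStoreLocation = $certificateStoreLocation
    certificateFriendlyName = $certificateFriendlyName
}
Install-AzureKeyVaultCertificate @params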
Provided under the Apache License version 2.0.
To use this template in Octopus Deploy, copy the JSON below and paste it into the Library → Step templates → Import dialog.
{
"Id": "e06e7e2a-5510-4b6d-bd46-22d3bc01291d",
"Name": "Import Certificate from Azure Key Vault",
"Description": "Imports a certificate from Azure Key Vault to the tentacle",
"Version": 5,
"ExportedAt": "2018-04-17T20:24:57.757Z",
"ActionType": "Octopus.Script",
"Author": "nshenoy",
"Parameters": [
{
"Id": "70c9f9dd-22b6-4285-8d8a-f64278de0dc1",
"Name": "Azure.GetKeyVaultCertificate.SubscriptionId",
"Label": "Azure Service Principal SubscriptionId",
"HelpText": "Azure SubscriptionId for the Service Principal account",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
},
"Links": {}
},
{
"Id": "9a421884-0f63-417e-b2a9-b1039a1e8bf8",
"Name": "Azure.GetKeyVaultCertificate.TenantId",
"Label": "Azure Active Directory Tenant Id",
"HelpText": "The Azure Active Directory Tenant Id associated with the Service Principal account",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
},
"Links": {}
},
{
"Id": "bfb4a0a1-dab2-4c8f-bcb8-51033c35f633",
"Name": "Azure.GetKeyVaultCertificate.ClientId",
"Label": "Azure Service Principal Client Id",
"HelpText": "The Client Id associated with the Service Principal account",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
},
"Links": {}
},
{
"Id": "49857bcc-f3a1-4984-a2b1-ddeeca52114a",
"Name": "Azure.GetKeyVaultCertificate.Password",
"Label": "Azure Service Principal Password",
"HelpText": "The password or \"key\" for the Service Principal account",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "Sensitive"
},
"Links": {}
},
{
"Id": "220d17f6-070c-4a3d-b742-205d56b27f47",
"Name": "Azure.GetKeyVaultCertificate.KeyVaultName",
"Label": "Key Vault Name",
"HelpText": "The name of the Azure Key Vault",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
},
"Links": {}
},
{
"Id": "930e6703-3df4-40bb-b3ae-6d367bf5cc5d",
"Name": "Azure.GetKeyVaultCertificate.CertificateName",
"Label": "Certificate Name",
"HelpText": "The name of the certificate to retrieve from the Key Vault",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
},
"Links": {}
},
{
"Id": "b3616901-a27a-4960-984c-59b2388b243e",
"Name": "Azure.GetKeyVaultCertificate.CertificateVersion",
"Label": "Certificate Version",
"HelpText": "_[Optional]_ Enter the specific version of the certificate. Defaults to `latest`.",
"DefaultValue": "latest",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
},
"Links": {}
},
{
"Id": "840f8939-4d87-42c7-9d6e-232d4617b90f",
"Name": "Azure.GetKeyVaultCertificate.CertificateStoreName",
"Label": "Certificate Store Name",
"HelpText": "Certificate store name. E.g. `My`",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "Select",
"Octopus.SelectOptions": "My|My\nCertificateAuthority|CertificateAuthority\nRoot|Root\nTrustedPeople|TrustedPeople\nTrustedPublisher|TrustedPublisher"
},
"Links": {}
},
{
"Id": "15916c8a-709b-4f14-af36-63ee5d3265e9",
"Name": "Azure.GetKeyVaultCertificate.CertificateStoreLocation",
"Label": "Certificate Store Location",
"HelpText": "Certificate store location. E.g. \"LocalMachine\"",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "Select",
"Octopus.SelectOptions": "LocalMachine|LocalMachine\nCurrentUser|CurrentUser"
},
"Links": {}
},
{
"Id": "3915f38e-947f-4313-b207-4e88b5f63969",
"Name": "Azure.GetKeyVaultCertificate.CertificateFriendlyName",
"Label": "Certificate Friendly Name",
"HelpText": "_[Optional]_ A friendly name to give the certificate when importing. E.g. `Client Auth Cert for FooService`",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
},
"Links": {}
}
],
"Properties": {
"Octopus.Action.Script.ScriptSource": "Inline",
"Octopus.Action.Script.Syntax": "PowerShell",
"Octopus.Action.Script.ScriptBody": "Import-Module AzureRM.Profile\nImport-Module AzureRM.KeyVault\n\nFunction Validate-Parameter($parameterValue, [string[]]$validInput, $parameterName) {\n Write-Host \"${parameterName}: ${parameterValue}\"\n if (! $parameterValue) {\n throw \"$parameterName cannot be empty, please specify a value\"\n }\n}\n\nFunction Install-AzureKeyVaultCertificate {\n Param(\n [string]$keyVaultName,\n [string]$certificateName,\n [string]$certificateVersion,\n [string]$certificateStoreName,\n [string]$certificateStoreLocation,\n [string]$certificateFriendlyName\n )\n \n Write-Output \"Retrieving '$certificateName' from '$keyVaultName' ...\"\n $getSecretParams = @{\n \tVaultName = $keyVaultName\n Name = $certificateName\n }\n\n\tif($certificateVersion -notmatch \"latest\") {\n $getSecretParams[\"Version\"] = $certificateVersion\n }\n \n\t$cert = Get-AzureKeyVaultSecret @getSecretParams\n $b64 = [System.Convert]::FromBase64String($cert.SecretValueText)\n $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($b64, \"\", \"MachineKeySet,PersistKeySet\")\n Write-Output \"Certificate information:\"\n Write-Output ($pfx | fl | Out-String)\n \n $certPath = \"Cert:\\$certificateStoreLocation\\$certificateStoreName\\$($pfx.Thumbprint)\"\n if (Test-Path $certPath) {\n \"A certificate with thumbprint '$($pfx.Thumbprint)' appears to already exist in the certificate store. 
Skipping...\"\n }\n else {\n Write-Output \"Opening certificate store '$certificateStoreName' in '$certificateStoreLocation' ...\"\n $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certificateStoreName, $certificateStoreLocation)\n $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)\n\n\t\tif($certificateFriendlyName) {\n Write-Output \"Setting certificate friendly name to '$certificateFriendlyName'...\"\n $pfx.FriendlyName = $certificateFriendlyName\n\t\t}\n \n Write-Output \"Adding certificate...\"\n $store.Add($pfx)\n $store.Close()\n Write-Output \"Certificate added.\"\n\n Write-Output \"Verifying - searching certificate store for thumbprint '$($pfx.Thumbprint)'...\"\n if (Test-Path $certPath) {\n Write-Output \"Certificate is successfully imported!\"\n }\n else {\n Write-Error \"ERROR: Certificate with thumbprint '$($pfx.Thumbprint)' was not found in certificate store '$certificateStoreName' in '$certificateStoreLocation'\"\n }\n }\n}\n\n$azureSubscriptionId = $OctopusParameters['Azure.GetKeyVaultCertificate.SubscriptionId']\n$azureTenantId = $OctopusParameters['Azure.GetKeyVaultCertificate.TenantId']\n$azureClientId = $OctopusParameters['Azure.GetKeyVaultCertificate.ClientId']\n$azurePassword = $OctopusParameters['Azure.GetKeyVaultCertificate.Password']\n$keyVaultName = $OctopusParameters['Azure.GetKeyVaultCertificate.KeyVaultName']\n$certificateName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateName']\n$certificateVersion = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateVersion']\n$certificateStoreName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateStoreName']\n$certificateStoreLocation = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateStoreLocation']\n$certificateFriendlyName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateFriendlyName']\n\n# Validate that all parameters have values\nWrite-Output \"Validating 
parameters...\"\nValidate-Parameter $azureSubscriptionId -parameterName \"azureSubscriptionId\"\nValidate-Parameter $azureTenantId -parameterName \"azureTenantId\"\nValidate-Parameter $azureClientId -parameterName \"azureClientId\"\nValidate-Parameter $azurePassword -parameterName \"azurePassword\"\nValidate-Parameter $keyVaultName -parameterName \"keyVaultName\"\nValidate-Parameter $certificateName -parameterName \"certificateName\"\nValidate-Parameter $certificateVersion -parameterName \"certificateVersion\"\nValidate-Parameter $certificateStoreName -parameterName \"certificateStoreName\"\nValidate-Parameter $certificateStoreLocation -parameterName \"certificateStoreLocation\"\n\n$azureCreds = New-Object System.Management.Automation.PSCredential($azureClientId, (ConvertTo-SecureString -String $azurePassword -AsPlainText -Force))\nLogin-AzureRmAccount -ServicePrincipal -SubscriptionId $azureSubscriptionId -TenantId $azureTenantId -Credential $azureCreds\n\n$params = @{\n keyVaultName = $keyVaultName\n certificateName = $certificateName\n certificateVersion = $certificateVersion\n certificateStoreName = $certificateStoreName\n certificateStoreLocation = $certificateStoreLocation\n certificateFriendlyName = $certificateFriendlyName\n}\n\nInstall-AzureKeyVaultCertificate @params"
},
"Category": "Azure",
"HistoryUrl": "https://github.com/OctopusDeploy/Library/commits/master/step-templates//opt/buildagent/work/75443764cd38076d/step-templates/import-cert-from-azure-keyvault.json",
"Website": "/step-templates/e06e7e2a-5510-4b6d-bd46-22d3bc01291d",
"Logo": "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",
"$Meta": {
"Type": "ActionTemplate"
}
}