Using a Service Principal

If you’re looking to automate and script processes and tasks against your Azure environment you’ll soon come across the issue of having to authenticate (which is good!) to your environment making your seamless automation script a little more manual.

The solution to this problem is to use a Service Principle (SP) with Role Based Access control (RBAC) to fine grain the permissions.

To create the Service Principle and App Registration on one step you can run the command:

az ad sp create-for-rbac –name “YOUR SP NAME”

However, it would be highly recommended to keep to the principle of least privilege and instead scope the SP to what you actually need – i.e. the resource group. You do this by specifying the –scope and additionally what role it needs to have, in my case ‘Contributor’:

az ad sp create-for-rbac –name “YOUR SP NAME –role contributor –scopes /subscriptions/{YOUR SUBSCRIPTION ID}/resourceGroups/{YOUR RESCOURCE GROUP NAME}

If you need to find the scope path you can use the resource browser – resources.azure.com

It is worth noting that if you specify the –password and a password you’ll receive a warning that the password argument will be removed in the near future (with CLI version 2.1.0) to address security concerns around known passwords. You can view the propeosed change here – https://github.com/Azure/azure-cli/issues/7538. If you Omit –password  you’ll allow the CLI to generate this for you. By default the password (secret) generated is valid for 1 year so you’ll need to make sure you keep a note of when it’ll expire.

Once you run the create command you’ll get a response of:

{

  “appId”: “YOUR APP ID”,

  “displayName”: “YOUR DISPLAY NAME”,

  “name”: “http://YOUR APP ID“,

  “tenant”: “this will be your tenant ID”

   “password”: “The password CLI generated for you”

}

Pulling it all together and testing it out. You can simply run the AZ Login to test the SP.

az login –service-principal -u {the appId} -p {the password} –tenant {your tenant ID}

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s