Error: failed to create or update service principal
- [ ] Make sure you've installed the latest version using instructions in the wiki
Output from azd version

```
azd version 0.3.0-beta.1 (commit c5344160ed49bfda75281fba28b5e9ac7b96670e)
```

Output from az version

```json
{
  "azure-cli": "2.40.0",
  "azure-cli-core": "2.40.0",
  "azure-cli-telemetry": "1.0.8",
  "extensions": {
    "application-insights": "0.1.7",
    "arcdata": "1.4.5",
    "init": "0.1.0",
    "managementpartner": "0.1.3"
  }
}
```
Describe the bug: Can you please advise if there is a way to do the "azd pipeline config --provider azdo" step without automatically creating the service principal, as most tenants and DevOps organisations don't want individual developers to have this level of access and have already set up a service connection ready to use.
Error: failed to create or update service principal: failed running az ad sp create-for-rbac: exit code: 1, stdout: , stderr: ERROR: Directory permission is needed for the current user to register the application. For how to configure, please refer 'https://docs.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: Insufficient privileges to complete the operation
To Reproduce: Set minimal user rights on Active Directory and run azd pipeline config --provider azdo
Expected behavior: Get the opportunity to set/select an existing service connection.
Environment:
- Visual Studio Code 1.71.2
@vhvb1989 can you see if the existing service-principal/connection can be used for AzDo?
We need to add the support to use an existing service-principal.
Right now, no matter what provider is selected (github or Azure DevOps), azd creates a new service principal every time that azd pipeline is executed.
The only customization that azd supports is using the name of an existing service-principal. When this is set like azd pipeline --principal-name some-service-principal-name, azd would rotate the secret-credentials from that service-principal and use it to establish the connection.
For the requested scenario, the customer would need to set:
- clientId
- tenantId
- client secret
for an existing service-principal. (there's no way to fetch a service-principal's client secret without rotating the secret).
I need to define with PM what the experience/flow for doing this would be.
- Should it be set in azure.yaml?
- should we add the 3 values as input arguments?
- Set an option to use existing and prompt user to enter the values?
- Use env-vars to define the service-principal credentials and auto-detect with azd?
- Any other
@savannahostrowski @puicchan @jongio FYI, can you start thinking about what you would like here, or whether we don't want to support this (for any reason)?
This seems like something we do want to support. I think that this likely falls into the larger effort of supporting developers using azd with non-azd created/existing infrastructure. We probably want to group this and other similar items under that epic/bucket (BYO-infrastructure).
In enterprise scenarios, developers typically do not have direct access or rights to create a service principal. clientId, tenantId etc. are JSON output that is captured after running az ad sp. The secret should be captured and configured in the GitHub Workflow or AzDo, so it should not be something we store on the azd side (dev won't have access.) @jongio @wbreza for input.
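As an added example (not azd's own code and not from anyone in this thread) of the split described in the comment above and of the env-var option listed earlier: only clientId and tenantId are persistable config, while the secret is handed straight to the pipeline's secret store. The `appId`/`tenant`/`password` field names of `az ad sp create-for-rbac` are real; the sample values, the AZURE_* auto-detection and the function names are assumptions.

```python
import json
import os
import re

# Constructed sample of `az ad sp create-for-rbac` JSON output; every value is fake.
SAMPLE_SP_JSON = """{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "azd-sample-sp",
  "password": "fake-secret-value-not-a-real-credential",
  "tenant": "66666666-7777-8888-9999-000000000000"
}"""

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def _guid(name, value):
    """Reject anything that is not a GUID so a pasted secret never lands in a config field."""
    if not value or not GUID_RE.match(value):
        raise ValueError(f"{name} must be a GUID")
    return value

def split_sp_output(raw_json):
    """Parse create-for-rbac output into (persistable ids, secret).

    Only clientId and tenantId are meant to be written to azd/project config;
    the secret is returned separately so the caller can push it straight into
    the GitHub/AzDo secret store and discard it (hypothetical azd behaviour).
    """
    data = json.loads(raw_json)
    ids = {"clientId": _guid("appId", data.get("appId")),
           "tenantId": _guid("tenant", data.get("tenant"))}
    secret = data.get("password")
    if not secret:
        raise ValueError("create-for-rbac output has no password field")
    return ids, secret

def from_environment(env=None):
    """Auto-detect an existing service principal from environment variables.

    Uses the Azure SDK's standard names (AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET); returns None when any of them is missing.
    """
    env = os.environ if env is None else env
    client_id, tenant_id = env.get("AZURE_CLIENT_ID"), env.get("AZURE_TENANT_ID")
    secret = env.get("AZURE_CLIENT_SECRET")
    if not (client_id and tenant_id and secret):
        return None
    return {"clientId": _guid("AZURE_CLIENT_ID", client_id),
            "tenantId": _guid("AZURE_TENANT_ID", tenant_id)}, secret
```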