
Creating service principal with ARM deployment

Open morsh opened this issue 7 years ago • 28 comments

Hi,

I'd like to know if it is possible to deploy a service principal resource with an ARM template.

From what I know, this is not possible, and I'm not sure this is the right repo for that, but would have been great to know if this is a planned feature or another repo where I could ask this.

I'm aware that this is not an ARM resource, but this or an alternative that enables access to Azure Subscription would be great.

Thanks.

morsh avatar Sep 25 '16 10:09 morsh

@morsh - Couple of questions:

  1. Are you asking whether one can create a service principal using a deployment template?
  2. Or, are you asking whether one can enable access (authorize) a service principal to a subscription (sp is already created)?

For 2: We currently assign a role to the sp. That establishes the link (enables access) between the sp and the subscription. Role Assignment is an ARM thing that should be very much possible with deployment templates.

The CLI command for assigning a role is azure role assignment create -h

This article gives you an idea about 3 ways to create an SP.

amarzavery avatar Sep 25 '16 17:09 amarzavery

Hi @amarzavery, Regarding 2 - I would be happy to see an example of how to do that using an ARM template.

Regardless, I'm referring to Number 1.

morsh avatar Sep 26 '16 07:09 morsh

I am not sure if that can be done as of today.

amarzavery avatar Sep 29 '16 03:09 amarzavery

@shuagarw @ravbhatnagar @vivsriaus - Do you guys know if there is a sample deployment template for creating an sp and assigning a role to it? This would be very useful. I looked over here https://github.com/Azure/azure-quickstart-templates but couldn't find any sample.

amarzavery avatar Oct 17 '16 22:10 amarzavery

any updates on this? "Creating service principal with ARM deployment"?

eduda avatar Jun 06 '17 15:06 eduda

I'm interested in this, as well. I want to deploy a solution that includes some VMs which should be able to access information about the resources in the resource group, and ideally create new resources itself (to add new nodes to the cluster, etc.). To do this, I want to embed a native application in the VM and then create a role assignment in the ARM template.

But, I have to provide the principalId in order to create the role assignment. I think that means a user would need to manually create the principalId somehow, and somehow provide it to the template deployment? It would be great to be able to automatically grant my application the access it needs during deployment, or to somehow streamline the way users can handle this (much in the same way AWS allows a user to easily create an IAM role that can be applied to EC2 instances).

kolbe avatar Jul 17 '17 23:07 kolbe

@yugangw-msft @johanste - Can you guys take a look at this? Will this be supported in the new CLI?

amarzavery avatar Jul 18 '17 03:07 amarzavery

It's already possible in the CLI to create a new SP, but that will be a very foreign workflow for someone trying to deploy a solution from the Marketplace. Perhaps the answer here is to use an MSI extension in the resource template instead of trying to use this service principal and registered app workflow?

kolbe avatar Jul 18 '17 15:07 kolbe

> I'm interested in this, as well. I want to deploy a solution that includes some VMs which should be able to access information about the resources in the resource group, and ideally create new resources itself (to add new nodes to the cluster, etc.). To do this, I want to embed a native application in the VM and then create a role assignment in the ARM template.

We will have pretty good support for this through the new CLI 2.0 release next week. This can be done in one command, say az vm create -g myRG -n myVM --image ubuntults --assign-identity. In a nutshell, --assign-identity tells the CLI to enable the identity of the VM, which essentially means a service principal will be created for this VM. By default the CLI will assign a contributor role (it can be configured to assign a different role) to the VM with access to the current resource group, meaning you don't need to create a role assignment separately, and you are good to go. If you have more custom scripts to run in the VM, there is a token endpoint at port 50342 you can contact to get access tokens. If it is about Azure resource management, I very much suggest you just run az login <subscription-id>@<port>, and all the rest of the commands are good to go.

If for some reason you still prefer template deployment rather than going through az vm create, you can still use az vm create --debug --validate ..., which will dump out the template the CLI uses, for your reference. If you have a VM already, try az vm assign-identity ....

I guess I am suggesting you should definitely give CLI 2.0 a try. We have nightly builds and docker images ready now if you are interested in trying it out right now.

yugangw-msft avatar Jul 18 '17 16:07 yugangw-msft
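The workflow described in the comments above (a role assignment as an ARM resource, a VM whose identity is a service principal created for it, and the principalId that the role assignment needs) written out as a single resource-group-scoped ARM template. This is an added illustration, not code from this repository and not the template the CLI dumps with --debug. It assumes an existing NIC passed in as nicId (the network is out of scope), a Linux image, and grants the built-in Reader role (definition ID acdd72a7-3385-48ef-bd42-f606fba81ae7) rather than Contributor, since the VM in the earlier question mainly needs to read the group's resources; swap in a different role definition ID if it must create resources. Resource names, parameters and API versions are my own choices.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": { "type": "string", "defaultValue": "myVM" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "adminUsername": { "type": "string" },
    "adminPublicKey": {
      "type": "securestring",
      "metadata": { "description": "SSH public key; password logins are disabled." }
    },
    "nicId": {
      "type": "string",
      "metadata": { "description": "Resource ID of an existing NIC (assumed to exist already)." }
    }
  },
  "variables": {
    "vmResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
    "readerRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2019-07-01",
      "name": "[parameters('vmName')]",
      "location": "[parameters('location')]",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "hardwareProfile": { "vmSize": "Standard_B1s" },
        "osProfile": {
          "computerName": "[parameters('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "linuxConfiguration": {
            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
                  "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]",
                  "keyData": "[parameters('adminPublicKey')]"
                }
              ]
            }
          }
        },
        "storageProfile": {
          "imageReference": { "publisher": "Canonical", "offer": "UbuntuServer", "sku": "18.04-LTS", "version": "latest" },
          "osDisk": { "createOption": "FromImage" }
        },
        "networkProfile": { "networkInterfaces": [ { "id": "[parameters('nicId')]" } ] }
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(resourceGroup().id, parameters('vmName'), 'reader')]",
      "dependsOn": [ "[variables('vmResourceId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('readerRoleDefinitionId')]",
        "principalId": "[reference(variables('vmResourceId'), '2019-07-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ],
  "outputs": {
    "vmPrincipalId": {
      "type": "string",
      "value": "[reference(variables('vmResourceId'), '2019-07-01', 'Full').identity.principalId]"
    }
  }
}
```

Three things worth checking before relying on this. The principalId is read back from the VM with reference(..., 'Full').identity.principalId, so the person deploying never has to create or paste an identity by hand; principalType is set to ServicePrincipal so the assignment does not fail with PrincipalNotFound while the directory is still replicating the freshly created identity. The identity doing the deployment must hold Microsoft.Authorization/roleAssignments/write (Owner or User Access Administrator; Contributor alone cannot create role assignments). And this still does not create an app registration with a client secret, which is what the original question asked for: the VM gets a managed identity that shows up in the directory as a service principal but has no password to retrieve, and code on the VM obtains tokens from the local endpoint (port 50342 in the extension-based setup described above; on current VMs it is the instance metadata service at http://169.254.169.254/metadata/identity/oauth2/token with a Metadata: true header).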

+1 I also need to create Service Principal with an ARM template.

syedhassaanahmed avatar Oct 29 '17 10:10 syedhassaanahmed

+1 for this. Terraform supports ARM templates. It would be very handy to have this feature supported.

pixelicous avatar Mar 03 '18 22:03 pixelicous

@amarzavery could this be looked at? How come any resource in Azure doesn't have ARM template support? It's all JSON in the background anyway.

pixelicous avatar Mar 07 '18 19:03 pixelicous

There are some road blocks over here.

  • Service principal is an Active Directory entity, which is an independent service on its own.
  • This project is pretty much dead for ARM mode. If at all this will be supported then it will happen in the python based CLI 2.0.

amarzavery avatar Mar 08 '18 05:03 amarzavery

@amarzavery I'll open this as an issue somewhere else.

pixelicous avatar Mar 08 '18 08:03 pixelicous

+1 Need this feature for the solution - need to create Service Principal with an ARM template.

vishleshp avatar Jul 27 '18 18:07 vishleshp

+1 We are also looking for SP creation as part of ARM template. This is used to deploy other resources post managed app deployment at customer end.

slaggala avatar Sep 03 '18 07:09 slaggala

@amarzavery I think you missed a "t" in your URL ;-)

fowl2 avatar Sep 12 '18 22:09 fowl2

@fowl2 - thanks for notifying. The url has been updated.

amarzavery avatar Sep 12 '18 22:09 amarzavery

Does this and this help?

johanste avatar Sep 12 '18 22:09 johanste

@johanste - Correct me if I'm wrong, but as far as I can see none of those give the ability to create a service principal (registered app identity)

morsh avatar Sep 13 '18 08:09 morsh

I notice the UI for the AKS deployment (link) using the Azure portal offers a way to create a new SP; no doubt the createUIDefinition.json for this template has the functionality to achieve this, it just doesn't seem to be available anywhere. Can someone share this so we can include the same functionality in our own offerings?

LordBoBCUP avatar Nov 06 '18 22:11 LordBoBCUP

Does anyone know how to get a service principal password in an ARM template? I mean like we can get a storage account key with listKeys(). I am working on creating a Key Vault ARM template that can get all keys from the resources and save them as secrets in Key Vault. Is it a good scenario?

nawras-yanes avatar Feb 23 '19 13:02 nawras-yanes

I've written an Azure DevOps task named "Azure AD Application tasks management": https://marketplace.visualstudio.com/items?itemName=experta.AzureADApplication

I'm actually using it to create my service principal and link it with my AKS ARM template. Maybe it can help you.

lturmel avatar Feb 23 '19 14:02 lturmel

@lturmel Thanks for the good work! Can any ARM template call this Azure DevOps task, or dynamically create this DevOps task during deployment time and retrieve the SP ID and password from it?

vishleshp avatar Feb 25 '19 15:02 vishleshp

@vishleshp Thanks for the feedback. To answer your question: yes, the package I've put on the marketplace has a task to retrieve the Application ID. When you create the app from my custom task, you can set the password, but it's not possible to retrieve it once it's created.

lturmel avatar Feb 25 '19 17:02 lturmel

> I've written an Azure DevOps task named "Azure AD Application tasks management": https://marketplace.visualstudio.com/items?itemName=experta.AzureADApplication
>
> I'm actually using it to create my service principal and link it with my AKS ARM template. Maybe it can help you.

@lturmel hey, did it work for you? I am trying to do exactly the same, but have a lot of questions about the ManageAzureAdApplication task. Maybe you have some tutorials or can help me?

Also, is this task supported in AzureCloudChina? Although the service connection given is linked to AzureCloudChina.

buzykina avatar Oct 15 '19 09:10 buzykina

Hi @buzykina, yes, it works well on my side, but I'll have to write a quick guide. There's a specific config to make it work well. You can contact me directly if you like; I'll be happy to help you.

lturmel avatar Oct 31 '19 19:10 lturmel

> I've written an Azure DevOps task named "Azure AD Application tasks management": https://marketplace.visualstudio.com/items?itemName=experta.AzureADApplication I'm actually using it to create my service principal and link it with my AKS ARM template. Maybe it can help you.
>
> @lturmel hey, did it work for you? I am trying to do exactly the same, but have a lot of questions about the ManageAzureAdApplication task. Maybe you have some tutorials or can help me?
>
> Also, is this task supported in AzureCloudChina? Although the service connection given is linked to AzureCloudChina.

I've updated the doc, and also the entire package to be compatible with all OS agents! https://marketplace.visualstudio.com/items?itemName=experta.AzureADApplication

lturmel avatar Nov 30 '19 12:11 lturmel