I am looking for examples to fetch access token for azure storage account access via azure active directory with service principal in python
It seems like https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/client_credentials_sample.py doesn't support service principal access
are there other ways in fetching token via service principal?
• Yes, you can surely fetch an access token for an Azure storage account via Azure Active Directory using a service principal, i.e., an app registration by following the steps below as given in the below documentation link: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service
As per the above documentation, you will have to host your python application code in a web app service and create a system assigned managed identity for it. Once created, then an application will be created in Azure AD with the same ‘Object ID’ as shown in the managed identity section of the web app service. Before moving onto this application created in Azure AD, assign the required roles to this system assigned managed identity through the ‘IAM’ tab. So, in your case, you should assign the role of ‘Storage Account Contributor’ to the ‘System-assigned managed identity’ created for the web app service.
• Once, the role has been assigned, then go to the ‘Enterprise application’ and search for the ‘Object ID’ of the managed identity, you will encounter an application with the name of the web app service, in that, go to ‘Permissions’ under ‘Security’ tab and assign the required permissions and admin consent required to the application. The permissions shown are those that are allowed under the scope of ‘Storage Account Contributor’ and similarly, you must assign permissions from it to the app/service principal. Then ensure that you are correctly calling the environment variables of this application created in Azure AD regarding the managed identity and implement the ‘DefaultAzureCredential’ from the ‘azure.identity’ module. For this purpose, kindly refer to the below subsection of the above documentation: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service#3---implement-defaultazurecredential-in-your-application
In this way, you can fetch an access token for the Azure storage account via Azure Active Directory using a service principal.
Related
I found a link here which says:
There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant.
My question is, Can a 'service principal' create another 'service principals' in Azure? If yes, how? and what all permissions required for this?
Please suggest. Thanks.
A service principal can create another service principal after being assigned either the corresponding MS Graph permission, or Azure AD role
MS Graph Permissions
Either of the permissions
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
References
Microsoft Graph permissions reference
Create application API endpoint
Create servicePrincipal API endpoint
Azure AD Role
Any role with one of these permissions
microsoft.directory/applications/create
microsoft.directory/applications/createAsOwner
microsoft.directory/applications/allProperties/allTasks
Built-in roles
Application Administrator
Application Developer
Cloud Application Administrator
Global Administrator
Hybrid Identity Administrator
References
Azure AD built-in roles
Application registration permissions for custom roles in Azure Active Directory
We earlier used sas token to access the storage account.Now the requirment is to not to use it. Is it possible for an azure app to access the storage account if it has owner access. I tried using it . But getting this error.
message": "The specified resource does not exist
the url we are using is
`https://${tableService.storageAccountName}.table.core.windows.net/tablename
Simply pointing to a storage account, without any form of credentials, will not work for a private storage account or container.
There are a couple of options you have to provide credentials to connect to a storage account, like using the connection strings containing the access keys or using Managed Identities for Azure resources.
Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens.
Here are some of the benefits of using managed identities:
You don't need to manage credentials. Credentials aren’t even accessible to you.
You can use managed identities to authenticate to any resource that supports Azure AD authentication, including your own applications.
Managed identities can be used without any additional cost.
Because of these benefits and the ease of use I would suggest you Authorize access to blob data with managed identities for Azure resources.
Azure Blob Storage supports Azure Active Directory (Azure AD) authentication with managed identities for Azure resources. Managed identities for Azure resources can authorize access to blob data using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.
Assign an RBAC role to a managed identity
When an Azure AD security principal attempts to access data in an Azure Storage account, that security principal must have permissions to the data resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an Azure role that grants access to data in Azure Storage.
Further to:
API Permission Issue while Azure App Registration
and
Why is "Application permissions" disabled in Azure AD's "Request API permissions"?
I cannot activate the Application Permissions button in the API permissions when I am trying to register an application in Active Directory. I have created the roles (several times) and ensured all of the properties are correct as described in both posts and in https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-registration - including that it the role is set for application, . I am using the default directory of my Azure account. I am the only member in my directory and am a member of global administrators.
Is there something else I am missing?
My end goal is simply to use the .Net SDK to manage the firewall on an application service using a client secret that can be distributed with an application.
Here is the manifest
Okay, so you want an app registration to manage an App Service through Azure Resource Management API as itself with client credentials flow?
In that case you don't need to assign any application permissions to your app.
You need to create the app, and then go to e.g. the App Service resource's Access Control (IAM) tab, and add the needed role to your app there.
The reason that the app permissions tab there is grey is because the Azure Service Management app registration (which you can't edit) does not define any app permissions.
When you define an app permission in the manifest, that becomes a permission that other applications could use to call your API, not Azure Resource Management API.
Is there something else I am missing?
The reason Applications Permissions is greyed out for you is because Azure Service Management API only allows Delegated Permissions i.e. this API will be always be executed in context of the signed-in user. In other words, a user (even if it is a Service Principal) must always be present when executing this API.
You mentioned that you wanted to execute Service Management API using a client secret. For that there are two things you would need to do:
As mentioned by #junnas, you will need to assign your application (which is a Service Principal) a proper Azure RBAC role on an Azure Subscription. Please see this link for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview.
You will need to acquire token for this Service Principal using client id and client secret. You can use ClientSecretCredential for that purpose.
I am creating my first app function using powershell in the Azure portal, It's just to scale a SQLDB on I have tried to use this tutorial as a guide.
MSI example
I turned on MSI for the function and configured resources groups Giving the contributor role to the resource
When I run the function within the portal, I get the message doesn't have authorization to perform action. from this tutorial I believe this is all I had to do ? I have waited over a day to see if it's a timing issue, from the example I Have followed and this MS document managed identies for app service
I don't believe I need to add any secret key for this to work?
Function Error message
Setting the function MSI identity to on
Seeting the access control in
The service principal you are using doesn't have rights within that tenant.
Tenants have subscriptions and service principals belong to tenants. Azure resource manager also exposes role based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.
Go to portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment with correspond service principal which you use to acquire token.
After you have given successful permission, refresh and try again.
Service principle can be created without role via az ad sp create-for-rbac --skip-assignment
Q1. What's the use of a service principal without a role?
Q2. Can a service principle exit without attaching to any scope/resource? If so what's the use of such independent service principle?
Q1. What's the use of a service principal without a role?
The parameter --skip-assignment skip assigning the service principal to the subscription. So to be precise, your question should be without an RBAC role, because there is another role named Administrator role, it will be mentioned below.
Some usages here for you to refer to, there are many usages mixed with the AD App, will not go into details here. If you want to learn about them, you can look into the Azure AD official doc.
1.The service principal can be assigned as an Administrator role in Azure AD, then it can do the things depend on the role permissions, e.g. create a user, delete a group. Via Azure AD powershell, Microsoft Graph API, Azure AD Graph API, or the AAD part of the Az powershell module.
2.The service principal can also calls the APIs and use the powershell above without Administrator role, but you need to give the application permission to it. The az ad sp create-for-rbac will create an AD App along with a service principal, in the AD App in the portal -> API permissions, you can add the permission and consent. Note, when we add permissions and consent in AD App, actually the permissions will be given to the service principal in your tenant, the service principal is an instance of the AD Application in a specific tenant.
Q2. Can a service principle exit without attaching to any scope/resource? If so what's the use of such independent service principle?
Yes, as mentioned above, it can do many things related to Azure AD, Graph API. Here is a doc about Application and service principal objects in Azure Active Directory, it will be really helpful for you to understand the service principal.
A1- you can use it to remove the need of secret keys in your apps. For example, rather than storing the Azure Storage access key, you can grant an identity (your app) to store / access data on Azure Storage.
A2-I think so, it will be a system-assigned managed identity which is a special kind of managed identity (service principal)