I get an ERROR: The request did not have a subscription or a valid tenant level resource provider. when trying to create a service principal via the azure cli under the scope of an Azure Iot Hub. I'm using the CLI (bash) but python would be sufficient, too.
As shown at end, i have correct credentials & rights to create sp's in this subscription, and i have owner rights to the iot hub in question.
In case i'm missing a better way to accomplish this, here is the context: We need to authenticate a job that automates the registration of new devices immediately after they are flashed, before they are shipped off to be plugged in. This does many things to customize the flashed filesystem (add unique device hostname & local passwords, for instance); and finally it needs to register the device with IotHub.
az iot hub device-identity create --device-id [device id] --hub-name [hub name] --edge-enabled
With my user permissions, i can az login and accomplish all of this - but it needs to run in an automated job with no interactive login. I believe service principal is the way to accomplish this (?).
Thus, attempting to create the principal I run:
# the following pulls a valid(looking) `"/subscriptions/NAME/resourceGroups/THEGROUP/providers/Microsoft.Devices/IotHubs/THEHUB"`
IOTHUB_ID="$(az iot hub show --name TheHubName --query id)
az ad sp create-for-rbac --name http://my-iothub-serviceprincipal --scopes $IOTHUB_ID --role contributor --query password --output tsv
which fails with the following as above (Note: contributor is too broad, will be a custom-role later):
WARNING: Role assignment creation failed.
ERROR: The request did not have a subscription or a valid tenant level resource provider.
as a test to ensure i have the right az login and other local state, the following analogous command for an Azure ACR scope does succeed, with a new service principal visible in the portal.
ACR_ID="$(az iot hub show --name TheAcrName --query id)
az ad sp create-for-rbac --name http://acr-service-principal-foobar --scopes $ACR_ID --role acrpull --query password --output tsv
This was caused by a bug in the azure CLI. az iot hub show is returning an improperly quoted string; az acr show for example does not.
az iot hub show --name your-iothub-name --query id returns a string like the following. both quotes " are in the original
'"/subscriptions/guid/.../IotHubs/your-iothub-name"'
az acr show --name your-acr-name --query id returns the same format string, but without the extra ' quoting.
"/subscriptions/.../registries/your-acr-name"
az iot hub device-identity create cannot deal with the '"..."' (understandable) but unfortunately doesn't fail cleanly, making this a bit difficult to track down as quoting blends in a bit for script output.
Related
I was reading this documentation https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication
And I have found that we can use azure login cli with allow-no-subscriptions parameter.
So my question is that what is the purpose of this parameter? although we have already defined the subscription id in the repository's secret when we can run this command
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
--sdk-auth
Because it outputs, subscription id, tenant id, secret id, client id.
Surprisingly, if I create app registration through azure portal I get an error
Error: : No subscriptions found for ***.
Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows
Although the subscription id well defined in the secrets.
And if I just use that parameter
allow-no-subscriptions=false
Then I have no issue and it works like charm.
For creating rbac from your local machine you need to upgrade az module and need to login Azure CLi using az login
az upgrade , az login
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
--sdk-auth
*The service principle is mapped to contributor role and subscription scope. *
Please find the below screenshot
For reference, please check this Az CLI Login failed. Please check the credentials and make sure az is installed on the runner
I am testing an environment where I have the credentials of a service principal of an application. My next step is to identify the objects owned by the application or the resources that the app can access.
I could get similar details for an AD user through the cli command
ad signed-in-user list-owned-objects
Running the same command when signed-in with the credentials of the sp results in the following error
Resource not found for the segment 'me'.
My use-case is to enumerate the SP account to understand its access rights in the subscription. Can someone help me out with the right set of azure cli commands.
I tried to reproduce the same in my environment and got below results:
I created one service principal with Storage Blob Data Contributor role at storage account scope like below:
az ad sp create-for-rbac --role "Storage Blob Data Contributor" --name <spname> --scopes /subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Storage/storageAccounts/<storaccname>
Now I logged in to Azure account successfully using above service principal credentials:
az login --service-principal -u appID -p password --tenant tenantID
When I ran the same command to get the resources that the app can access, I got same error as below:
az ad signed-in-user list-owned-objects
To list RBAC roles assigned to a service principal, you can make use of below command:
az role assignment list --assignee <service_principal_ID> --all
If your use case is to list all the resources/objects a service principal can access/own, currently there is no command available particularly for that.
To know more in detail, you can check below reference:
For a given Azure AD Service Principal, Get a list of the Azure Objects and Rights by AlfredoRevilla-MSFT
Trying to access files from Azure Netapps via REST API by following documentation
https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-develop-with-rest-api
with POSTMAN rest client.
To get appId, password, tenant by executing following command in Azure CLI
az ad sp create-for-rbac --name $YOURSPNAMEGOESHERE --role Contributor --scopes /subscriptions/{subscription-id}
Here what is $YOURSPNAMEGOESHERE? How to fins this value? I am currently using trail account on Azure.
Please note that, the command you are currently using is related to creating service principal and assigning role to it.
In this $YOURSPNAMEGOESHERE , you have to pass the name of the service principal you want to create.
Instead of that, you can also give the name directly in string format like below:
I tried to reproduce the same in my environment like below and got the below results:
az ad sp create-for-rbac --name "TestSP" --role Contributor --scopes /subscriptions/subscriptionId
Output:
Reference:
az ad sp | Microsoft Docs
I'm on the basic account type on Azure.
I have: A private registry with only one Access Key (Admin one)
I want: To be able to create more access keys with read only (acrpull) access.
Question: Am I reading correct from here: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-skus#sku-feature-matrix that this is not allowed (only in the premium account)?
Isn't there a way to create another token with acrpull access only on a basic account?
Regards,
Of course, you can. It uses a service principal to do the authentication. You need to create a service principal assigned with the role acrpull for the ACR.
Here is an example script which uses the CLI command:
#!/bin/bash
# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
ACR_NAME=<container-registry-name>
SERVICE_PRINCIPAL_NAME=acr-service-principal
# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)
# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull: pull only
# acrpush: push and pull
# owner: push, pull, and assign roles
SP_PASSWD=$(az ad sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
SP_APP_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)
# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"
You can get more details in Azure Container Registry authentication with service principals, and also you can choose an appropriate role as you need when you take a look at Azure Container Registry roles and permissions.
I created the Azure Kubernetes Service and Azure Container Registry using Azure Portal. After that I am able to give the Grant AKS access to ACR, for that I used the below script:
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionID 'XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXX'
#Get the id of the service principal configured for AKS
$AKS_RESOURCE_GROUP = "DSEU2-AKSRES-SB-DEV-RGP-01"
$AKS_CLUSTER_NAME = "DSEU2-AKSRES-SB-DEV-AKS-01"
$CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
# Get the ACR registry resource id
$ACR_NAME = "DSWEAKSRESSBDEVACR01"
$ACR_RESOURCE_GROUP = "DSWE-AKSRES-SB-DEV-RGP-01"
$ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)
#Create role assignment
az role assignment create --assignee $CLIENT_ID --role Reader --scope $ACR_ID
Whenever I am running the above PowerShell script then I am getting the exception like shown in below figure.
For the above scenario I followed this documentation:Authenticate with Azure Container Registry from Azure Kubernetes Service
For the command az role assignment create, the description for the argument with --assignee:
Represent a user, group, or service principal. supported format:
object id, user sign-in name, or service principal name.
But what you use is the resource Id of Azure Kubernetes cluster. So you get the error.
And the link you posted, the document shows the secret in the yaml file and the secret created with the command kubectl create secret. The secret just be used for pulling the image from the Azure Container Registry.
Update
With the ERROR shows, the resource group could not be found, so you should check your resource group carefully.
And from your script, you use PowerShell command to log in and use CLI to execute. I think the subscription will not be changed for CLI. So you can check if you are in the correct subscription. PowerShell command will not change the Subscription for CLI.
So I suggest the CLI command az account set --subscription.