I created a service principal using rbac and using the subscription id and I was able to login and all CLI calls with Azure using this sp and this login
(creating SP
az ad sp create-for-rbac -n "AppName1" --role contributor --scopes /subscriptions//resourceGroups/)
But when I call for billing info as:
az consumption usage list --subscription
Unauthorized. Request ID:
I am not sure what authentication permission scope to add to enable this. Tried too many things and somehow I feel I am not in the right direction. Any help will be greatly appreciated.
Did you login with the service principle using the following command before hitting the billing/usage?
az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>
I believe the issue is that you assigned the “contributor” role at the resource group level and then trying to access a subscription level resource. Since you don’t have permission for that, you’re getting this “Unauthorized” error.
To fix this, please try to assign the “contributor” role at the subscription level for this service principal.
Related
I am testing an environment where I have the credentials of a service principal of an application. My next step is to identify the objects owned by the application or the resources that the app can access.
I could get similar details for an AD user through the cli command
ad signed-in-user list-owned-objects
Running the same command when signed-in with the credentials of the sp results in the following error
Resource not found for the segment 'me'.
My use-case is to enumerate the SP account to understand its access rights in the subscription. Can someone help me out with the right set of azure cli commands.
I tried to reproduce the same in my environment and got below results:
I created one service principal with Storage Blob Data Contributor role at storage account scope like below:
az ad sp create-for-rbac --role "Storage Blob Data Contributor" --name <spname> --scopes /subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Storage/storageAccounts/<storaccname>
Now I logged in to Azure account successfully using above service principal credentials:
az login --service-principal -u appID -p password --tenant tenantID
When I ran the same command to get the resources that the app can access, I got same error as below:
az ad signed-in-user list-owned-objects
To list RBAC roles assigned to a service principal, you can make use of below command:
az role assignment list --assignee <service_principal_ID> --all
If your use case is to list all the resources/objects a service principal can access/own, currently there is no command available particularly for that.
To know more in detail, you can check below reference:
For a given Azure AD Service Principal, Get a list of the Azure Objects and Rights by AlfredoRevilla-MSFT
Trying to access files from Azure Netapps via REST API by following documentation
https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-develop-with-rest-api
with POSTMAN rest client.
To get appId, password, tenant by executing following command in Azure CLI
az ad sp create-for-rbac --name $YOURSPNAMEGOESHERE --role Contributor --scopes /subscriptions/{subscription-id}
Here what is $YOURSPNAMEGOESHERE? How to fins this value? I am currently using trail account on Azure.
Please note that, the command you are currently using is related to creating service principal and assigning role to it.
In this $YOURSPNAMEGOESHERE , you have to pass the name of the service principal you want to create.
Instead of that, you can also give the name directly in string format like below:
I tried to reproduce the same in my environment like below and got the below results:
az ad sp create-for-rbac --name "TestSP" --role Contributor --scopes /subscriptions/subscriptionId
Output:
Reference:
az ad sp | Microsoft Docs
As said in title I'm facing a permission/privilege issue.
I've logged to az-cli using a service principle I created with Contributor role.
Now, this SP is used in a pipeline, where it needs to edit access policies of a KeyVault for another SP (that has no roles).
I'm using
az keyvault set-policy -n testserviceprincipal --secret-permissions list --spn <id>
but i get Insufficient privileges to complete the operation.
I tried to add keyvault prmissions but still missing something.
Did someone had the same issue and managed to resolve?
I'm somehow sure I'm missing some permissions like user.read cause if I use --object-id and the ObjectId of SP all works fine.
Thanks in advance!
I am trying to create a service principal from azure cli.
az login --service-principal -u servicePrincipalGuid -p spPassword --tenant tenantGuid
az ad sp create-for-rbac --skip-assignment
It works if i assign to the service principal Global administrator but it does not work with the Application Administration which according to the documentations should be sufficient.
I am wondering what roles/permissions are needed to be able to create a service principal without global administrator?
I can reproduce your issue, it is really weird, based on my knowledge, the Application administrator role should work.
The command az ad sp create-for-rbac --skip-assignment creates the app registration successfully, but it can't create the corresponding service principal. Even if I test with the command below to create service principal for the app.
az ad sp create --id '<object-id of the app registration>'
or powershell
New-AzureADServicePrincipal -AppId <object-id of the app registration>
I am wondering what roles/permissions are needed to be able to create a service principal without global administrator?
If you just want to let the command work without the global admin, you could add Application.ReadWrite.All permission of Azure Active Directory Graph like below, then it will work.
I want to give an Azure Managed Identity access to the Graph with Directory.Read.All. I was able to get it to work by following this blog: https://blog.bredvid.no/accessing-apis-using-azure-managed-service-identity-ff7802b887d?gi=f2307752395a, however:
that throws an Authorization_RequestDenied error (though apparently expected: MSI Permissions for Graph API)
I would prefer to get this working under az-cli
I tried...
graphId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].objectId")
roleId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].appRoles[?value=='Directory.Read.All' && contains(allowedMemberTypes, 'Application')] | [0].id")
az role assignment create --role $roleId --assignee-object-id fa22d971-c442-41f2-add1-77e636f80d31 --scope $graphId --assignee-principal-type MSI
But this results in... "The request did not have a subscription or a valid tenant level resource provider."
I am thinking this means I don't have the scope right. Is it possible to do this assignment under az-cli?
It is not possible to assign a service principal(MSI) to an application role currently, all commands here.
The az role assignment create is to add the user/service principal/group to the azure resource as an RBAC role, not that you want, it equals the steps in this link.
Besides, if you want to use the azure CLI instead of powershell because of the cross-platform issue. You could try the powershell core, it is cross-platform, refer to this link to install AzureAD.Standard.Preview module in it, then you will be able to use the AzureAD commands.