As per my understanding, Azure Kubernetes Service(AKS) allows getting credentials for admin and user identities. Can the user identity be an AD app or a managed identity?
I'm writing .Net code. Can you provide some sample where we can get the user credentials from AKS cluster by using AD app credentials, assuming I have already done AD integration with my AKS cluster and have already assigned the appropriate role binding for my AD app?
The security section here - https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/getaccessprofile needs implicit flow. How does implicit flow work for AD app credentials?
You can use Implicit grant flow to get access token.
You'll need the Azure Kubernetes Service Cluster User built-in role to access an Azure AD enabled cluster.
Get the user credentials to access the cluster:
az aks get-credentials --resource-group myResourceGroup --name MyManagedCluster
Or use List Cluster User Credentials API.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedClusters/{resourceName}/listClusterUserCredential?api-version=2020-04-01
Because Get Access Profile API will be deprecated in the futhure.
Related
How to connect securely from AKS cluster to Azure PostgreSQL Single Server using Service principal as the Managed Identity is not supported.
From my point of view you have 2 options (maybe more but lets focus on those 2):
Use Azure AD Workload identity together with federated identity credential linked to you Service Principal. Basically you configure trust between your AKS (OIDC issuer), the Kubernetes Service Account for your Pod and the Azure Service principal to access resources with an Azure AD Token. Here you have to adopt the code running inside your container to leverage the workload identity with the issued Azure AD access token.
Use the Azure Key Vault Provider for Secrets Store CSI Driver. You will configure the Kubelet Identity of your AKS to read the secrets from the KeyVault and mount the Service Principal Client ID & Client Secret (saved as KeVault secrets) during Pod startup as volume into your pod. Here you have to adopt the code running inside your container to read the information (Client ID & Secret) from the filesystem inside the pod. P.s.: You can also use Workload Identity, System assigned identity or a Service Principal instead of managed-identity to access the KeyVault.
I currently create a service principal using the Azure CLI:
az ad sp create-for-rbac --name foo --role Contributor
I need the service principal to have enough permissions to create/modify/delete various Azure AD resources including Applications, other Service Principals and Service Principal Passwords. When I use the above service principal to create other service principals, I currently get 403 Forbidden errors.
I have also tried using the 'Owner' and 'User Access Administrator' roles but these still give me a 403 error. What do I need to add to the above Azure CLI command or what additional role assignments do I need to add?
I'd like to use the service principal in a Pulumi program with their Azure AD provider (based on Terraform's Azure AD provider). See:
https://github.com/pulumi/pulumi-azuread/issues/246
In order for a service principal to be able to manage applications it requires API permissions. There is no such thing as a scope, because the API permissions are against the Azure AD API. Scopes are only applicable when it is related to the Resource Manager API. These are not the same thing.
When you go to application registrations in Azure AD, you can find the application, this is also where you will be able to assign the API permissions and grant consent.
You will do this either on the Azure Active Directory Graph, or on the Microsoft Graph. In my experience only the permissions assigned with the Azure Active Directory Graph worked.
Application.ReadWrite.All
Application
Read and write all applications
Application.ReadWrite.OwnedBy
Application
Manage apps that this app creates or owns
You will find these two application permissions that you could use. The first you can use manage all applications.
The az cli command you are using is to create a role assignment. This is RBAC on the subscription, it has nothing to do with Azure AD aside from the service principal being an AAD resource.
You need to add the scope of this service principal and also change the Azure role of this Service Principal to 'User Access Administrator' to enable you to modify resources in Azure AD. Also, 'User Access Administrator' role will give the service principal the required permissions for that Azure role to assign RBAC permissions. Please refer the below command for more details: -
az ad sp create-for-rbac --name foo --role User Access Administrator --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1}
Also, ensure that the user ID through which you are creating this service principal and assigning the role to it has permissions to register and create applications in Azure AD. If not, then please assign that ID 'Application Administrator' Azure AD role or you should be allowed to create and register applications by an administrator even though being a 'User'.
You need to give your service principal "App admin" permissions. This allows you to create application registrations and also set their credentials. And it does not give it rights to do anything else such as manage users and groups. If your intent is to include those, you need to add additional roles to the service principal.
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator
Been looking for a while but couldn't find the answer. I've been using service principle on my azure devops to modify my azure infrastructure via piplines (proper permissions). I need to run some of the commands locally using powershell, for example delete some of my azure roles.
Is there a way to use my service principle's permissions via cli / powershell to achieve what I'm looking for? Cannot do it via Connect-Azure as my user account's role has insufficient permissions. I need to do it with service principle.
Yes, you can login to the Azure CLI with a Service Principal.
To sign in with a service principal, you need:
The URL or name associated with the service principal
The service principal password, or the X509 certificate used to create the service principal in PEM format
The tenant associated with the service principal, as either an .onmicrosoft.com domain or Azure object ID
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli#sign-in-with-a-service-principal
I am using Terraform cloud and I don't want to use permanent keys in it. So, is there any to create a temporary keys in Azure Cloud(like we can create in AWS).
When you are authenticating to Azure Cloud via Azure service principal, by default, the Az CLI command will get a password for this service principal with a one-year expiration date.
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscription_id>"
from your comments, in fact you want to get this password to expire in a short time. You can use az ad app credential reset to append or overwrite an application's password or certificate credentials.
For example, reset the application password with the following Az CLI commands.
az ad app credential reset --id <appId> --password <sp_password> --end-date 2020-08-13T11:59:59+00:00
For more information, you could read the Relationship between application objects and service principals
By creating a ServicePrincipal in AzureAD you're also able to assign a LifetimePolicy (tokenLifetimePolicies). This way you're able to have an "end of life" for the token.
Here's also a short how to on creating a new ServicePrincipal.
Alternatevily you could use this new preview feature: Configurable token lifetimes in Microsoft identity platform (Preview).
As it is a preview feature you're not supposed to use it in production environments.
I have a multi-tenant application in azure and was looking to find a way to login using Azure CLI. So far I have been unsuccessful.
The following command works well with service principal but fails with application
azure login --service-principal -u <app-id> -p <password> --tenant <tenant-id>
Is it possible to use Azure AD application with Azure CLI?
No , service principal is the identity for the app and could be used to authenticate the app with its own credentials. So if you have an app that needs to access resources , you need to create a service principal for an Active Directory application, and the service principal has permissions on your subscription, then you can use the azure login command to authenticate the service principal.