I have created a RBAC enabled service principal in Azure to configure Key Vault access within my OS using environment variables. When you create a service principal, the Azure CLI responds with the service principal details, containing the clientSecret value. Creation command:
az ad sp create-for-rbac -n <http://my-name> --sdk-auth
I would like to know if and how I can request the clientSecret later on. When I use
az ad sp show --id <my-service-principal-uuid>
or
az ad sp credential list --id <my-service-principal-uuid>
the clientSecret is not in the response information.
Is there any way to retrieve the clientSecret other than at the moment of creation?
You cannot retrieve it after creation. The best you can do is to reset it, at which point you will be shown the new value:
PS C:\> az ad sp credential reset --name foo
{
"appId": "...",
"name": "foo",
"password": "...",
"tenant": "..."
}
This means that you will need to update the credential manually wherever you've made use of it, for example in Azure DevOps if you've created an Azure RM service connection with that particular service principal.
You can get like below
Create a service principal
SPA_SP_APP_ID=$(az ad sp create-for-rbac --name $AKS_SP_NAME --skip-assignment --query appId)
Retrieve Service principal APPID and Client Secret
SPA_SP_SECRET=$(az ad sp credential reset --name $SPA_SP_APP_ID --query "password")
EDIT
As Moss Mentioned above, you cannot retrieve once it is created.
Related
I was reading this documentation https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication
And I have found that we can use azure login cli with allow-no-subscriptions parameter.
So my question is that what is the purpose of this parameter? although we have already defined the subscription id in the repository's secret when we can run this command
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
--sdk-auth
Because it outputs, subscription id, tenant id, secret id, client id.
Surprisingly, if I create app registration through azure portal I get an error
Error: : No subscriptions found for ***.
Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows
Although the subscription id well defined in the secrets.
And if I just use that parameter
allow-no-subscriptions=false
Then I have no issue and it works like charm.
For creating rbac from your local machine you need to upgrade az module and need to login Azure CLi using az login
az upgrade , az login
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
--sdk-auth
*The service principle is mapped to contributor role and subscription scope. *
Please find the below screenshot
For reference, please check this Az CLI Login failed. Please check the credentials and make sure az is installed on the runner
I am testing an environment where I have the credentials of a service principal of an application. My next step is to identify the objects owned by the application or the resources that the app can access.
I could get similar details for an AD user through the cli command
ad signed-in-user list-owned-objects
Running the same command when signed-in with the credentials of the sp results in the following error
Resource not found for the segment 'me'.
My use-case is to enumerate the SP account to understand its access rights in the subscription. Can someone help me out with the right set of azure cli commands.
I tried to reproduce the same in my environment and got below results:
I created one service principal with Storage Blob Data Contributor role at storage account scope like below:
az ad sp create-for-rbac --role "Storage Blob Data Contributor" --name <spname> --scopes /subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Storage/storageAccounts/<storaccname>
Now I logged in to Azure account successfully using above service principal credentials:
az login --service-principal -u appID -p password --tenant tenantID
When I ran the same command to get the resources that the app can access, I got same error as below:
az ad signed-in-user list-owned-objects
To list RBAC roles assigned to a service principal, you can make use of below command:
az role assignment list --assignee <service_principal_ID> --all
If your use case is to list all the resources/objects a service principal can access/own, currently there is no command available particularly for that.
To know more in detail, you can check below reference:
For a given Azure AD Service Principal, Get a list of the Azure Objects and Rights by AlfredoRevilla-MSFT
Trying to access files from Azure Netapps via REST API by following documentation
https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-develop-with-rest-api
with POSTMAN rest client.
To get appId, password, tenant by executing following command in Azure CLI
az ad sp create-for-rbac --name $YOURSPNAMEGOESHERE --role Contributor --scopes /subscriptions/{subscription-id}
Here what is $YOURSPNAMEGOESHERE? How to fins this value? I am currently using trail account on Azure.
Please note that, the command you are currently using is related to creating service principal and assigning role to it.
In this $YOURSPNAMEGOESHERE , you have to pass the name of the service principal you want to create.
Instead of that, you can also give the name directly in string format like below:
I tried to reproduce the same in my environment like below and got the below results:
az ad sp create-for-rbac --name "TestSP" --role Contributor --scopes /subscriptions/subscriptionId
Output:
Reference:
az ad sp | Microsoft Docs
I'm on the basic account type on Azure.
I have: A private registry with only one Access Key (Admin one)
I want: To be able to create more access keys with read only (acrpull) access.
Question: Am I reading correct from here: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-skus#sku-feature-matrix that this is not allowed (only in the premium account)?
Isn't there a way to create another token with acrpull access only on a basic account?
Regards,
Of course, you can. It uses a service principal to do the authentication. You need to create a service principal assigned with the role acrpull for the ACR.
Here is an example script which uses the CLI command:
#!/bin/bash
# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
ACR_NAME=<container-registry-name>
SERVICE_PRINCIPAL_NAME=acr-service-principal
# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)
# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull: pull only
# acrpush: push and pull
# owner: push, pull, and assign roles
SP_PASSWD=$(az ad sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
SP_APP_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)
# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"
You can get more details in Azure Container Registry authentication with service principals, and also you can choose an appropriate role as you need when you take a look at Azure Container Registry roles and permissions.
I am trying to create a service principal from azure cli.
az login --service-principal -u servicePrincipalGuid -p spPassword --tenant tenantGuid
az ad sp create-for-rbac --skip-assignment
It works if i assign to the service principal Global administrator but it does not work with the Application Administration which according to the documentations should be sufficient.
I am wondering what roles/permissions are needed to be able to create a service principal without global administrator?
I can reproduce your issue, it is really weird, based on my knowledge, the Application administrator role should work.
The command az ad sp create-for-rbac --skip-assignment creates the app registration successfully, but it can't create the corresponding service principal. Even if I test with the command below to create service principal for the app.
az ad sp create --id '<object-id of the app registration>'
or powershell
New-AzureADServicePrincipal -AppId <object-id of the app registration>
I am wondering what roles/permissions are needed to be able to create a service principal without global administrator?
If you just want to let the command work without the global admin, you could add Application.ReadWrite.All permission of Azure Active Directory Graph like below, then it will work.