How to assign role to an Azure service principal from different subscription? - azure

problem statement
Currently, I am in the process of creating/modifying Azure resources in a different subscription with the help of Azure Terraform.
error
Principal <appid> does not exist in the directory {destination-tenant-id-for which contribution role required}
Consider the following scenario.
We want to create an Azure AKS cluster in one subscription and, in the same execution, update a DNS zone defined in another subscription. This process works well if both the DNS zone and the AKS cluster are in the same subscription, but it will not work if these two resources are in different subscriptions.
steps taken
Create a service principal without a role assignment:
az ad sp create-for-rbac -n sp-terraform-001 --skip-assignment
Assign the Contributor role to the current SP on the current subscription:
az role assignment create --assignee <appid> --role Contributor --scope /subscriptions/<sub-id>
Assign the Contributor role to the current SP on a different subscription. It will fail with the error above:
az role assignment create --assignee <appid> --role Contributor --scope /subscriptions/<diff-sub-id>/<resource-group>....
Please let me know the correct steps to access resources in another subscription.

You can assign rights to a service principal on multiple subscriptions; that is not an issue, as the SP sits outside of the subscription, in Azure AD.
However, you cannot assign rights to resources in a different Azure AD tenant from the one the service principal sits in, which is what it sounds like you are trying to do here.
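An added example (Python, not code from the original thread) of the check a practitioner would want before looping `az role assignment create` over several subscriptions: compare each target subscription's tenantId, as reported by `az account list -o json`, with the tenant the SP was created in, and only emit assignment commands for same-tenant targets. The account list, tenant IDs, subscription IDs and appId below are constructed placeholders.

```python
"""Plan Contributor assignments for one service principal across several
subscriptions, rejecting any target whose subscription sits in a different
Azure AD tenant (those cannot be assigned at all and fail with
'Principal ... does not exist in the directory').

Added example, not code from the original thread. ACCOUNTS_JSON is a
constructed stand-in for `az account list -o json`; every ID is made up.
"""
import json

# Constructed sample of `az account list -o json` for the signed-in identity.
# Only the fields this script uses are included.
ACCOUNTS_JSON = """
[
  {"id": "11111111-1111-1111-1111-111111111111", "name": "aks-sub",
   "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
  {"id": "22222222-2222-2222-2222-222222222222", "name": "dns-sub",
   "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
  {"id": "33333333-3333-3333-3333-333333333333", "name": "partner-sub",
   "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"}
]
"""


def load_accounts(text=ACCOUNTS_JSON):
    """Parse CLI account JSON (replace `text` with real `az account list` output)."""
    return json.loads(text)


def subscription_of(scope):
    """Return the subscription ID embedded in a role-assignment scope such as
    /subscriptions/<id>/resourceGroups/<rg>, or None for non-subscription scopes."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1]
    return None


def plan_role_assignments(sp_tenant_id, accounts, app_id, scopes, role="Contributor"):
    """Return (commands, rejected).

    commands: one `az role assignment create` per scope whose subscription is
              in sp_tenant_id (same tenant; any number of subscriptions is fine).
    rejected: (scope, reason) pairs for subscriptions in another tenant or not
              visible to the signed-in identity at all.
    """
    tenant_of = {a["id"]: a["tenantId"] for a in accounts}
    commands, rejected = [], []
    for scope in scopes:
        tenant = tenant_of.get(subscription_of(scope))
        if tenant is None:
            rejected.append((scope, "subscription not visible to the signed-in identity"))
        elif tenant != sp_tenant_id:
            rejected.append((scope, f"subscription is in tenant {tenant}, SP lives in {sp_tenant_id}"))
        else:
            commands.append(
                f"az role assignment create --assignee {app_id} --role {role} --scope {scope}"
            )
    return commands, rejected


if __name__ == "__main__":
    SP_TENANT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   # constructed: tenant the SP was created in
    APP_ID = "00000000-0000-0000-0000-000000000000"     # constructed: the SP's appId
    cmds, bad = plan_role_assignments(SP_TENANT, load_accounts(), APP_ID, [
        "/subscriptions/11111111-1111-1111-1111-111111111111",
        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/dns-rg",
        "/subscriptions/33333333-3333-3333-3333-333333333333",
    ])
    print("\n".join(cmds))
    for scope, why in bad:
        print(f"SKIP {scope}: {why}")
```

To run this against a real environment, replace ACCOUNTS_JSON with the output of `az account list -o json` after logging in to the tenant the SP belongs to. One caveat: the same "does not exist in the directory" message also appears for a service principal created seconds earlier, before the directory has replicated; in that case the target is not cross-tenant, and Microsoft's RBAC troubleshooting guidance is to retry or to pass `--assignee-object-id <objectId> --assignee-principal-type ServicePrincipal` so the CLI skips the directory lookup.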

Related

Azure - Update service principal scope

I've created an app and added a resource group. How can I update the service principal and add a second resource group? Also, is it possible to make it subscription-wide access instead of just resource-group based?
az ad sp create-for-rbac --name "MyApp" --role contributor --scopes /subscriptions/{SubID}/resourceGroups/{ResourceGroup1}
I can't find any article describing how to do this.
To add an additional resource group you can do this:
az ad sp create-for-rbac -n "MyApp" --role Contributor --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1} /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup2}
Scope is the set of resources that the access applies to. In Azure, you can specify a scope at four levels: management group, subscription, resource group, and resource. Scopes are structured in a parent-child relationship. Each level of hierarchy makes the scope more specific. You can assign roles at any of these levels of scope. The level you select determines how widely the role is applied. Lower levels inherit role permissions from higher levels.
Scope for a role assignment
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps#step-3-identify-the-needed-scope
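The scope hierarchy and inheritance described above, as an added example in Python that is not code from the original thread or from Microsoft: given role assignments in the shape `az role assignment list --all -o json` returns, it walks a scope up through resource, resource group, subscription and management group and collects every role the principal inherits at that point. The assignments, principal IDs and management-group tree (MG_PARENTS, which would come from `az account management-group` output in practice) are constructed.

```python
"""Compute the roles a principal effectively holds at one scope by following
the Azure RBAC hierarchy: management group -> subscription -> resource group
-> resource. An assignment at any ancestor applies at the child.

Added example, not code from the original thread or from Microsoft. All IDs,
names and the management-group tree below are constructed.
"""

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"   # constructed

# Constructed tree: subscription sits under mg-prod, which sits under root-mg.
# The scope string alone does not reveal this link, so it must be supplied.
MG_PARENTS = {
    SUB: MG_PREFIX + "mg-prod",
    MG_PREFIX + "mg-prod": MG_PREFIX + "root-mg",
}

# Constructed subset of `az role assignment list --all` output.
ASSIGNMENTS = [
    {"principalId": "9999", "roleDefinitionName": "Reader",
     "scope": MG_PREFIX + "root-mg"},
    {"principalId": "9999", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg1"},
    {"principalId": "9999", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg2"},
    {"principalId": "8888", "roleDefinitionName": "Owner", "scope": SUB},
]


def ancestors(scope, mg_parents=MG_PARENTS):
    """Return the scope itself followed by each enclosing scope, innermost first."""
    parts = [p for p in scope.split("/") if p]
    chain = []
    if parts and parts[0].lower() == "subscriptions":
        sub = "/subscriptions/" + parts[1]
        if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
            if len(parts) > 4:                       # a resource inside the group
                chain.append("/" + "/".join(parts))
            chain.append(sub + "/resourceGroups/" + parts[3])
        chain.append(sub)
        parent = mg_parents.get(sub)
    else:                                            # a management-group scope
        chain.append(scope)
        parent = mg_parents.get(scope)
    while parent:                                    # climb the management-group tree
        chain.append(parent)
        parent = mg_parents.get(parent)
    return chain


def effective_roles(assignments, principal_id, scope, mg_parents=MG_PARENTS):
    """Roles the principal holds at `scope`, directly or by inheritance."""
    chain = {s.lower() for s in ancestors(scope, mg_parents)}
    return sorted({a["roleDefinitionName"] for a in assignments
                   if a["principalId"] == principal_id and a["scope"].lower() in chain})


if __name__ == "__main__":
    storage = SUB + "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"
    for target in (storage, SUB + "/resourceGroups/rg3", SUB):
        print(target, "->", effective_roles(ASSIGNMENTS, "9999", target))
```

Principal 9999 has Contributor on rg1 and rg2 only; a third group in the same subscription gets just the Reader inherited from the root management group. Replacing the two group-level assignments with one Contributor assignment at SUB is what "subscription-wide" means: every existing and future group in that subscription then inherits it.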

How to create an Azure service principal account for read-only Azure access

I know how to create a service principal for an app registration. However, what is an "Azure service principal account" for read-only Azure access?
The requirement is to execute an API or make API calls from a framework, or run commands, for Azure infra and service validation.
The additional details:
An account with an ID and secret key?
An account with IAM privilege to read config data from Azure services?
Access to the cloud provider's API for config validation?
Are there any steps to do this? It would be really helpful if the above could be done from the Azure portal.
As a workaround, to create the Azure service principal for read-only access you can try using the Azure CLI.
The Reader role is more restrictive, with read-only access. For more information on Role-Based Access Control (RBAC) and roles, see this document: RBAC: Built-in roles.
When restricting a service principal's permissions, the Contributor role should be removed.
This example adds the Reader role and removes the Contributor role on a subscription:
az role assignment create --assignee APP_ID --role Reader --scope /subscriptions/SUBSCRIPTION_ID
az role assignment delete --assignee APP_ID --role Contributor --scope /subscriptions/SUBSCRIPTION_ID
Note: If your account doesn't have permission to assign a role, you see an error message that your account does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write'. Contact your Azure Active Directory admin to manage roles.
Microsoft recommends using the Contributor role at minimum for a service principal. This role has full permissions to read and write to an Azure account.
For more information, refer to this Microsoft doc:

How to view list of azure subscriptions a Service principal has contributor access to?

I have an SPN/app registration that has Contributor access to subscriptions 1 and 2.
This SPN will be used by an external service to access subscriptions 1 and 2 to deploy resources.
How can this external service list all the subscriptions that the SPN has Contributor access to?
There is no endpoint in the Azure REST API that lists all the subscriptions of an SPN.
The quickest way to check which subscriptions the SPN has access to is using the Azure CLI.
Sign in with the SPN:
az login --service-principal --username APP_ID --password PASSWORD --tenant TENANT_ID
Then all the subscriptions the SPN has access to will be listed.
But it won't show the role name "Contributor". So just make sure that the SPN doesn't have any roles other than "Contributor".
If the SPN has a role other than "Contributor" on a subscription, that subscription will also be listed here. In this case, select the subscription in PowerShell and then use az role assignment list --query "[?principalName=='{SPN_name}'].roleDefinitionName" to see its role in this subscription.

What are all these unnamed service principals in my Azure account?

When I run az role assignment list --subscription $sub_id, I get a list of ~20 service principals. All have Contributor access. Only one is named (the one I created). The others show "principalName": "".
There is only one service principal showing in App registrations in the Azure portal.
Can someone help me understand what these SPs might be?
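An added example (Python, not code from the original thread) serving the two questions above: it parses JSON in the shape `az role assignment list --all -o json` emits, reports the subscriptions on which an SPN holds Contributor at subscription scope (and every other role it holds, which the login-based listing hides), and separately lists assignments whose principalName is empty. Matching is done on principalId (the SP's object ID) rather than principalName, because the CLI leaves principalName empty whenever it cannot resolve the object in the directory, typically because the caller lacks permission to read directory objects or because the principal has since been deleted and the assignment is orphaned. The assignment records, IDs and names below are constructed.

```python
"""Answer 'which subscriptions does this SPN have Contributor on?' and
'which assignments point at a principal the CLI could not name?' from
`az role assignment list --all -o json` output.

Added example, not code from the original thread. ASSIGNMENTS_JSON is a
constructed stand-in for the CLI output; all IDs and names are made up.
"""
import json
from collections import defaultdict

ASSIGNMENTS_JSON = """
[
 {"principalId": "aaaa-1", "principalName": "sp-terraform-001", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-1"},
 {"principalId": "aaaa-1", "principalName": "sp-terraform-001", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-2"},
 {"principalId": "aaaa-1", "principalName": "sp-terraform-001", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-3"},
 {"principalId": "aaaa-1", "principalName": "sp-terraform-001", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-4/resourceGroups/rg-only"},
 {"principalId": "bbbb-2", "principalName": "", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-1"},
 {"principalId": "cccc-3", "principalName": "", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-2"}
]
"""


def load_assignments(text=ASSIGNMENTS_JSON):
    """Parse CLI JSON (swap `text` for real `az role assignment list --all -o json` output)."""
    return json.loads(text)


def subscription_of(scope):
    """Subscription ID inside a scope, or None for management-group scopes."""
    parts = [p for p in scope.split("/") if p]
    return parts[1] if len(parts) >= 2 and parts[0].lower() == "subscriptions" else None


def is_subscription_scope(scope):
    """True only for exactly /subscriptions/<id>, not a group or resource beneath it."""
    return subscription_of(scope) is not None and len([p for p in scope.split("/") if p]) == 2


def subscriptions_with_role(assignments, principal_id, role):
    """Subscriptions where the principal holds `role` assigned at the subscription
    itself; a Contributor assignment on a single resource group does not count."""
    return sorted({subscription_of(a["scope"]) for a in assignments
                   if a["principalId"] == principal_id
                   and a["roleDefinitionName"] == role
                   and is_subscription_scope(a["scope"])})


def roles_by_subscription(assignments, principal_id):
    """Every (role, scope) the principal holds, grouped by subscription, so
    that roles other than Contributor are visible rather than assumed away."""
    out = defaultdict(set)
    for a in assignments:
        sub = subscription_of(a["scope"])
        if a["principalId"] == principal_id and sub:
            out[sub].add((a["roleDefinitionName"], a["scope"]))
    return {sub: sorted(v) for sub, v in out.items()}


def unresolved_principals(assignments):
    """Assignments whose principalName is empty: (principalId, type, scope, role).
    Each principalId can be checked with `az ad sp show --id <principalId>`; a
    failure there means the principal is gone and the assignment is orphaned."""
    return [(a["principalId"], a["principalType"], a["scope"], a["roleDefinitionName"])
            for a in assignments if not a.get("principalName")]


if __name__ == "__main__":
    assignments = load_assignments()
    print("Contributor subscriptions:", subscriptions_with_role(assignments, "aaaa-1", "Contributor"))
    for sub, roles in roles_by_subscription(assignments, "aaaa-1").items():
        print(sub, roles)
    for pid, ptype, scope, role in unresolved_principals(assignments):
        print(f"unnamed {ptype} {pid}: {role} on {scope}")
```

Unlike the `--query "[?principalName=='...']"` filter, a principalId filter also works for the unnamed entries, which is why the script keys on it throughout.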

How to create a nested template to deploy resources to subscriptions in different Azure AD Tenants?

I am trying to create a nested ARM template to deploy resources to subscriptions in different Azure AD tenants.
For guidance I used this site: Deploy Azure resources to more than one subscription or resource group
There it says "If the specified subscription exists in a different Azure Active Directory tenant, you must add guest users from another directory." which leads me to believe that this should be possible.
I have an account in Tenant A (6f16...) which is Azure AD Global Administrator and Contributor on the CSP subscription (04c5...) assigned to Tenant A.
I have added this account to Tenant B (1ffc...) as a "New guest user", assigned it as Contributor on the Pay-As-You-Go subscription (ebda...) and also made it Global Administrator in the Azure AD of Tenant B.
To keep it simple I used the first example template on the site which should deploy two storage accounts in two different resource groups and two different subscriptions.
In the parameters file I indicated for 'secondSubscriptionID' the subscription ID (ebda...) assigned to Tenant B (1ffc...) and an existing resource group in that subscription for 'secondResourceGroup':
...
"secondResourceGroup": {
"value": "existing-resource-group-in-Ten-B" },
"secondSubscriptionID": {
"value": "ebda..." },
...
I am trying to deploy it through Azure CLI:
az login -u <emailaddress> -p <pw>
az account set --subscription 04c5...
az group deployment create --resource-group "existing-resource-group-in-Ten-A" `
--template-file stor.temp.json --parameters @stor.para.json
I receive this error message:
Azure Error: CrossTenantDeploymentNotPermitted
Message: The template deployment tries to deploy resources to subscription 'ebda...'.
However, the current tenant '6f16...' is not authorized to
deploy resources to that subscription.
Please see https://aka.ms/arm-template/#resources for usage details.
I received the same error message in the Azure portal and with PowerShell. I also tried it with other tenants/subscriptions.
Am I missing some permissions? Is this even supported?
Is there a better way to deploy resources to multiple tenants than this one?
You log into tenant A and set the subscription to 04c5 in tenant A, but
you reference subscription ebda in tenant B in your ARM templates.
You have to log in and set tenant B / subscription ebda.
https://github.com/MicrosoftDocs/azure-docs-cli/issues/667
az login --username <myEmailAddress> -t <tenantIDofTenantB>
az account set --subscription <TenantBSubscriptionId>
az group deployment create ......