I am trying to make a program that does secret rotation for Azure resources. One of the secrets I want to rotate is a Service principal password. I was wondering if I have the ability to programmatically do the following:
Make a new password for an existing service principal
Delete a password for an existing service principal
I haven't been able to find anything in the docs for the C# SDK, the REST API, the CLI, or PowerShell. Any help would be appreciated. Thanks!
That's relatively simple stuff that can be achieved with the Azure CLI. Make sure you have Azure CLI 2.0 installed. To manage SPs use: az ad sp (check what it does with az ad sp --help).
To manage credentials use: az ad sp credential (it has delete/list/reset commands available). Using these CLI commands you should be able to achieve the desired effect.
There's this little utility on GitHub that rotates it through an Azure Function. C# code with Managed Identity:
https://github.com/3mcloud/azure-keyvault-rotator
https://abschmidt.medium.com/rotating-service-principal-secrets-automatically-in-azure-key-vault-c4f04a84c9af
Try the PowerShell commands below.
Create new password: New-AzureADApplicationPasswordCredential
Delete a password: Remove-AzureADApplicationPasswordCredential
PowerShell and CLI:
az ad sp credential reset --name <objectid>
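Both answers above (the az ad sp credential reset/list/delete one and the PowerShell/CLI one) describe the same rotation primitive. What neither shows is the ordering a rotator has to get right: a plain reset replaces every password on the service principal, so anything still using the old secret breaks before the new one has been distributed. The program below, added here as an example and not taken from the answers or the linked rotator, appends a new password first, hands it to its consumer, and only then deletes the keyIds that existed before. It assumes az is on PATH and already logged in as an identity allowed to manage the app's credentials; the flags used (--id, --append, --display-name, --end-date, --key-id) are those of current Azure CLI releases (newer releases use --id where the answer above uses --name). FakeAz is a constructed stand-in so the flow can be run offline.

```python
"""Service principal password rotation driven by the Azure CLI.

Added example for this thread, not code from the answers or the linked
rotator.  Assumptions: `az` is on PATH and logged in with rights on the app;
the flags used are those of current Azure CLI releases; FakeAz is a
constructed stand-in that mimics the CLI's JSON so the flow runs offline."""
import json
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Callable, List

Runner = Callable[[List[str]], str]  # runs an `az` argument list, returns stdout


def run_az(args: List[str]) -> str:
    """Default runner: invoke the real CLI with JSON output."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def utc_stamp(when: datetime) -> str:
    """Format accepted by --end-date, e.g. 2020-08-13T11:59:59+00:00."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S+00:00")


def list_passwords(app_id: str, run: Runner = run_az) -> list:
    """Password credentials currently on the SP (keyId, endDateTime, ...)."""
    return json.loads(run(["ad", "sp", "credential", "list", "--id", app_id]))


def add_password(app_id: str, validity_days: int, run: Runner = run_az,
                 now: datetime = None):
    """Append a new password (reset without --append wipes the others).
    Returns (secret, end_date); the secret is only ever shown in this response."""
    now = now or datetime.now(timezone.utc)
    end = utc_stamp(now + timedelta(days=validity_days))
    out = json.loads(run(["ad", "sp", "credential", "reset", "--id", app_id,
                          "--append", "--display-name", f"rotated-{now:%Y%m%d}",
                          "--end-date", end]))
    return out["password"], end


def delete_password(app_id: str, key_id: str, run: Runner = run_az) -> None:
    run(["ad", "sp", "credential", "delete", "--id", app_id, "--key-id", key_id])


def rotate(app_id: str, validity_days: int, store_secret: Callable[[str], None],
           run: Runner = run_az, now: datetime = None):
    """Add-before-remove rotation: remember the existing keyIds, append a fresh
    password, hand the secret to its consumer (e.g. write it to Key Vault), and
    only then delete the old keyIds.  If store_secret raises, nothing has been
    deleted yet and the SP still works with its old secret, so the rotation can
    simply be retried.  Returns (deleted_key_ids, new_end_date)."""
    old_ids = [c["keyId"] for c in list_passwords(app_id, run)]
    secret, end = add_password(app_id, validity_days, run, now)
    store_secret(secret)
    for key_id in old_ids:
        delete_password(app_id, key_id, run)
    return old_ids, end


class FakeAz:
    """Constructed stand-in for `az ad sp credential ...` (offline demo only)."""

    def __init__(self, existing: list):
        self.creds = list(existing)
        self.calls: List[List[str]] = []

    def __call__(self, args: List[str]) -> str:
        self.calls.append(args)
        verb = args[3]
        if verb == "list":
            return json.dumps(self.creds)
        if verb == "reset":
            self.creds.append({"keyId": f"k-{len(self.creds)}",
                               "displayName": args[args.index("--display-name") + 1],
                               "endDateTime": args[args.index("--end-date") + 1]})
            return json.dumps({"appId": args[5], "password": "new-secret-value",
                               "tenant": "00000000-0000-0000-0000-000000000000"})
        if verb == "delete":
            kid = args[args.index("--key-id") + 1]
            self.creds = [c for c in self.creds if c["keyId"] != kid]
            return ""
        raise ValueError(f"unexpected call: {args}")


if __name__ == "__main__":
    # Offline demo with two constructed pre-existing credentials.
    fake = FakeAz([{"keyId": "k-old-a", "endDateTime": "2025-01-01T00:00:00Z"},
                   {"keyId": "k-old-b", "endDateTime": "2025-06-01T00:00:00Z"}])
    deleted, end = rotate("app-id", 30, lambda s: None, run=fake)
    print("deleted:", deleted, "new secret valid until", end)
    print("remaining:", [c["keyId"] for c in fake.creds])
```

Against a real tenant, swap FakeAz for the default run_az and pass a store_secret that writes to wherever the consumer reads the secret from (Key Vault, a CI variable). Note that the rotation deletes every password that existed before it ran, including ones created by other people; a rotator that shares an SP with others should filter old_ids by displayName instead.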
I have created a Docker container and generated the final artifact of my Azure Function app code. The Azure CLI is already installed in the container. Is it possible to deploy to Azure using the Azure CLI and pass the credentials along?
I tried the following command (example credentials):
az functionapp deployment user set --user-name "MY_USER" --password "MY_PASS" --subscription "MY_SUBSCRIPTION"
But it results in the following error:
Subscription 'MY_SUBSCRIPTION' not recognized. ValidationError: Please run 'az login' to setup account.
If I log in (which requires entering a pass code in a browser), then the command above seems to work.
This is going to be part of CI/CD and manual login is not a solution. Any ideas?
You would need to use a service principal to authenticate. But since you mentioned you are using Jenkins, fortunately there is a rich set of plugins available for different Azure resources which can handle the authentication for you if you set them up in your Jenkins dashboard. For example, in this case you are using az cli, for which you can install https://plugins.jenkins.io/azure-cli/
Yes, you need to be authenticated. Here you have several authentication options: Sign in with Azure CLI
Authenticating with a service principal is the best way to write secure scripts or programs
Sign in with a service principal
I am using Terraform Cloud and I don't want to use permanent keys in it. So, is there any way to create temporary keys in Azure Cloud (like we can create in AWS)?
When you authenticate to Azure via an Azure service principal, by default the Az CLI command will get a password for this service principal with a one-year expiration date.
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscription_id>"
From your comments, in fact you want this password to expire in a short time. You can use az ad app credential reset to append or overwrite an application's password or certificate credentials.
For example, reset the application password with the following Az CLI command.
az ad app credential reset --id <appId> --password <sp_password> --end-date 2020-08-13T11:59:59+00:00
For more information, you could read the Relationship between application objects and service principals
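The answer above makes two points a practitioner will want to act on: the CLI default is a one-year password, and --end-date lets you shorten it. The code below, added here as an example rather than taken from the answer, does both halves programmatically: it computes the --end-date value for a credential that should live only as long as one Terraform or CI run, and it audits the credentials an app already has (the JSON that az ad app credential list returns) to flag the ones that are expired dead weight or whose lifetime exceeds a policy maximum. The field names (keyId, displayName, startDateTime, endDateTime) and the ISO 8601 UTC timestamps are assumptions about that JSON shape; the sample credential list is constructed, and az is only needed by the optional fetch helper.

```python
"""Short-lived service principal passwords: choose the --end-date and audit
existing credentials against a maximum lifetime.

Added example for this thread, not code from the answer.  Assumes the JSON
shape of `az ad app credential list` (keyId, displayName, startDateTime,
endDateTime in ISO 8601 UTC); SAMPLE_CREDENTIALS is constructed."""
import json
import subprocess
from datetime import datetime, timedelta, timezone


def parse_utc(ts: str) -> datetime:
    """Graph timestamps end in 'Z'; fromisoformat on older Pythons wants +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def end_date_arg(hours: float, now: datetime = None) -> str:
    """Value to pass as `az ad app credential reset --end-date ...` so the
    password dies shortly after the job that needs it (e.g. one CI run)."""
    now = now or datetime.now(timezone.utc)
    end = now + timedelta(hours=hours)
    return end.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S+00:00")


def audit_credentials(creds: list, max_days: int, now: datetime = None) -> list:
    """Flag passwords that are already expired (should be deleted) or whose
    start-to-end lifetime exceeds max_days (the one-year CLI default will
    usually trip this).  Returns one finding dict per offending credential."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for c in creds:
        start, end = parse_utc(c["startDateTime"]), parse_utc(c["endDateTime"])
        lifetime_days = (end - start).days
        if end <= now:
            status = "expired"
        elif lifetime_days > max_days:
            status = "lifetime-exceeds-policy"
        else:
            continue
        findings.append({"keyId": c["keyId"], "displayName": c.get("displayName"),
                         "lifetimeDays": lifetime_days, "status": status})
    return findings


def fetch_credentials(app_id: str) -> list:
    """Live version: read one app's password credentials via the CLI
    (requires `az` on PATH and an existing login)."""
    out = subprocess.run(["az", "ad", "app", "credential", "list", "--id", app_id,
                          "--output", "json"], check=True, capture_output=True,
                         text=True)
    return json.loads(out.stdout)


# Constructed sample in the shape of `az ad app credential list` output.
SAMPLE_CREDENTIALS = [
    {"keyId": "k-ci-short", "displayName": "ci-run-4711",
     "startDateTime": "2020-08-12T12:00:00Z", "endDateTime": "2020-08-12T20:00:00Z"},
    {"keyId": "k-default-year", "displayName": "rbac",
     "startDateTime": "2020-08-01T00:00:00Z", "endDateTime": "2021-08-01T00:00:00Z"},
    {"keyId": "k-rotated", "displayName": "rotated-20200801",
     "startDateTime": "2020-08-01T00:00:00Z", "endDateTime": "2020-10-01T00:00:00Z"},
]

if __name__ == "__main__":
    now = parse_utc("2020-08-13T03:59:59Z")
    print("end-date for an 8h credential:", end_date_arg(8, now))
    for finding in audit_credentials(SAMPLE_CREDENTIALS, max_days=90, now=now):
        print(finding)
```

For the Terraform Cloud case the pattern is: create the password with end_date_arg(hours) as the --end-date, run the job, and delete the keyId afterwards; anything the job leaks is then only usable for that window. Running audit_credentials over every app you own (loop over fetch_credentials) finds the one-year defaults that were never shortened.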
By creating a ServicePrincipal in Azure AD you're also able to assign a lifetime policy (tokenLifetimePolicies). This way you're able to have an "end of life" for the token.
Here's also a short how to on creating a new ServicePrincipal.
Alternatively you could use this new preview feature: Configurable token lifetimes in Microsoft identity platform (Preview).
As it is a preview feature you're not supposed to use it in production environments.
I want to create a VM instance on Azure through an Ansible/shell script from my machine.
Ways I have found:
Installing az cli on my machine, running az login and creating the instance.
Problem with az cli: in this way I can create the instance, but I need a session login for an infinite time unless I log out. If I log out or the system logs me out, then I have to log in manually with the portal to the CLI, which I don't want. Is there any automated process to log in with keys or passwords?
Can anyone suggest how I can achieve this?
For your requirement, you can use the service principal to log in both for the Azure CLI and Ansible. In this way, it works as the username and password so that you need not log in with the portal.
You can follow steps via the Azure CLI command to create the service principal and use it to log in. And the ansible steps here.
I'm struggling to find a way to add/create a key for the app in Azure AD using the CLI.
What I mean by the key is the authentication token with the expiry time under AD -> App Name -> Settings -> Keys.
All of the documentation I have found so far is for adding everything but the key, as if Microsoft again decided that it's better to CLICK like a monkey rather than use the CLI or API.
Is this possible, can you create the key through CLI?
For a new Azure AD app, you could specify a key with Azure CLI 2.0. For example:
az ad app create --display-name "test" --homepage "http://localhost" --identifier-uris "https://localhost" --password "123adfaesdf"
You could use az ad app update to modify expiry time.
However, currently, the Azure CLI does not support adding a new key for an existing app. You could also refer to this similar question.
I want to run a template on Microsoft Azure using an Ansible script. For that I have to set the client_id, secret and tenant_id. I am not sure where I can find them on Microsoft Azure.
Well, for that you have to create an Azure AD Application and use that as an Identity. Here's how you do it: https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/
I see no point in typing all of the article here.
So the clientID is the ID of an application, which you can look up on the portal. The secret is what you create (it is visible only when you create it; after that you can't look it up). And the tenantID is the tenant ID of your Azure AD.
Please be sure which client_id or other things you want.
If you are asking about getting a connection with your Azure account, then it provides 2 things:
an Azure publish settings file and your subscription ID.
So you can check for subscription_id (under Settings on the Azure portal).
HTH