Create Azure Service Principal using CLI

An Azure service principal is an identity used by automated tools, applications, and other hosted services. In this post, we show how to create a service principal with the Azure CLI from a bash script.

Introduction

There are different scenarios in which we need a more restricted identity to access and manage Azure resources. For example, applications, hosted services, or automated tools might need access to Azure resources. It is not recommended to use a normal user identity in these situations.

Instead of a fully privileged user principal, we should use an Azure identity called a service principal. A service principal allows us to restrict access to Azure resources by defining roles and scopes. The result is an identity with the smallest permission set it needs, following the principle of least privilege.

Permission Requirements

You must have sufficient permission to create a service principal in your tenant. In addition, to assign a role to a service principal, you must hold the Owner or User Access Administrator role on the scope you are assigning.

Create Service Principal

Creating a service principal is easy using the command below:

az ad sp create-for-rbac

The important optional parameters are name, role, and scopes. The name is the display name of the service principal. We use role and scopes to restrict the permissions. Here is an example script:

Access the Github code repository here.

#!/bin/bash
# Abort on the first failing az command instead of continuing with an empty value
set -euo pipefail

# ANSI colours: a single ESC (\e) followed by the CSI sequence
GREEN=$'\e[0;32m'
BLUE=$'\e[1;34m'
NC=$'\e[0m' # No Color

###################### Select default subscription ######################
echo
echo "${GREEN}Select your Azure Subscription OR press Enter to use the default ${NC}"
echo
az account list -o table
echo
read -r -p "Name or ID of the subscription: " subscription
if [ -z "$subscription" ]
then
        echo "${GREEN}No subscription entered, using default subscription${NC}"
else
        echo "${GREEN}Setting selected subscription ...${NC}"
        # Quoted: subscription names may contain spaces
        az account set --subscription "$subscription"
fi
subscriptionID=$(az account show --query id -o tsv)
# Verify the ID of the active subscription
echo "${GREEN}Using subscription ID:${BLUE} $subscriptionID${NC}"

###################### Creating Service Principal ######################
echo
read -r -p "Enter the Service Principal name you wish to create [${GREEN}Postfix '-sp' will be added${NC}]: " servicePrincipalName
servicePrincipalName="${servicePrincipalName}-sp"

read -r -p "Enter the role name to be assigned to service principal: " roleName

read -r -p "Enter the resource group name for role assignment scope: " resourceGroup
if [ -z "$resourceGroup" ]
then
        # Without this check the scope would end in "resourceGroups/" and the call would fail
        echo "A resource group name is required for a resource-group scope" >&2
        exit 1
fi
echo

scope="/subscriptions/$subscriptionID/resourceGroups/$resourceGroup"
echo "${GREEN}Creating SP for RBAC with name $servicePrincipalName, with role $roleName and in scopes $scope${NC}"
echo
# Quoted arguments: built-in role names such as "User Access Administrator" contain spaces
az ad sp create-for-rbac --name "$servicePrincipalName" --role "$roleName" --scopes "$scope"

Run the script:

bash sp_create.sh

Variables

The script first prompts you to set the working subscription in which the service principal is created. It then asks for a name for the service principal. Finally, it assigns a role to the service principal from the role name you enter (such as "Reader" or "Contributor") and the scope of the role assignment. In this script, the scope is fixed at the resource group level; if you wish to change the scope, you need to modify the script accordingly.
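The script above hard-codes the resource-group level. The helper below is an added example, not part of the original script: it builds the --scopes value at subscription, resource-group or single-resource level and refuses to emit a malformed scope (a non-GUID subscription ID, a blank resource group, or a resource without a group) before anything reaches az. The name checks are a simplified, ASCII-only reading of Azure's naming rules (an assumption, not the authoritative validation).

```shell
#!/bin/sh
# Build the --scopes argument for `az ad sp create-for-rbac`.
# Usage: build_scope <subscriptionId> [resourceGroup] [Provider/type/name]
# Prints the scope on success; prints an error and returns 1 on bad input.
build_scope() {
    sub="$1"; rg="${2:-}"; res="${3:-}"
    guid='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

    # Subscription IDs are GUIDs; anything else usually means `az account show`
    # failed or a subscription *name* was pasted instead of its ID.
    if ! printf '%s' "$sub" | grep -Eq "$guid"; then
        echo "error: '$sub' is not a subscription ID (expected a GUID)" >&2
        return 1
    fi
    scope="/subscriptions/$sub"

    # Resource group: 1-90 chars from a limited charset, no trailing period
    # (simplified ASCII version of the Azure rule; assumption).
    if [ -n "$rg" ]; then
        case "$rg" in
            *.) echo "error: resource group name may not end in a period" >&2; return 1 ;;
        esac
        if ! printf '%s' "$rg" | grep -Eq '^[A-Za-z0-9._()-]{1,90}$'; then
            echo "error: '$rg' is not a valid resource group name" >&2
            return 1
        fi
        scope="$scope/resourceGroups/$rg"
    fi

    # Single resource (narrowest scope): needs a resource group and a
    # provider/type/name path such as Microsoft.Storage/storageAccounts/stapp01.
    if [ -n "$res" ]; then
        if [ -z "$rg" ]; then
            echo "error: a resource-level scope requires a resource group" >&2
            return 1
        fi
        if ! printf '%s' "$res" | grep -Eq '^Microsoft\.[A-Za-z]+/[A-Za-z]+/[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$'; then
            echo "error: '$res' must look like Microsoft.Provider/type/name" >&2
            return 1
        fi
        scope="$scope/providers/$res"
    fi
    printf '%s\n' "$scope"
}

# Constructed sample values: narrow a service principal to one storage account.
build_scope "11111111-2222-3333-4444-555555555555" "rg-app" "Microsoft.Storage/storageAccounts/stapp01"
```

Feed the printed value to --scopes in place of the resource-group string the script builds; the narrower the scope, the less a leaked secret can reach.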

Output

The output of the script includes the service principal credentials (the password), which you need to protect. Make sure to save the password. If you lose the password, it is possible to reset the credentials. By default, the credentials are valid for 1 year. If you wish to change the validity period, use the --years option of az ad sp create-for-rbac.

The output also includes the tenant ID and the AppId, which are both required for Azure CLI login.

Login with service principal

Once the service principal is created, you can use its identity to sign in to the Azure CLI:

az login --service-principal --username appID --password PASSWORD --tenant tenantID

Then go ahead and use this identity for the intended actions.

Manage service principals

The most useful commands for managing your service principals are those for listing and deleting them.

List

You can list your service principals using the command below:

az ad sp list --show-mine

Delete

Delete a service principal using the command below. The ID can be retrieved with the list command.

az ad sp delete --id 00000000-0000-0000-0000-000000000000

Notes

Currently, a service principal can only be created directly through the Azure CLI or PowerShell. However, when you create an application through the Azure portal, a service principal identity is automatically created along with the application object. Read more here.

It is possible to authenticate your service principal using a certificate instead of password authentication. Please refer to this source to learn more.

If you need to assign fine-grained permissions to the service principal, consider using a custom role. I wrote another blog post explaining how to do that.

Resources 

  • jiasli’s great blog post