What is Azure Service Principal?

azure azure-cli
BlindSniper picture BlindSniper · Jan 4, 2018 · Viewed 62k times · Source

My requirement is simple. I want to login to Azure through my shell script in non-interactive mode, but "az login -u username -p password" command gives the following error:

Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS70002: Error validating credentials. : SAML token is invalid. : The element with ID 'xxxxxx' was either unsigned or the signature was invalid.

Some site told me to create a service principal. Now my question is, what is a service principal, and how do I create a service principal so that I can execute my commands (for creating different resources like app gateway) from my shell script?

Answer

Shui shengbao picture Shui shengbao · Jan 5, 2018

Please refer to this official document.

An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources. Think of it as a 'user identity' (login and password or certificate) with a specific role, and tightly controlled permissions to access your resources. It only needs to be able to do specific things, unlike a general user identity. It improves security if you only grant it the minimum permissions level needed to perform its management tasks.

If you want to create a new service principal(sp) with Azure CLi 2.0. You could login with your Azure AD user. Then execute following command.

az ad sp create-for-rbac --name {appId} --password "{strong password}"

The result like below:

{
  "appId": "a487e0c1-82af-47d9-9a0b-af184eb87646d",
  "displayName": "MyDemoWebApp",
  "name": "http://MyDemoWebApp",
  "password": {strong password},
  "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

appId is your login user, password is login password.

After the sp is created, you also need give it Contributor role, then you could manage your Azure resource.

az role assignment create --assignee <objectID> --role Contributor

Now, you could login in non interctive mode with following command.

az login --service-principal -u <appid> --password {password-or-path-to-cert} --tenant {tenant}

Related questions

Unable to connect to the server: dial tcp [::1]:8080: connectex: No connection could be made because the target machine actively refused it

Am working on Azure Kubernates where we can store Docker Images in Azure. Here am trying to check my kubectl version, then am getting Unable to connect to the server: dial tcp [::1]:8080: connectex: No connection could be made because the …

Read More
Azure CLI vs Powershell?

Not precisely able to understand the merit of Azure CLI on Windows environment. Is it targetted for the audience who want to manage Azure IAAS from Linux environment? I thought Powershell core is going to be the way for non-Windows …

Read More
Azure CLI in Git Bash

I am trying to use a bash (sh) script on windows to run a test deployment. I am running the script from the gitbash console so that I have a copy of bash, but doing so means that the azure …

Read More