day.4.creating.a.service.principal.linux.in.plain.english.md

File metadata and controls

62 lines (43 loc) · 2.45 KB

Day 4 - Creating a Service Principal in Azure in plain English (Linux Edition)

When using Azure, there are several reasons why you may need to create a Service Principal, such as:

  • Kubernetes
  • Ansible
  • Custom Applications

While Microsoft's Official Documentation tells you everything you need to know, we wanted to provide you with a quick and safe way to create a new Service Principal without using the Azure Portal and in a way that can be programmatically integrated into your existing IaC automation. Follow the directions below to create a Service Principal in Azure using the Azure CLI.

Note: This article was tested on Ubuntu 18.04.3 LTS


SPONSOR: Need to stop and start your development VMs on a schedule? The Azure Resource Scheduler lets you schedule up to 10 Azure VMs for FREE! Learn more HERE


Create the Service Principal

Use the Azure CLI to create a new Service Principal in the target Azure Subscription.

AZURE_SP=$(/usr/bin/az ad sp create-for-rbac \
--role "contributor" \
--name "iac-sp" \
--years 3)

Note: When you don't supply a value for --role, older versions of the Azure CLI grant the Service Principal Contributor rights across the entire Subscription (current versions no longer assign any role unless you pass --role and --scopes). Additionally, the credentials are valid for 1 year by default. For a deployment credential, pass --scopes with the resource group (or narrower) that the automation actually manages; a Contributor assignment at Subscription scope lets anyone who obtains the password change every resource in the Subscription.

You should see output like the following (the Subscription ID will be your own). The "Retrying role assignment creation" lines are normal: the CLI is waiting for the newly created principal to propagate before the role assignment can be applied.

Changing "iac-sp" to a valid URI of "http://iac-sp", which is the required format used for service principal names
Creating a role assignment under the scope of "/subscriptions/00000000-0000-0000-0000-000000000000"
  Retrying role assignment creation: 1/36
  Retrying role assignment creation: 2/36
  Retrying role assignment creation: 3/36

Retrieve and Store the Service Principal Password

The password that was automatically generated by Azure for the Service Principal is retrievable from the $AZURE_SP variable, which holds the CLI's JSON output (appId, displayName, name, password and tenant).

You can print it with the following command. jq's -r flag emits the raw string, so there is no need to strip the surrounding quotes with tr. Be aware that the value lands in your terminal scrollback, so avoid doing this on a shared or recorded screen.

echo "$AZURE_SP" | jq -r '.password'

You can use the following syntax to store the password in a variable and then add it to an existing Azure Key Vault. The same JSON also carries the appId and tenant values that any client will need to log in as this principal; store those alongside the password so the credential is usable from your automation without anyone having to look them up later.

IAC_SP_PASSWORD=$(echo "$AZURE_SP" | jq -r '.password')

/usr/bin/az keyvault secret set \
--name "iac-sp-password" \
--vault-name "myiacvault" \
--value "$IAC_SP_PASSWORD" \
--output none
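The three steps above (create the principal, pull the credential out of the JSON, store it in Key Vault) as one script, added here as an example and not part of the original article. It differs from the walkthrough in two ways a practitioner would want: the Contributor assignment is pinned to a single resource group with --scopes rather than the whole Subscription, and appId and tenant are stored next to the password so the secret is actually usable from automation. It assumes a logged-in az CLI, jq on the PATH, and the hypothetical names iac-sp, myiacvault and iac-rg; SAMPLE_SP_JSON is a constructed stand-in for the CLI's output and contains no real credential.

```shell
#!/usr/bin/env bash
# Added example (not the article's own script): create a Service Principal
# whose Contributor role is scoped to one resource group, then store appId,
# tenant and password in Key Vault. Assumed names: SP "iac-sp", vault
# "myiacvault". Requires a logged-in az CLI and jq.
set -eu

SP_NAME="${SP_NAME:-iac-sp}"
VAULT_NAME="${VAULT_NAME:-myiacvault}"

# Constructed sample of what `az ad sp create-for-rbac` prints; not real values.
SAMPLE_SP_JSON='{ "appId": "11111111-1111-1111-1111-111111111111",
  "displayName": "iac-sp", "name": "http://iac-sp",
  "password": "not-a-real-secret",
  "tenant": "22222222-2222-2222-2222-222222222222" }'

# Extract one field from the CLI's JSON. `-r` prints the raw string (no
# quotes to strip); `-e` fails on null, so a missing field aborts the run
# instead of silently storing the word "null" in Key Vault.
sp_field() {
  printf '%s' "$1" | jq -er --arg f "$2" '.[$f]'
}

# Refuse a bare Subscription scope: an IaC credential should be pinned to a
# resource group (or narrower), not granted Contributor over everything.
check_scope() {
  case "$1" in
    /subscriptions/*/resourceGroups/*) return 0 ;;
    *) echo "refusing non-resource-group scope: $1" >&2; return 1 ;;
  esac
}

# Build the role-assignment scope for a resource group in the active Subscription.
rg_scope() {
  local sub_id
  sub_id=$(az account show --query id -o tsv)
  printf '/subscriptions/%s/resourceGroups/%s' "$sub_id" "$1"
}

# Create the principal. The JSON is returned to the caller and never echoed.
create_sp() {
  check_scope "$1"
  az ad sp create-for-rbac \
    --name "$SP_NAME" \
    --role "Contributor" \
    --scopes "$1" \
    --output json
}

# Store everything a client needs to log in, not just the password.
store_sp() {
  local field
  for field in appId tenant password; do
    az keyvault secret set \
      --vault-name "$VAULT_NAME" \
      --name "${SP_NAME}-${field}" \
      --value "$(sp_field "$1" "$field")" \
      --output none
  done
}

# Usage: ./create-sp.sh <resource-group>. With no argument it only prints
# usage, so sourcing or running the file without a target touches nothing.
main() {
  if [ $# -ne 1 ]; then
    echo "usage: $0 <resource-group>" >&2
    return 0
  fi
  local sp_json
  sp_json=$(create_sp "$(rg_scope "$1")")
  store_sp "$sp_json"
  echo "stored ${SP_NAME}-{appId,tenant,password} in ${VAULT_NAME}"
}

main "$@"
```

To confirm the stored credential works, log in with it from a separate session: az login --service-principal -u "$(az keyvault secret show --vault-name myiacvault --name iac-sp-appId --query value -o tsv)" -p "<iac-sp-password>" --tenant "<iac-sp-tenant>", then az account show. Note that az login replaces the CLI's current account, so do it in a throwaway shell.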