Menu
My requirement is simple. I want to login to Azure through my shell script in non-interactive mode, but "az login -u username -p password" command gives the following error:
Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS70002: Error validating credentials. : SAML token is invalid. : The element with ID 'xxxxxx' was either unsigned or the signature was invalid. Some site told me to create a service principal. Now my question is, what is a service principal, and how do I create a service principal so that I can execute my commands (for creating different resources like app gateway) from my shell script?
484
A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
View the service principal Select Azure Active Directory and then select Enterprise applications. Under Application Type, choose All Applications and then select Apply. In the search filter box, type the name of the Azure resource that has managed identities enabled or choose it from the list.
The key difference between Azure service principals and managed identities is that, with the latter, admins do not have to manage credentials, including passwords. To create a managed identity, go the Azure portal and navigate to the managed identity blade. Then, assign a role to the identity.
If you are the admin of your Azure Active Directory, you can grant the user Application administrator role. Then the user will be able to create service principals.
Please refer to this official document.
An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources. Think of it as a 'user identity' (login and password or certificate) with a specific role, and tightly controlled permissions to access your resources. It only needs to be able to do specific things, unlike a general user identity. It improves security if you only grant it the minimum permissions level needed to perform its management tasks.
If you want to create a new service principal(sp) with Azure CLi 2.0. You could login with your Azure AD user. Then execute following command.
az ad sp create-for-rbac --name {appId} --password "{strong password}" The result like below:
{ "appId": "a487e0c1-82af-47d9-9a0b-af184eb87646d", "displayName": "MyDemoWebApp", "name": "http://MyDemoWebApp", "password": {strong password}, "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } appId is your login user, password is login password.
After the sp is created, you also need give it Contributor role, then you could manage your Azure resource.
az role assignment create --assignee <objectID> --role Contributor Now, you could login in non interctive mode with following command.
az login --service-principal -u <appid> --password {password-or-path-to-cert} --tenant {tenant} Service principal just work as an impersonation for user in Azure AD. Refer - https://sanganakauthority.blogspot.com/2019/04/how-to-create-service-principal-or-app.html
Using this you can perform any type of management task against Azure using REST APIs. This way you avoid need of providing credentials in pop up and hence help to automate things in Azure using REST APIs.
25
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
