Create service principal programmatically in Azure Python API - McMap

About

Create service principal programmatically in Azure Python API

Asked 24/12, 2017 at 4:44 Answered 19/9, 2023 at 13:32

Solved python azure rbac service-principal

S

2

3

How can I, using the Azure Python API, create a full set of credentials that can later be used to start and deallocate all VMs in a named resource group, without any other permissions?

I have thoroughly researched the example code and both official and unofficial documentation, but I don't even know where to start...

I know I will need a tenant ID, client ID, client secret and subscription ID. Which of those can I make using an API, and how would I go about assigning roles to allow for starting/deallocating VMs of an existing resource group?

Sample code highly sought after, but will take any hint!

Shulem answered 24/12, 2017 at 4:44 Comment(3)

it would be so much easier doing this manually. why do you want to créate service principal in code when its a 1 time thing? – Striking 24/12, 2017 at 7:27

Because, why do a computer's job? My program sets up custom tailored clusters from scratch, and this is the last step. If user intervention i required it defeats the purpose of the app. – Shulem 24/12, 2017 at 8:47

Well its not for automation's sake :) phew I guess I'm lucky! – Shulem 24/12, 2017 at 12:3

C

6

You need the azure-graphrbac package to create a Service Principal:

https://learn.microsoft.com/python/api/overview/azure/activedirectory

The closer to a sample might be this unittest:

https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/graphrbac/azure-graphrbac/tests/test_graphrbac.py

For role and permissions, you need azure-mgmt-authorization:

https://learn.microsoft.com/python/api/overview/azure/authorization

Best sample for this one, is probably the sub-part of this sample:

https://github.com/Azure-Samples/compute-python-msi-vm#role-assignement-to-the-msi-credentials

"msi_identity" is a synonym of "service principal" in your context.

Note that all of this is supported by the CLI v2.0:

It might be interested to test the CLI in --debug mode and sniffing in the code repo at the same time:

https://github.com/Azure/azure-cli

(full disclosure, I work at MS in the Azure SDK for Python team)

Christinchristina answered 24/12, 2017 at 7:30 Comment(9)

Updated link for the first unittest: github.com/Azure/azure-sdk-for-python/blob/master/sdk/graphrbac/… – Czarist 26/6, 2019 at 17:51

@Laurent, Can Microsoft add more description and comments in their unittest and SDK modules docs? It seems like there is nothing in code or on any packages or modules at all. – Prison 23/12, 2019 at 15:17

Could you create an issue in the azure sdk for python repo asking for more doc and things you need? Thanks! github.com/Azure/azure-sdk-for-python/issues – Christinchristina 24/12, 2019 at 0:3

@LaurentMazuel I was looking at the role assignment step in your answer. I see that the authorization_client.role_assignments.create() is taking in a res_group_id,role_assign_name and a role_assign_parameter) However, I was looking at the offical doc at learn.microsoft.com/en-us/python/api/azure-mgmt-authorization/azure.mgmt.authorization.v2018_09_01_preview.operations.roleassignmentsoperations?view=azure-python#create-scope--role-assignment-name--parameters--custom-headers-none--raw-false----operation-config- I see it's take a parameter called 'scope' instead of the 'res_group_id'? – Prison 23/1, 2020 at 16:31

The scope can be any REST resource instance. For example, use '/subscriptions/{subscription-id}/' for a subscription, '/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}' for a resource group. So res_group_id is a valid scope – Christinchristina 24/1, 2020 at 17:59

@LaurentMazuel I tried the test code you provided above, but once I tried it I got hit by this exception " raise models.GraphErrorException(self._deserialize, response) azure.graphrbac.models.graph_error_py3.GraphErrorException: Insufficient privileges to complete the operation." do know what should I do? – Herra 20/4, 2020 at 15:21

You need to discuss with your Azure admin, as the message says there is insufficient permissions for this operation. – Christinchristina 21/4, 2020 at 22:29

@LaurentMazuel, what permission levels are required to create a service principal programmatically via the python SDK? I had to have GA create this. Would be nice to know what the minimum perm level is so we can enable a more self-service solution. Thank you. – Cathiecathleen 30/4, 2020 at 4:51

@LennartRolland, did you ever get a solution put together here? It would be of great benefit to share. – Cathiecathleen 30/4, 2020 at 4:52

E

0

To anyone still arriving at this question, python's azure-rbac has been deprecated since December 20, 2022 (but not widely documented, at the time of this comment).

Seems like the Azure CLI is the best solution right now , with Graph API being another possible course but that's also not very documented.

Eutectoid answered 19/9, 2023 at 13:32 Comment(0)

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.