how to generate token for multiple service principal with different roles ,currently I have set environment variable(using system.getenv()) for one service principal account , please suggest for multiple account
Related
There are 2 commands I am confused for some time:
gcloud iam service-accounts get-iam-policy
gcloud iam service-accounts set-iam-policy
from the --help command, these 2 commands treat service account as a resource, most often I use service account as an identity, for example, in a project, set policy by binding role with service account so this service account can operate on something in that project.
Can someone please point out what is the usage to attach the policy to service account? how does service account act as a resource rather than an identity?
As explained in this below part of the official documentation Managing service accounts
:
When thinking of a service account as a resource, you can grant roles to other users to access or manage that service account.
So, use it as a resource has to goal for you to manage who can use and control the service account. To provide some additional details, as in this example here, with the policies attached to them, you can configure the level of access that different users can have within service accounts - as mentioned there, you can configure that some users have viewer access, while others have editor level.
To summarize, the functinality of attaching policies to a service account is for you to set different levels of access and permissions to users who can access the service account.
I'm trying to create a release pipeline in Azure DevOps. I created an App service resource in Azure and I want to deploy my web-app to this App service through my pipeline. For that I need to create an ARM service connection. Can you please help me with understanding the difference between the types of service connections? Thanks!
What is the difference between Service Principal (automatic) and Service Principal (manual) ?
What is the difference between service principal, managed identity and publish profile?
What is the difference between Service Principal (automatic) and Service Principal (manual) ?
Service Principal (automatic): It will create an AD App along with the service principal in Azure AD for you automatically and use it in the service connection.
Service Principal (manual): You need to create the AD App along with the service principal manually in Azure AD and configure it when you create the service connection.
What is the difference between service principal, managed identity and publish profile?
When you create an AD App(App Registration) in Azure AD, it will create a service principal for you automatically in your Azure AD.
The managed identity is essentially a service principal in your AAD managed by Azure, you can use it to access azure resources in the subscription.
The publish profile is a file used to publish your web app or web job, it includes a username and password, it uses the basic auth to deploy your web app, if you use service principal/managed identity, it uses Azure AD auth.
In the quickstart it talks about creating a service principle for the current user. I want to have more of a hierarchical security structure. I would be the current user and I want to have "super-user" or admin rights to this key vault. However I have created another user that would have lower access rights. For both of these scenarios I gather I need to generate a unique service principle name. How do I generate a service principle name for an arbitrary Azure User?
You can just create another service principal name under your current account for this created user. And you just need to assign the lower access rights to the key vault for this service principal. Then the user can access to the key vault with this service principal which has lower access permission.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. You can create as many as service principals as you want for different access permissions. If you want to generate a service principal under the created user account, you might have to login as this created user. Otherwise, i am afraid it cannot be done.
You can also set the access permission for this user to this key vault directory without using service principal. See here
az keyvault set-policy --name keyVaultName --object-id userObjectId --secret-permissions permissions --key-permissions permissions
You can get the user's Object id with below command: See here
az ad user show --id <email-address-of-user>
I have a project whose resources spanned across 3 resource groups. I want to create a Service connection scoped to all those resource groups so that i can manage access at one place through that service connection. Currently i created 3 service connections scoped to each resource group. I don't want to scope it to subscription since there are other teams handling projects in that subscription. It will give me maintenance and audit issues in the future.
If i create a service principal and assign it to 3 resource groups and then attach this service principal to service connection then would it be good design?
Is there any better way to achieve this ?
When you create a new Service Connection in the Azure DevOps, it will create an Azure AD app registration, and a new service principal will be created for the Resource Group you choose.
So you can just go to any resource group and then add a principal using the Access control (IAM). Select the Add role assignment option and then select the role as a contributor in the role grid, press next. From the next screen, select user, group, or service principal as the option for Assign access to. Click on the + Select members, search for our AD Registered app name, the display name and then select the same from the result, click on the select button. Finally, click the Review + assign button.
I have written a detailed article to explain the steps, you can read that here.
You don't have to create the service principal manually. You can use the interface to create the service principal, grant permissions on the first resource group and configure the connection automatically for you.
Then once it's done, look at the service connection to identify the service principal in use, and give it permissions on the other resource groups.
And yes it is a good design, the only drawback compared to 3 service principals is that you have less granularity over who in Azure DevOps has access to each of these 3 resource groups via permissions on the service service connection(s) (as you only have one and not 3)
Azure Active Directory has the nice concept of applications and service principals to authenticate as an application e. g. for a CI platform or SaaS application.
Now there are multiple ways to create those like using MSOL with the cmdlet:
New-MsolServicePrincipal -DisplayName "My new API app" -Type password -Value $myClientSecret
This works perfectly fine (after I assign some roles to the service principal using Add-MsolRoleMember, I can access the Graph API). But I still have some questions:
Why does this cmdlet doesn't require to create the application first?
Does this cmdlet create both - an application and a service principal?
Why I don't see the application neither in the classic nor the new azure portal?
And maybe someone can answer me a fourth question: What is the difference between the above MSOL cmdlets and New-AzureRmADApplication + New-AzureRmADServicePrincipal cmdlet? When should I use which of them?
The ARM cmdlets and the new Azure AD v2 cmdlets both use the Azure AD Graph API.
However, New-MsolServicePrincipal does not. It calls out to https://provisioningapi.microsoftonline.com/provisioningwebservice.svc using SOAP. It is a legacy API and you should not be using it.
A service principal must always have an appId, that is the client id of the Application from which it was created.
The field appOwnerTenantId identifies from what tenant the app came from. It can be null. This is the case for MS internal applications like the Graph API, Azure Portals etc. But also service principals created with New-MsolServicePrincipal, and leaving out the appId.
So the answer to question 1 and 2 is: an Application is automatically created if none is specified. But I am not sure where it is created, as it is not available through the Graph API. It is a pure service identity. And the appId is different each time, so it is not just using some placeholder app.
As for question 3: the reason you don't see the Application in the portal is because it is not available through the Graph API, it is hidden somewhere. As for the Service Principal, a very specific magic tag is required for the principal to show up in the Enterprise Applications list. And AFAIK, you can't specify it with New-MsolServicePrincipal or New-AzureRmADServicePrincipal.
The answer to your fourth question is that the MSOL cmdlets use a legacy API, whereas the two newer options use the Azure AD Graph API. And the ARM cmdlets create an application that you can see in the Portal. They still create one you can't see in the Enterprise Applications list.
The behaviour of the different cmdlets differs when it comes to creating service principals without an app though:
New-MsolServicePrincipal: Creates the principal with some kind of hidden app, similar to MS internal apps (also sets servicePrincipalType=Legacy)
New-AzureRmADServicePrincipal: Creates an application for you and then creates the service principal (the app is visible in Portal, but the principal is only visible through the app's blade, because of missing tag)
New-AzureADServicePrincipal: Does not allow you to create it without providing an appId
If you want the principal to show up in the Enterprise Applications list as if you created it through the portal, you can provide the tag necessary with the v2 cmdlet:
New-AzureADServicePrincipal -Tags #("WindowsAzureActiveDirectoryIntegratedApp") -AppId ed5fa582-3991-4114-87da-30081c4105fb
The new v2 cmdlets are the best in my opinion, at least they allow you to create a service principal in a manner similar to what the Portal does. The ARM cmdlets are fine if your purpose is to create a service identity for using RBAC in the ARM API, as the principal is visible for that.
1 and 2 - probably it is using existing office 365 application in the tenant (I believe it is hidden)?
3 - Since you created a service principal, you need to look at enterprise applications in the Azure portal to see the service principals objects in your tenant (rather than the applications tab).
4 - this link
Application object
An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered, known as the application's "home" tenant. The application object provides identity-related information for an application, and is the template from which its corresponding service principal object(s) are derived for use at run-time.
Consider the application object as the global representation of your application (for use across all tenants), and the service principal as the local representation (for use in a specific tenant). The Azure AD Graph Application entity defines the schema for an application object. An application object therefore has a 1:1 relationship with the software application, and a 1:n relationship with its corresponding n service principal object(s).
Service principal object
The service principal object defines the policy and permissions for an application, providing the basis for a security principal to represent the application when accessing resources at run-time. The Azure AD Graph ServicePrincipal entity defines the schema for a service principal object.
Before an Azure AD tenant will allow an application to access the resources it is securing, a service principal must be created in the given tenant. The service principal provides the basis for Azure AD to secure the application's access to resources owned by users from that tenant. A single-tenant application will have only one service principal (in its home tenant). A multi-tenant Web application will also have a service principal in each tenant where an administrator or user(s) from that tenant have given consent, allowing it to access their resources. Following consent, the service principal object will be consulted for future authorization requests.