This week I had to repeat the process of creating a Service Principal in order to use the Microsoft.Azure.Management.Fluent lib with .NET Core, so I decided it was time to script the process. With the following script you can create a Service Principal and write the required parameters to a .azureauth file.
You’ll need the AzureRM PowerShell module installed:
Install-Module AzureRM
Here is the code:
<#
.SYNOPSIS
    New-ServicePrincipalAsReader is a PowerShell script to create a read-only Service Principal in Azure.
    The script writes a file ([servicePrincipalName].azureauth) with all the parameters needed to use the Microsoft.Azure.Management.Fluent lib.
    SECURITY: The file [servicePrincipalName].azureauth will contain the key for the Service Principal.

.DESCRIPTION
    New-ServicePrincipalAsReader is a PowerShell script to create a read-only Service Principal in Azure.
    The script writes a file ([servicePrincipalName].azureauth) with all the parameters needed to use the Microsoft.Azure.Management.Fluent lib.
    SECURITY: The file [servicePrincipalName].azureauth will contain the key for the Service Principal.

.PARAMETER subscriptionName
    The name of the subscription to connect to.

.PARAMETER servicePrincipalName
    The name of the Service Principal. Default value is: logReader

.NOTES
    AUTHOR: Carlos Mendible
    LASTEDIT: August 02, 2017
#>
Param(
    [Parameter(Mandatory = $true)]
    [string]$subscriptionName,
    [Parameter(Mandatory = $false)]
    [string]$servicePrincipalName = "logReader"
)

# Generates a random 256-bit AES key and returns it Base64-encoded.
# The key is only used as the Service Principal password, so Mode and Padding
# play no role here: GenerateKey() is what produces the random bytes.
function Create-AesKey() {
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256

    $aesManaged.GenerateKey()
    [System.Convert]::ToBase64String($aesManaged.Key)
}

# Create a Service Principal as subscription Reader.
# The resulting file is compatible with the Microsoft.Azure.Management.Fluent lib.
# SECURITY ALERT: Be careful with the file and its contents.
function New-ServicePrincipalAsReader($subscriptionName, $applicationName) {
    # Login to Azure
    Add-AzureRmAccount

    # Select the subscription
    Write-Host "Selecting subscription '$subscriptionName'"
    $subscriptionId = (Get-AzureRmSubscription -SubscriptionName $subscriptionName).Id
    Set-AzureRmContext -SubscriptionId $subscriptionId

    # Get the Tenant Id
    $tenantId = (Get-AzureRmContext).Tenant.Id

    # Create an AD Application
    Write-Host "Creating the AD Application"
    $application = New-AzureRmADApplication `
        -DisplayName $applicationName `
        -HomePage "http://$applicationName" `
        -IdentifierUris "http://$applicationName"

    # Create the key needed to authenticate with this Application (valid for one year)
    $keyValue = Create-AesKey
    $startDate = Get-Date
    $endDate = $startDate.AddYears(1)

    # Add the key to the Application
    Write-Host "Creating the AD Application Credential"
    New-AzureRmADAppCredential `
        -ApplicationId $application.ApplicationId `
        -Password $keyValue `
        -StartDate $startDate `
        -EndDate $endDate

    # Create the service principal
    Write-Host "Creating the Service Principal"
    $servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $application.ApplicationId
    Get-AzureRmADServicePrincipal -ObjectId $servicePrincipal.Id

    # Make the service principal Reader on the subscription.
    # The role assignment can fail until the new principal has replicated, so retry a few times.
    Write-Host "Set the Principal as Reader"
    $readerRole = $null
    $retries = 0
    while ($null -eq $readerRole -and $retries -le 6) {
        # Sleep here for a few seconds to allow the service principal to become active
        # (should only take a couple of seconds normally)
        Start-Sleep 15

        New-AzureRmRoleAssignment `
            -RoleDefinitionName Reader `
            -ServicePrincipalName $application.ApplicationId `
            -ErrorAction SilentlyContinue

        $readerRole = Get-AzureRmRoleAssignment `
            -ServicePrincipalName $application.ApplicationId `
            -ErrorAction SilentlyContinue

        $retries++
    }

    if ($null -eq $readerRole) {
        Write-Warning "Could not assign the Reader role to '$applicationName'; assign it manually."
    }

    # Write the authentication data to a file. Please be careful with where you save this file!!!
    # Colons are escaped the way the Fluent lib expects. Set-Content overwrites a file left by a
    # previous run instead of appending duplicate entries to it.
    $filePath = Join-Path (Get-Location).Path "$applicationName.azureauth"
    $authLines = @(
        "subscription=$subscriptionId"
        "client=$($application.ApplicationId)"
        "tenant=$tenantId"
        "key=$keyValue"
        "managementURI=https\://management.core.windows.net/"
        "baseURL=https\://management.azure.com/"
        "authURL=https\://login.windows.net/"
        "graphURL=https\://graph.windows.net/"
    )
    Set-Content -Path $filePath -Value $authLines
    Write-Host "Authentication file written to '$filePath'"
}

New-ServicePrincipalAsReader `
    -subscriptionName $subscriptionName `
    -applicationName $servicePrincipalName
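As an added example (mine, not part of the original post or its script), here is a companion script for the step after the one above: it reads the .azureauth file the script writes, restricts the file to the current Windows user, and confirms that the principal holds nothing beyond the Reader role on the subscription, reporting when its key expires. It assumes the AzureRM module is loaded and you are still logged in as the user who ran New-ServicePrincipalAsReader; the function names and the `.\logReader.azureauth` path are my own.

```powershell
# Added example, not from the original post. Assumes AzureRM is loaded and you are
# logged in as the user who created the principal. Function names are mine.

# Parse the .azureauth file. Values carry an escaped colon ("https\://"),
# so the escape is undone while reading.
function Read-AzureAuthFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    $props = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*(#|$)') { continue }      # skip comments and blank lines
        $name, $value = $line -split '=', 2
        if ($null -eq $value) { throw "Malformed line in ${Path}: $line" }
        $props[$name.Trim()] = $value.Trim() -replace '\\:', ':'
    }
    $required = 'subscription', 'client', 'tenant', 'key',
                'managementURI', 'baseURL', 'authURL', 'graphURL'
    foreach ($key in $required) {
        if (-not $props.ContainsKey($key)) { throw "Missing '$key' in $Path" }
    }
    return $props
}

# Restrict the file to the current user: stop ACL inheritance and drop every
# other explicit access rule, since the file holds the principal's key.
function Protect-AzureAuthFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)         # discard inherited rules
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Confirm the principal has only the Reader role at subscription scope and
# show the credential expiry so the key can be rotated in time.
function Test-ReadOnlyServicePrincipal {
    param([Parameter(Mandatory = $true)][hashtable]$Auth)
    $expectedScope = "/subscriptions/$($Auth.subscription)"
    $assignments = @(Get-AzureRmRoleAssignment -ServicePrincipalName $Auth.client)
    $extra = $assignments | Where-Object {
        $_.RoleDefinitionName -ne 'Reader' -or $_.Scope -ne $expectedScope
    }
    foreach ($a in $extra) {
        Write-Warning "Unexpected assignment: $($a.RoleDefinitionName) at $($a.Scope)"
    }
    foreach ($cred in Get-AzureRmADAppCredential -ApplicationId $Auth.client) {
        Write-Host "Credential $($cred.KeyId) valid until $($cred.EndDate)"
    }
    return ($assignments.Count -gt 0 -and -not $extra)
}

# Usage (hypothetical path: the file name follows the servicePrincipalName you chose)
$auth = Read-AzureAuthFile -Path ".\logReader.azureauth"
Protect-AzureAuthFile -Path ".\logReader.azureauth"
if (Test-ReadOnlyServicePrincipal -Auth $auth) { Write-Host "OK: Reader only" }
```

The role and credential queries run under your own login rather than the principal's, so they work even though a Reader principal may not be able to read Azure AD objects itself. Run the check again whenever someone changes role assignments; a principal that was created as Reader does not stay Reader by itself.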
You can download the script from the Technet Script Gallery or collaborate here.
Hope it helps!