
How can I, using the Azure Python API, create a full set of credentials that can later be used to start and deallocate all VMs in a named resource group, without any other permissions?

I have thoroughly researched the example code and both official and unofficial documentation, but I don't even know where to start...

I know I will need a tenant ID, client ID, client secret and subscription ID. Which of those can I make using an API, and how would I go about assigning roles to allow for starting/deallocating VMs of an existing resource group?

Sample code highly sought after, but will take any hint!

Mr. Developerdude

1 Answer


You need the azure-graphrbac package to create a Service Principal:

The closest thing to a sample might be this unittest:

For role and permissions, you need azure-mgmt-authorization:

Best sample for this one is probably the sub-part of this sample:

"msi_identity" is a synonym of "service principal" in your context.

Note that all of this is supported by the CLI v2.0:

It might be interesting to test the CLI in --debug mode and sniff around in the code repo at the same time:

(full disclosure, I work at MS in the Azure SDK for Python team)

Laurent Mazuel
  • Updated link for the first unittest: https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/graphrbac/azure-graphrbac/tests/test_graphrbac.py – Jason Wolosonovich Jun 26 '19 at 17:51
  • 1
    @Laurent, Can Microsoft add more description and comments in their unittest and SDK modules docs? It seems like there is nothing in code or on any packages or modules at all. – user1655072 Dec 23 '19 at 15:17
  • Could you create an issue in the azure sdk for python repo asking for more doc and things you need? Thanks! https://github.com/Azure/azure-sdk-for-python/issues – Laurent Mazuel Dec 24 '19 at 00:03
  • 1
    @LaurentMazuel I was looking at the role assignment step in your answer. I see that the authorization_client.role_assignments.create() is taking in a res_group_id,role_assign_name and a role_assign_parameter) However, I was looking at the offical doc at learn.microsoft.com/en-us/python/api/azure-mgmt-authorization/azure.mgmt.authorization.v2018_09_01_preview.operations.roleassignmentsoperations?view=azure-python#create-scope--role-assignment-name--parameters--custom-headers-none--raw-false----operation-config- I see it's take a parameter called 'scope' instead of the 'res_group_id'? – user1655072 Jan 23 '20 at 16:31
  • The scope can be any REST resource instance. For example, use '/subscriptions/{subscription-id}/' for a subscription, '/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}' for a resource group. So res_group_id is a valid scope – Laurent Mazuel Jan 24 '20 at 17:59
  • @LaurentMazuel I tried the test code you provided above, but once I tried it I got hit by this exception " raise models.GraphErrorException(self._deserialize, response) azure.graphrbac.models.graph_error_py3.GraphErrorException: Insufficient privileges to complete the operation." Do you know what I should do? – Alber Tadrous Apr 20 '20 at 15:21
  • You need to discuss with your Azure admin, as the message says there is insufficient permissions for this operation. – Laurent Mazuel Apr 21 '20 at 22:29
  • @LaurentMazuel, what permission levels are required to create a service principal programmatically via the python SDK? I had to have GA create this. Would be nice to know what the minimum perm level is so we can enable a more self-service solution. Thank you. – SeaDude Apr 30 '20 at 04:51
  • @LennartRolland, did you ever get a solution put together here? It would be of great benefit to share. – SeaDude Apr 30 '20 at 04:52
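Putting the answer and the comment thread together (azure-graphrbac for the app and service principal, azure-mgmt-authorization for the role, and the resource-group scope format from the comments), here is an added, end-to-end example that is not from the answer or from the Azure SDK itself. It goes one step further than the answer by creating a custom role containing only the VM read, start and deallocate actions (read is included because listing VMs in the group needs it), so the resulting principal has no other permissions. Assumptions: azure-graphrbac 0.40+ and azure-mgmt-authorization 0.50+ (flat RoleAssignmentCreateParameters), Python 3.6+, and that the caller already holds admin credentials for both the AAD Graph endpoint and ARM; the role name, display name and one-year secret lifetime are arbitrary choices.

```python
import secrets
import uuid
from datetime import datetime, timedelta

# Least-privilege action set: only what start/deallocate needs, plus read so VMs in the group can be listed.
VM_POWER_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
]

def resource_group_scope(subscription_id, resource_group):
    """ARM scope of a resource group: the 'scope' argument of role_assignments.create()."""
    return "/subscriptions/%s/resourceGroups/%s" % (subscription_id, resource_group)

def vm_power_role_spec(scope):
    """Custom role limited to VM_POWER_ACTIONS and assignable only inside `scope`."""
    return {
        "role_name": "VM Power Operator %s" % scope.rsplit("/", 1)[-1],
        "description": "Start and deallocate virtual machines only",
        "actions": list(VM_POWER_ACTIONS),
        "assignable_scopes": [scope],
    }

def create_vm_power_principal(graph_creds, arm_creds, tenant_id, subscription_id, resource_group, name):
    """Create app + service principal, the custom role and its assignment at resource-group scope.
    graph_creds: ServicePrincipalCredentials with resource="https://graph.windows.net"; arm_creds: ARM
    credentials of an admin allowed to create role definitions and assignments (assumed, see lead-in).
    Returns (client_id, client_secret, tenant_id, subscription_id) for the new, restricted principal."""
    # SDK imports are local so the pure helpers above stay importable without the Azure packages.
    from azure.graphrbac import GraphRbacManagementClient
    from azure.graphrbac.models import ApplicationCreateParameters, PasswordCredential, ServicePrincipalCreateParameters
    from azure.mgmt.authorization import AuthorizationManagementClient
    from azure.mgmt.authorization.models import Permission, RoleAssignmentCreateParameters, RoleDefinition
    secret = secrets.token_urlsafe(32)  # the new principal's client secret: return it, never log it
    now = datetime.utcnow()
    graph = GraphRbacManagementClient(graph_creds, tenant_id)
    app = graph.applications.create(ApplicationCreateParameters(
        available_to_other_tenants=False, display_name=name, identifier_uris=["http://%s" % name],
        password_credentials=[PasswordCredential(start_date=now, end_date=now + timedelta(days=365),
                                                 key_id=str(uuid.uuid4()), value=secret)]))
    sp = graph.service_principals.create(ServicePrincipalCreateParameters(app_id=app.app_id, account_enabled=True))
    scope = resource_group_scope(subscription_id, resource_group)
    spec = vm_power_role_spec(scope)
    auth = AuthorizationManagementClient(arm_creds, subscription_id)
    role = auth.role_definitions.create_or_update(scope, str(uuid.uuid4()), RoleDefinition(
        role_name=spec["role_name"], description=spec["description"], role_type="CustomRole",
        permissions=[Permission(actions=spec["actions"])], assignable_scopes=spec["assignable_scopes"]))
    auth.role_assignments.create(scope, str(uuid.uuid4()), RoleAssignmentCreateParameters(
        role_definition_id=role.id, principal_id=sp.object_id))
    return app.app_id, secret, tenant_id, subscription_id
```

The returned tuple is exactly the four values the question lists; the tenant and subscription IDs are pre-existing, only the client ID and secret are created. Directory replication can make the final role assignment fail with a "principal not found" error for a short time after the service principal is created, so in practice wrap that last call in a retry.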