61

My requirement is simple. I want to log in to Azure through my shell script in non-interactive mode, but the "az login -u username -p password" command gives the following error:

Get Token request returned http error: 400 and server response:
{"error":"invalid_grant","error_description":"AADSTS70002: Error
validating credentials. : SAML token is invalid. : The element 
with ID 'xxxxxx' was either unsigned or the signature was 
invalid.

Some site told me to create a service principal. Now my question is, what is a service principal, and how do I create a service principal so that I can execute my commands (for creating different resources like app gateway) from my shell script?

toraritte
BlindSniper

3 Answers

76

Please refer to this official document.

An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources. Think of it as a 'user identity' (login and password or certificate) with a specific role, and tightly controlled permissions to access your resources. It only needs to be able to do specific things, unlike a general user identity. It improves security if you only grant it the minimum permissions level needed to perform its management tasks.

If you want to create a new service principal (sp) with Azure CLI 2.0, you could log in with your Azure AD user, then execute the following command.

az ad sp create-for-rbac --name {appId} --password "{strong password}"

The result looks like below:

{
  "appId": "a487e0c1-82af-47d9-9a0b-af184eb87646d",
  "displayName": "MyDemoWebApp",
  "name": "http://MyDemoWebApp",
  "password": "{strong password}",
  "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

appId is your login user; password is your login password.

After the sp is created, you also need to give it the Contributor role; then you could manage your Azure resources.

az role assignment create --assignee <objectID> --role Contributor

Now, you could log in in non-interactive mode with the following command.

az login --service-principal -u <appid> --password {password-or-path-to-cert} --tenant {tenant}

Shui shengbao
  • What is appid here? My problem is that I need several resources to be deployed based on a certain calculation in shell; the resources could be a public IP or an application gateway etc. – BlindSniper Jan 05 '18 at 08:13
  • If you want to deploy resources to Azure, you need to create a sp and give it the owner role; of course you could give it a custom role that only could create public IP and gateway. – Shui shengbao Jan 05 '18 at 08:17
  • 3
    When you log in to Azure with CLI 2.0, appid is the user name. It is also called client id. password is called client secret. – Shui shengbao Jan 05 '18 at 08:18
  • Appid is the new user or my existing login id – BlindSniper Jan 05 '18 at 08:18
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/162572/discussion-between-shengbao-shui-msft-and-blindsniper). – Shui shengbao Jan 05 '18 at 08:19
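As an added example (not code from the answer above or from the Azure CLI project), here is a POSIX shell wrapper around the non-interactive login step the answer ends with. It reads the appId, tenant and credential from environment variables instead of hard-coding them in the script, validates them before calling `az`, and prefers a PEM certificate file over a client secret (the `--password` argument accepts either, as the answer notes). The variable names AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_CERT_PATH and AZURE_CLIENT_SECRET, and the helper names is_guid, credential_kind and sp_login, are this example's own choices.

```shell
#!/bin/sh
# Added example: fail-closed wrapper for `az login --service-principal`.
# Assumed environment variables (names chosen for this example):
#   AZURE_CLIENT_ID        appId returned by `az ad sp create-for-rbac`
#   AZURE_TENANT_ID        tenant id from the same output
#   AZURE_CLIENT_CERT_PATH PEM file with private key + certificate (preferred)
#   AZURE_CLIENT_SECRET    client secret (fallback)

# Return 0 when $1 has the 8-4-4-4-12 hex shape of an Azure AD id.
is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print "cert" or "secret" depending on which credential is configured.
# A certificate file is preferred: the path is all that appears on the
# command line, whereas a secret passed via -p is visible in `ps` output.
credential_kind() {
    if [ -n "${AZURE_CLIENT_CERT_PATH:-}" ]; then
        [ -r "$AZURE_CLIENT_CERT_PATH" ] || { echo "cert file not readable: $AZURE_CLIENT_CERT_PATH" >&2; return 1; }
        echo cert
    elif [ -n "${AZURE_CLIENT_SECRET:-}" ]; then
        echo secret
    else
        echo "set AZURE_CLIENT_CERT_PATH or AZURE_CLIENT_SECRET" >&2
        return 1
    fi
}

# Log in as the service principal. Returns non-zero on any validation
# failure so a deploy script can `sp_login || exit 1` before creating
# public IPs, application gateways, etc.
sp_login() {
    is_guid "${AZURE_CLIENT_ID:-}" || { echo "AZURE_CLIENT_ID is not a GUID" >&2; return 1; }
    is_guid "${AZURE_TENANT_ID:-}" || { echo "AZURE_TENANT_ID is not a GUID" >&2; return 1; }
    kind=$(credential_kind) || return 1
    if [ "$kind" = cert ]; then
        cred=$AZURE_CLIENT_CERT_PATH
    else
        cred=$AZURE_CLIENT_SECRET
    fi
    # --output none keeps the subscription/tenant JSON out of CI logs.
    az login --service-principal -u "$AZURE_CLIENT_ID" -p "$cred" \
        --tenant "$AZURE_TENANT_ID" --output none
}

# Usage from a deploy script (needs a real `az` on PATH):
#   export AZURE_CLIENT_ID=... AZURE_TENANT_ID=... AZURE_CLIENT_CERT_PATH=sp.pem
#   sp_login || exit 1
#   az network public-ip create ...
```

Two things follow from the comment thread above. First, the certificate path exists because `az ad sp create-for-rbac --create-cert` can generate a self-signed certificate for the principal, so the script never has to hold a reusable secret. Second, rather than handing the principal Owner or Contributor on the whole subscription, `az ad sp create-for-rbac` accepts `--role` and `--scopes`, so the principal can be limited to the one resource group the script deploys into, which is the "minimum permissions" the answer's quoted document recommends.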
9

A service principal just works as an impersonation of a user in Azure AD. Refer to https://sanganakauthority.blogspot.com/2019/04/how-to-create-service-principal-or-app.html

Using this you can perform any type of management task against Azure using REST APIs. This way you avoid the need to provide credentials in a pop-up and hence help to automate things in Azure using REST APIs.

kunal
5

Here you go: Use the portal to create an Azure Active Directory application and service principal that can access resources.

When you have an application that needs to access or modify resources, you must set up an Azure Active Directory (AD) application and assign the required permissions to it. This approach is preferable to running the app under your own credentials because:

  • You can assign permissions to the app identity that are different than your own permissions. Typically, these permissions are restricted to exactly what the app needs to do.
  • You do not have to change the app's credentials if your responsibilities change.
  • You can use a certificate to automate authentication when executing an unattended script.
rickvdbosch