A Service Principal is an application within Azure Active Directory that is authorized to access resources or resource groups in Azure. Serverless360 uses the Service Principal's authentication tokens to manage the resources.
To know more about Service Principals, read:
Application and service principal objects in Azure Active Directory (Azure AD)
What are service principals and where do they come from?
You can assign permissions to the service principal that are different than your own Azure account permissions. Typically, these permissions are restricted to exactly what Serverless360 can do.
This involves the following mandatory activities:
- Create a Service Principal
- Authorize Service Principal from Azure Portal and provide 'Contributor' access on the resource group to manage
- Register Service Principal in Serverless360
In order to associate the Service Principal with Serverless360, you will need the following values:
1. Subscription ID - The Subscription ID of the Azure Subscription in which the resource group / resource exists
2. Tenant ID - Azure Active Directory Id
3. Client ID - Id of the Service Principal object / App registered with the Active Directory
4. Client Secret - Authentication password key for this Service Principal
The rest of this document will help you collect the values mentioned above.
Get Azure Tenant Id
In Azure Active Directory (Azure AD), a tenant is a representative of an organization. It is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft Azure account. Each Azure AD tenant is distinct and separate from other Azure AD tenants.
To get the Azure Tenant ID:
- Navigate to 'Dashboard' in the Azure portal
- In the portal, navigate to the ‘Azure Active Directory’ tab in the left side menu
- Click the 'Properties' tab under the Manage section
- Click the Copy icon against the 'Directory ID' to get the Azure Tenant ID
Create a Service Principal
- Select Azure Active Directory and click 'App registrations'
- Click on the 'New Application Registration' link – this will open up a new blade to enter service principal details
- Enter a name for the Service Principal, keep the Application Type at its default (Web App / API), and in the 'Sign-on Url' tab enter any URL, for example http://localhost.
- Once the Service Principal is created successfully, it will be listed in the App Registration grid
Get Client ID and Client Secret
Client ID is a 16-character string that represents the application. To get the Client ID:
- Click on the Service Principal > Copy the 'Application ID' from Essentials window. This is your 'Client ID'.
A Secret key is a security key that Windows Live ID uses to encrypt and sign all tokens. To get the Client Secret:
- Click on 'Keys' under API Access from the Settings Blade > create a key and provide a name for it. Select when it should expire and click on 'Save'.
- Once saved, it will show you the 'Client Secret'.
Authorize Service Principal from Azure Portal and Provide 'Contributor' access on the resource group to manage
To access resources that are associated with your subscription, you must assign the application to a role. The right permissions for each role are defined based on different use cases.
Permissions are inherited by lower levels of scope. For example, you can add an application to the Contributor / Owner role for a resource group. This means it can access the resource group and any resources it contains.
To authorize the service principal to access a resource group:
- Navigate to the Resource Group / Resource > Click on “Access Control (IAM)”. When you click on Access Control, it lists all the service accounts that are authorized to access the selected Resource Group.
- Add new permission for the created Service Principal. Click on the “Add” button on the top left of this blade. Select a role and App. Please refer to the image below.
- In the Role drop-down, you will find many pre-defined roles scoped to specific resource types / resources with different permissions, like Reader, Manager etc.
- Select “Contributor” from the list.
- In the next input, type the name of the service principal. It will list the service principals and users for the given name. You can select more than one Service Principal/User here. Select the desired Service Principal’s name and click “Save”.
- In a few seconds the portal will notify you that the user has been added and can perform the operations with allowed permissions.
We have simplified the steps here for your ease. For more information, read:
Use portal to create an Azure Active Directory application and service principal that can access resources
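The steps above grant 'Contributor' on a resource group, and permissions are inherited by everything below the scope they are assigned at. As an added example (not Serverless360's or Microsoft's code), this Python check classifies each role assignment's scope and flags any held by the service principal above or outside the intended resource groups. The sample records, IDs and resource group names are constructed, and the field names assume the shape of `az role assignment list --all` output.

```python
import re

# Azure RBAC scope shapes; an assignment is inherited by everything below it.
SCOPE_RE = re.compile(
    r"(?i)^/subscriptions/[0-9a-f-]{36}(?:/resourceGroups/(?P<rg>[^/]+)(?P<res>/providers/.+)?)?$")
BROAD = {"root", "management-group", "subscription", "unknown"}

def scope_level(scope):
    """Return (level, resource_group) for an RBAC scope string."""
    scope = scope.rstrip("/")
    if scope == "":
        return "root", None
    if scope.lower().startswith("/providers/microsoft.management/managementgroups/"):
        return "management-group", None
    m = SCOPE_RE.match(scope)
    if not m:
        return "unknown", None
    if m.group("rg") is None:
        return "subscription", None
    return ("resource" if m.group("res") else "resource-group"), m.group("rg")

def audit(assignments, principal_id, allowed_groups):
    """Flag one principal's assignments that reach beyond the intended resource groups."""
    allowed = {g.lower() for g in allowed_groups}
    findings = []
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue
        level, rg = scope_level(a["scope"])
        if level in BROAD:
            reason = f"{level} scope is not limited to a resource group"
        elif rg.lower() not in allowed:
            reason = f"unexpected resource group {rg}"
        else:
            continue
        findings.append((a["roleDefinitionName"], level, reason))
    return findings

# Constructed sample; field names assume `az role assignment list --all` output.
SP = "11111111-1111-1111-1111-111111111111"  # hypothetical principal object ID
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"principalId": SP, "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-integration"},
    {"principalId": SP, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": SP, "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-finance"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Owner", "scope": SUB},
]

print(*audit(SAMPLE, SP, ["rg-integration"]), sep="\n")
```

Here the subscription-level Contributor assignment and the Reader assignment on `rg-finance` are reported, while the intended `rg-integration` assignment passes.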
Get Subscription ID
The subscription ID is a GUID that uniquely identifies your subscription to use Azure services.
Here is a quick step by step guide on how to get your Subscription ID from the New Azure Portal.
- Browse to https://portal.azure.com and Sign into your account.
- In the portal, navigate to the ‘Subscriptions’ tab in the left side menu. If the tab is not visible, then click on the ‘More services’ tab to find it.
- In the Subscriptions blade, all the subscriptions will be listed. Copy the ID from the ‘Subscription ID’ column.
Registering Service Principals
An illustration to help with registering a Service Principal in Serverless360 after all the above steps are completed. A Friendly Name helps you identify a service principal in Serverless360 if you register many.