What is Service Principal?

Introduction

Service Principal is an application within Azure Active Directory, which is authorized to access resources in Azure. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.

Serverless360 uses the authentication tokens of the Service Principal to manage the resources, this is achieved by associating the Azure Service Principal with necessary permissions.

These permissions are restricted to exactly what Serverless360 can do.

The necessary activities to perform such restrictions include:

• Create a Service Principal.
• Authorize and Assign a role to the Service Principal.

To associate a Service Principal with Serverless360, the following values are required:

• Tenant Id - Azure Active Directory Id.
• Client Id - Id of the Service Principal object / App registered with the Active Directory.
• Client Secret - Application password.

These values can be collected from the Azure portal in the following way.

Create a Service Principal

To create a service principal, perform the following steps:

Step 1: Navigate to the Azure Active Directory tab in the left side menu in the Azure portal and click App registrations.

Step 2: Click on the New registration button.

Step 3: Provide a Name for the Service Principal. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application that needs to be created. Enter the URI to which the access token is sent to. Click on the Register button.

Step 4: Once the Service Principal is created successfully, it will be listed in the App Registration grid.

Azure Tenant ID

In Azure Active Directory (Azure AD), a tenant is a representative of an organization.

It is a dedicated instance of the Azure AD service that an organization receives and owns when it creates by signing up for a Microsoft Azure account.

Each Azure AD tenant is distinct and separate from other Azure AD tenants.

In order to obtain the Tenant ID, perform the following steps:

Step 1: Click on the name of the Service Principal.

Step 2: The required Tenant Id is the Directory (tenant) ID from the Essentials section.

Client ID and Client Secret

A Client ID is a 16-character string that represents the application.

Follow the below steps to obtain the Client ID:

Step 1: Click on the name of the Service Principal.

Step 2: The required Client Id is the Application (client) ID from the Essentials section.

Secret key is a security key that Windows Live ID uses to encrypt and sign all tokens. It is used by the application to prove its identity when requesting a token.

To obtain the Client Secret, follow the below steps:

Step 1: Click on Certificates & secrets under the Manage section from the left pane.

Step 2: Click on New client secret, provide the Description and Expiry time, and Click Add.

Step 3: Once saved, it will show the Client Secret. This Key will only be shown once. This value should be copied and saved.

Authorize Service Principal and Role Assignment

To access the resources in a subscription, the application must be assigned to a role. The right permissions for each role are defined based on different use cases. The scope of the application can be set at the level of the subscription, resource group, or resource.

Permissions are inherited to lower levels of scope. For example, if an application has the Contributor / Owner role for a resource group, it can access the resource group and any resources it contains.

To authorize the service principal to access a Subscription:

Step 1: Navigate to that Subscription. Click on Access control (IAM).

Step 2: Click on Add role assignment. A blade will appear on the right side.

Step 3: In the Role drop-down, there will be pre-defined roles scoped to specific resource types/resources with different permissions like Reader, Manager, etc.

Step 4: Select Reader from the drop-down. In the next input select (User, group, or service principal) as security principal. In the next input provide the Name of the service principal. It will list the service principals and users for the given name. More than one Service Principal/User can be selected. Select the desired Service Principal’s name and click Save.

It may take some time for the above configurations to take effect.

Why does Serverless360 need Reader access for the Service Principal?

To obtain access at the cost of the user's Azure Subscription, the permission required for a Service Principal is Reader access at the Subscription level.

Users cannot view the cost of their Azure Subscription if the required access is not provided.