What is Service Principal?
Service Principal is an application within Azure Active Directory, which is authorized to access resources in Azure. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.
Serverless360 uses the authentication tokens of the Service Principal to manage the resources, this is achieved by associating the Azure Service Principal with necessary permissions.
These permissions are restricted to exactly what Serverless360 can do.
The necessary activities to perform such restrictions include:
- Create a Service Principal.
- Authorize and Assign a role to the Service Principal.
To associate a Service Principal with Serverless360, the following values are required:
- Tenant Id - Azure Active Directory Id.
- Subscription Id - The Subscription Id of the Azure Subscription in which the resource exists.
- Client Id - Id of the Service Principal object / App registered with the Active Directory.
- Client Secret - Application password.
These values can be collected from the Azure portal in the following way.
Create a Service Principal
To create a service principal, perform the following steps:
Step 1: Navigate to the Azure Active Directory tab in the left side menu in the Azure portal and click App registrations.
Step 2: Click on the New registration button.
Step 3: Provide a Name for the Service Principal. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application that needs to be created. Enter the URI to which the access token is sent to. Click on the Register button.
Step 4: Once the Service Principal is created successfully, it will be listed in the App Registration grid.
Azure Tenant ID
In Azure Active Directory (Azure AD), a tenant is a representative of an organization.
It is a dedicated instance of the Azure AD service that an organization receives and owns when it creates by signing up for a Microsoft Azure account.
Each Azure AD tenant is distinct and separate from other Azure AD tenants.
In order to obtain the Tenant ID, perform the following steps:
Step 1: Click on the name of the Service Principal.
Step 2: The required Tenant Id is the Directory (tenant) ID from the Essentials section.
Get Subscription ID
A Subscription ID is a GUID that uniquely identifies a Subscription.
In order to obtain the Subscription ID, perform the following steps:
Step 1: Navigate to the Subscriptions tab in the left side menu.
Step 2: All the subscriptions will be listed in a grid. Copy the Subscription Id (where all the desired resources are present) from the Subscription ID column.
Client ID and Client Secret
A Client ID is a 16-character string that represents the application.
Follow the below steps to obtain the Client ID:
Step 1: Click on the name of the Service Principal.
Step 2: The required Client Id is the Application (client) ID from the Essentials section.
Secret key is a security key that Windows Live ID uses to encrypt and sign all tokens. It is used by the application to prove its identity when requesting a token.
To obtain the Client Secret, follow the below steps:
Step 1: Click on Certificates & secrets under the Manage section from the left pane.
Step 2: Click on New client secret, provide the Description and Expiry time, and Click Add.
Step 3: Once saved, it will show the Client Secret. This Key will only be shown once. This value should be copied and saved.
Authorize Service Principal and Role Assignment
To access the resources in a subscription, the application must be assigned to a role. The right permissions for each role are defined based on different use cases. The scope of the application can be set at the level of the subscription, resource group, or resource.
Permissions are inherited to lower levels of scope. For example, if an application has the Contributor / Owner role for a resource group, it can access the resource group and any resources it contains.
To authorize the service principal to access a Subscription:
Step 1: Navigate to that Subscription. Click on Access control (IAM).
Step 2: Click on Add role assignment. A blade will appear on the right side.
Step 3: In the Role drop-down, there will be pre-defined roles scoped to specific resource types/resources with different permissions like Reader, Manager, etc.
Step 4: Select Contributor from the drop-down. In the next input select (User, group, or service principal) as security principal. In the next input provide the Name of the service principal. It will list the service principals and users for the given name. More than one Service Principal/User can be selected. Select the desired Service Principal’s name and click Save.
It may take some time for the above configurations to take effect.
Why does Serverless360 need Contributor access for the Service Principal?
Serverless360 has got capabilities to manage and monitor Azure resources. We need to access the resources in their subscription and perform operations on them. The required permission to achieve these capabilities is Contributor access. With this access, it can access the resource group and any resources it contains.
If the contributor access is not given, the users can only view the resources that are listed in Serverless360 but cannot perform any operations or monitor them.
Please refer to this Microsoft documentation
Now the created Service Principal can be associated with Serverless360.
To know more about Service Principals and the above process, read the following articles from Microsoft: