In this blog post, we’ll show you how to authenticate Azure CLI with a Service Principal and log in to Azure.
Azure CLI is a command-line utility written in Python that allows users to manage Azure resources programmatically. It is widely used by DevOps engineers, developers, and IT professionals to automate deployments, configure services, and manage cloud environments efficiently.
A Service Principal in Azure is a type of security identity used by applications, hosted services, and automated tools to access specific Azure resources. Unlike user accounts, Service Principals are not associated with any particular user. Instead, they are created with restricted permissions to perform specific tasks, enhancing security and automation capabilities.
For example, you can create a Service Principal for Terraform to provision infrastructure in Azure without requiring a user to manually authenticate each time.

Step 1: Create a Service Principal
To create a Service Principal, use the following Azure CLI command:
az ad sp create-for-rbac --name "my-service-principal" --role contributor --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group}
Replace the placeholders with your actual subscription ID and target resource group. This command creates a Service Principal with the “Contributor” role scoped to the specified resource group. The output will include important credentials: appId, password, and tenant. Be sure to store them securely.
Step 2: Log in to Azure CLI using the Service Principal
Once your Service Principal is created, you can use the credentials to log in to Azure CLI. Here’s how:
az login --service-principal --username APP_ID --password CLIENT_SECRET --tenant TENANT_ID
Replace APP_ID, CLIENT_SECRET, and TENANT_ID with the corresponding values from the previous step. This command authenticates your CLI session using the Service Principal, enabling scripts or automation tools to access Azure resources securely.
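For pipelines, the Step 2 login can be wrapped so the credentials are read from the environment and checked before az is called. This is an added example, not code from the original post. The function names and the variable names AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID are assumptions chosen for the example (Azure CLI does not read them on its own).

```shell
#!/bin/sh
# Added example: service principal login for automation jobs.
# Function and variable names are assumptions made for this example.

# Return 0 if $1 looks like a GUID (the format of appId and tenant values).
is_guid() {
    printf '%s' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Validate inputs before calling az, so a misconfigured job fails early
# with a message that never contains the secret itself.
check_sp_env() {
    if [ -z "${AZURE_CLIENT_ID:-}" ] || [ -z "${AZURE_CLIENT_SECRET:-}" ] ||
       [ -z "${AZURE_TENANT_ID:-}" ]; then
        echo "error: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID must be set" >&2
        return 2
    fi
    is_guid "$AZURE_CLIENT_ID" || { echo "error: AZURE_CLIENT_ID is not a GUID" >&2; return 3; }
    is_guid "$AZURE_TENANT_ID" || { echo "error: AZURE_TENANT_ID is not a GUID" >&2; return 3; }
}

# Log in as the service principal. --output none keeps the subscription
# listing out of CI logs. The secret stays out of the script and the shell
# history, but it is still passed to az as a process argument.
sp_login() {
    check_sp_env || return $?
    az login --service-principal \
        --username "$AZURE_CLIENT_ID" \
        --password "$AZURE_CLIENT_SECRET" \
        --tenant "$AZURE_TENANT_ID" \
        --output none
}

# Drop the cached session when the job is done.
sp_logout() {
    az logout
}
```

Source the file in a job, call sp_login before the deployment steps, and call sp_logout at the end so the cached token does not outlive the run.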
Benefits of Using Service Principals
- Security: Avoids using personal credentials in automation scripts.
- Scoping: Restrict access to specific resources.
- Automation: Ideal for CI/CD pipelines, Terraform, Bicep, and other infrastructure-as-code tools.
By leveraging Service Principals, you can build secure, automated workflows that interact with Azure in a controlled and auditable manner. Whether you’re deploying virtual machines, configuring networks, or managing containers, using a Service Principal with Azure CLI is a best practice that enhances both efficiency and security.
Let us know in the comments how you’re using Service Principals in your automation workflows!
FAQ: Is App Registration the same as Service Principal?
Not exactly. When you create an App Registration in Azure Active Directory, you’re registering an application that Azure can identify and trust. This App Registration defines the application’s identity, including redirect URIs, API permissions, and branding.
A Service Principal, on the other hand, is the security identity created for the App Registration in a specific Azure AD tenant. It’s what actually gets assigned roles and permissions. Think of the App Registration as the blueprint and the Service Principal as the instance of that blueprint in your tenant used for authentication and authorization.