Mr. Developerdude

Reputation: 9648

Create service principal programmatically in Azure Python API

How can I, using the Azure Python API, create a full set of credentials that can later be used to start and deallocate all VMs in a named resource group, without any other permissions?

I have thoroughly researched the example code and both official and unofficial documentation, but I don't even know where to start...

I know I will need a tenant ID, client ID, client secret and subscription ID. Which of those can I make using an API, and how would I go about assigning roles to allow for starting/deallocating VMs of an existing resource group?

Sample code highly sought after, but will take any hint!

Upvotes: 3

Views: 5059

Answers (2)

rodmanb

Reputation: 101

To anyone still arriving at this question, Python's azure-rbac has been deprecated since December 20, 2022 (but not widely documented, at the time of this comment).

Seems like the Azure CLI is the best solution right now, with Graph API being another possible course, but that's also not very well documented.

Upvotes: 0

Laurent Mazuel

Reputation: 3546

You need the azure-graphrbac package to create a Service Principal:

The closest to a sample might be this unittest:

For role and permissions, you need azure-mgmt-authorization:

The best sample for this one is probably the sub-part of this sample:

"msi_identity" is a synonym of "service principal" in your context.

Note that all of this is supported by the CLI v2.0:

It might be interesting to test the CLI in --debug mode and sniff in the code repo at the same time:

(full disclosure, I work at MS in the Azure SDK for Python team)

Upvotes: 6
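The "without any other permissions" requirement from the question, as an added example that is not part of either answer or of any Azure SDK: it builds a custom role definition in the JSON shape that `az role definition create --role-definition` accepts, then audits a role for anything beyond start/deallocate on the one resource group. The role name, subscription ID and resource group are constructed placeholders, and including the `read` operation is an assumption.

```python
import fnmatch
import json

# Operations the question asks for. Including "read" is an assumption of this
# example, so the principal can look up the VMs it starts or deallocates.
REQUIRED_ACTIONS = [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/read",
]

def build_role_definition(subscription_id, resource_group):
    """Custom role definition assignable only at one resource group."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": "VM Start/Deallocate Operator",  # hypothetical role name
        "IsCustom": True,
        "Description": "Start and deallocate VMs in one resource group.",
        "Actions": list(REQUIRED_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [scope],
    }

def is_allowed(role, operation):
    """Allowed if an Actions pattern matches and no NotActions pattern does."""
    op = operation.lower()
    def hit(patterns):
        return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)
    return hit(role.get("Actions", [])) and not hit(role.get("NotActions", []))

def audit(role, expected_scope):
    """List every way the role exceeds the start/deallocate requirement."""
    wanted = {a.lower() for a in REQUIRED_ACTIONS}
    findings = []
    for pattern in role.get("Actions", []):
        if "*" in pattern:
            findings.append(f"wildcard action: {pattern}")
        elif pattern.lower() not in wanted:
            findings.append(f"extra action: {pattern}")
    for scope in role.get("AssignableScopes", []):
        if scope.lower() != expected_scope.lower():
            findings.append(f"unexpected scope: {scope}")
    return findings

if __name__ == "__main__":
    # Constructed placeholder subscription ID and resource group name.
    role = build_role_definition("00000000-0000-0000-0000-000000000000", "example-rg")
    print(json.dumps(role, indent=2))
    print(audit(role, role["AssignableScopes"][0]))
```
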
