Reputation: 325
I'm trying to allow a service principal in Azure to read from Azure Active Directory in order to perform lookups against AAD when using Terraform.
I'm pretty sure that the role required is the Security Reader role; however, I'm not sure what the context needs to be in order to add the service principal to the role. I'm assuming it is on the tenantId, but I'm not sure of the format that the az role assignment command then needs.
The code I'm currently using is as follows:-
# appId of the service principal (by display name)
sp=$(az ad sp list --query "[?displayName=='[my app]'].appId" --output tsv)
# current tenant
tenantId=$(az account show --query tenantId --output tsv)
# role name typo ("Secuity") corrected; variables quoted
az role assignment create --role "Security Reader" --assignee "$sp" --scope "$tenantId"
But this does not validate against the scope correctly, so it's clearly not just the tenant id. I know for subscription level scope it would be /subscriptions/[subscription id]... etc., but I don't know what the format would be for tenancy level permissions?
Upvotes: 0
Views: 675
Reputation: 686
Use az rest or curl and follow the documentation for more details: Assign an Azure role. Something like this:
az rest --method PUT --resource "https://management.azure.com/" --uri "https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}?api-version=2015-07-01" --headers 'Content-Type=application/json' --body "$jsonBody"
Use the jsonBody variable to build the JSON object as per the documentation link.
Upvotes: 1
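The request the answer above sketches, as an added example (not code from the answer or from the az CLI project): it builds the roleAssignments PUT for any RBAC scope and either prints it (DRY_RUN=1, the default) or sends it through az rest (DRY_RUN=0, needs az login). The role definition GUID, principal object ID and other IDs used at the bottom are made-up placeholders, and the live lookup helpers are assumptions about the current az CLI field names.

```shell
#!/bin/sh
# Added example, not code from the answer above. Builds the same
# roleAssignments PUT that `az rest` sends, for any RBAC scope, and prints it
# (DRY_RUN=1, default) or sends it (DRY_RUN=0, requires `az login`).
# Placeholder IDs at the bottom are made up.
set -eu

ARM="https://management.azure.com"
API_VERSION="2015-07-01"
DRY_RUN="${DRY_RUN:-1}"

# Scope strings the roleAssignments API accepts. There is no bare "tenantId"
# scope: tenant-wide RBAC is the root scope "/" or the tenant root management
# group (its ID equals the tenant ID), and assigning there needs elevated access.
scope_root()           { printf '/'; }
scope_mgmt_group()     { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }
scope_subscription()   { printf '/subscriptions/%s' "$1"; }
scope_resource_group() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Request URI: {scope}/providers/Microsoft.Authorization/roleAssignments/{guid}
# The root scope "/" is dropped so the URI does not contain "//".
assignment_uri() {
  scope="$1"; assignment_id="$2"
  if [ "$scope" = "/" ]; then scope=""; fi
  printf '%s%s/providers/Microsoft.Authorization/roleAssignments/%s?api-version=%s' \
    "$ARM" "$scope" "$assignment_id" "$API_VERSION"
}

# Request body. Built-in role definitions can be referenced at tenant level,
# so the roleDefinitionId does not need the assignment scope prefixed.
assignment_body() {
  printf '{"properties":{"roleDefinitionId":"/providers/Microsoft.Authorization/roleDefinitions/%s","principalId":"%s"}}' \
    "$1" "$2"
}

# Assignment names are client-chosen GUIDs; reusing one overwrites that assignment.
new_guid() {
  uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null \
    || python3 -c 'import uuid; print(uuid.uuid4())'
}

# Live lookups (need `az login`). principalId must be the service principal's
# object ID, not the appId that --assignee accepts; the field is named
# "objectId" on az CLI older than 2.37 (assumption about CLI versions).
role_definition_guid() { az role definition list --name "$1" --query '[0].name' -o tsv; }
sp_object_id()         { az ad sp list --display-name "$1" --query '[0].id' -o tsv; }

create_role_assignment() {
  scope="$1"; role_def="$2"; principal="$3"; assignment_id="${4:-$(new_guid)}"
  uri=$(assignment_uri "$scope" "$assignment_id")
  body=$(assignment_body "$role_def" "$principal")
  if [ "$DRY_RUN" = 1 ]; then
    printf 'az rest --method PUT --uri "%s" --headers Content-Type=application/json --body %s\n' \
      "$uri" "'$body'"
  else
    az rest --method PUT --uri "$uri" --headers 'Content-Type=application/json' --body "$body"
  fi
}

# Dry run with placeholder IDs: one assignment at the root scope, one at a
# subscription. Live use: create_role_assignment "$(scope_root)" \
#   "$(role_definition_guid 'Security Reader')" "$(sp_object_id 'my app')"
create_role_assignment "$(scope_root)" ROLE_DEFINITION_GUID SP_OBJECT_ID ASSIGNMENT_GUID
create_role_assignment "$(scope_subscription SUBSCRIPTION_ID)" ROLE_DEFINITION_GUID SP_OBJECT_ID ASSIGNMENT_GUID
```

Note that this is the Azure RBAC "Security Reader" (the Defender for Cloud reader role); it grants nothing in Azure AD itself, which is the distinction the next answer draws.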
Reputation: 2507
The az role assignment command is a subscription based command; using this you can only add assignments to specific subscriptions, so called RBAC (Resource Based Access Control) assignments.
What you are searching for is adding the role to the Azure AD.
To show you the difference, this is how you add an AAD role to a user with PowerShell: https://learn.microsoft.com/en-us/powershell/module/azuread/add-azureaddirectoryrolemember?view=azureadps-2.0
Add-AzureADDirectoryRoleMember
-ObjectId <String>
-RefObjectId <String>
[-InformationAction <ActionPreference>]
[-InformationVariable <String>]
[<CommonParameters>]
This is how to add an RBAC role with PowerShell: https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azroleassignment?view=azps-4.4.0
New-AzRoleAssignment
-ObjectId <String>
[-Scope <String>]
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
These are two totally different things using two different modules. I don't know if there is an addon to CLI to support the AzureAD module.
Upvotes: 1
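The Azure AD side of the answer above, as an added example (not code from the answer, the AzureAD PowerShell module or the az CLI project): since az has no counterpart to Add-AzureADDirectoryRoleMember, it adds a service principal to the "Security Reader" directory role by calling Microsoft Graph through az rest. DRY_RUN=1 (default) prints the requests; DRY_RUN=0 sends them and needs az login as a caller allowed to manage directory role membership. The IDs at the bottom are made-up placeholders, and the lookup helpers assume current Graph and az CLI field names.

```shell
#!/bin/sh
# Added example, not code from the answer above. Adds a service principal to
# an Azure AD directory role via Microsoft Graph, the Azure AD counterpart of
# the RBAC assignment. DRY_RUN=1 (default) prints requests; DRY_RUN=0 sends
# them (needs `az login` as a caller that may manage role membership).
# Placeholder IDs at the bottom are made up.
set -eu

GRAPH="https://graph.microsoft.com/v1.0"
DRY_RUN="${DRY_RUN:-1}"

# Membership is added with POST /directoryRoles/{role-id}/members/$ref and an
# @odata.id body pointing at the principal's object ID (not its appId).
role_member_uri()  { printf '%s/directoryRoles/%s/members/$ref' "$GRAPH" "$1"; }
role_member_body() { printf '{"@odata.id":"%s/directoryObjects/%s"}' "$GRAPH" "$1"; }

# A directory role only has an ID once it has been activated from its template.
activate_body() { printf '{"roleTemplateId":"%s"}' "$1"; }

# Live lookups (need `az login`). /directoryRoles lists activated roles only;
# /directoryRoleTemplates lists every role with its template ID. The SP object
# ID field is "objectId" on az CLI older than 2.37 (assumption about versions).
directory_role_id()       { az rest --method GET --uri "$GRAPH/directoryRoles" --query "value[?displayName=='$1'].id" -o tsv; }
directory_role_template() { az rest --method GET --uri "$GRAPH/directoryRoleTemplates" --query "value[?displayName=='$1'].id" -o tsv; }
sp_object_id()            { az ad sp list --display-name "$1" --query '[0].id' -o tsv; }

graph_post() {
  uri="$1"; body="$2"
  if [ "$DRY_RUN" = 1 ]; then
    # single quotes keep the literal $ref and the JSON intact when copied
    printf "az rest --method POST --uri '%s' --headers Content-Type=application/json --body '%s'\n" "$uri" "$body"
  else
    az rest --method POST --uri "$uri" --headers 'Content-Type=application/json' --body "$body"
  fi
}

activate_directory_role()   { graph_post "$GRAPH/directoryRoles" "$(activate_body "$1")"; }
add_directory_role_member() { graph_post "$(role_member_uri "$1")" "$(role_member_body "$2")"; }

# Whole procedure: activate the role if it has never been used, then add the principal.
assign_directory_role() {
  role_name="$1"; principal="$2"
  role_id=$(directory_role_id "$role_name")
  if [ -z "$role_id" ]; then
    activate_directory_role "$(directory_role_template "$role_name")"
    role_id=$(directory_role_id "$role_name")
  fi
  add_directory_role_member "$role_id" "$principal"
}

# Dry run with placeholder IDs. Live use:
#   DRY_RUN=0 assign_directory_role "Security Reader" "$(sp_object_id 'my app')"
activate_directory_role ROLE_TEMPLATE_ID
add_directory_role_member DIRECTORY_ROLE_ID SP_OBJECT_ID
```

Azure AD "Security Reader" is a directory role, so this request, and not the RBAC assignment, is what lets the principal read directory objects; the two share a name but are unrelated permission systems.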