Introduction

Cloud security is a responsibility shared between the cloud provider and the customer. The responsibilities that are always the provider's concern the infrastructure itself: access to, patching, and configuration of the physical hosts and the physical network on which compute instances run and on which storage and other resources reside.

The responsibilities that are always the customer's include managing users and their access privileges (identity and access management), safeguarding cloud accounts from unauthorized access, encrypting and protecting cloud-based data assets, and managing the organization's own security posture (compliance).

An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources. Think of it as a 'user identity' (login plus password or certificate) with a specific role and tightly controlled permissions on your resources. Unlike a general user identity, it only needs to be able to do a few specific things, so security improves when you grant it only the minimum permissions, at the narrowest scope (ideally the single resource rather than the whole subscription), needed for its management tasks.

Use-Case Scenario:

In this guide I consider a real-life example: my API needs to access a Blob container and fetch data for further integration. Instead of giving a user access, I can create a service principal and assign it read permission, which avoids any unwanted logins or access to my subscription.

To make it closer to a real-world scenario, I add a further constraint: I know only the storage account name and no other details. In the steps below I will look up the remaining details, retrieve the access keys, and print them in the following format for integration with my models:

DefaultEndpointsProtocol=https;AccountName=blogtest0;AccountKey=+PQOSX0xxxxxxxxxxxxxxxxxxxEQ+tbxEG2nZ5ooz7pVlXmELsjgZRhMD4FZBmOr8sL1PHw==;EndpointSuffix=core.windows.net

Prerequisites :

Before you begin you should have :

  • An active Azure subscription.
  • Your account has the Owner or User Access Administrator role on the subscription (to assign a role to the service principal) and permission in Azure AD to register applications (to create it).
  • If you don't have access to create a service principal, you will need the prerequisites listed in step 4 below (application ID, password, tenant ID) from whoever creates it for you.
  • Know the name of the resource that needs to be accessed. I have added steps to find the resource group name, so if you only know the resource name we can fetch the rest.

Steps to achieve this :

1.) Use Connect-AzAccount to sign in to your Azure account.

2.) Create the service principal with the New-AzADServicePrincipal command. A service principal can use certificate-based or password-based authentication; in this guide I use password-based authentication.

$servprin = New-AzADServicePrincipal -DisplayName ServicePrincipalName

3.) The returned object contains the Secret member, a SecureString holding the generated password. Because it is a SecureString its value is not shown in the console output, so we use the steps below to read it. (In Az.Resources 5.0 and later the cmdlet no longer returns Secret; the password is in PasswordCredentials.SecretText instead.) Store this value somewhere secure, such as a Key Vault secret, because it is needed to authenticate as the service principal in the next steps. If you lose the password, reset the service principal credentials.
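The credential reset mentioned above, as an added example that is not part of the original guide: add a fresh password credential, read it once, and remove every other credential so a lost or leaked one stops working. It assumes the Az PowerShell module and the display name used in step 2; the 90-day lifetime is my choice.

```powershell
# Added example: rotate a service principal password. Assumes the Az module and
# the display name from step 2 ('ServicePrincipalName' is a placeholder).
$sp = Get-AzADServicePrincipal -DisplayName 'ServicePrincipalName'

# Add a new password credential; 90 days is an assumed lifetime, adjust to policy.
$newCred = New-AzADSpCredential -ObjectId $sp.Id -EndDate (Get-Date).AddDays(90)

# Older Az.Resources returns Secret (SecureString), newer versions return SecretText.
# Read the plaintext once and free the unmanaged copy immediately.
$plain = if ($newCred.PSObject.Properties['SecretText']) {
    $newCred.SecretText
} else {
    $b = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($newCred.Secret)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringAuto($b) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($b) }
}

# Invalidate every other credential on the principal (the lost/leaked ones).
Get-AzADSpCredential -ObjectId $sp.Id |
    Where-Object { $_.KeyId -ne $newCred.KeyId } |
    ForEach-Object { Remove-AzADSpCredential -ObjectId $sp.Id -KeyId $_.KeyId }

# Hand $plain to your secret store here (e.g. Set-AzKeyVaultSecret), then drop it.
Remove-Variable plain
```

Role assignments are attached to the service principal object, not to the credential, so rotating the password this way leaves its permissions untouched.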

# Copy the SecureString into an unmanaged BSTR, read it, then zero and free that copy
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($servprin.Secret)
$PlainSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)

4.) Collect the prerequisites for signing in as the service principal: the application ID, which is used as the username (the ApplicationId property of the object returned in step 2), the password from step 3, and the tenant ID (shown by Get-AzContext for the account you signed in with in step 1). With this information we proceed as follows:

#Create required variables. Do not hardcode the password in a saved script; read it from a
#secret store or prompt for it (Read-Host -AsSecureString) instead of the placeholder below.
$User = "<application_id-of-serviceprincipal>"
$PWord = ConvertTo-SecureString -String "<password-of-serviceprincipal>" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord

#Login using the service principal. Subscription id is an optional parameter. If the principal has access to multiple subscriptions I recommend using it to set the scope.
Connect-AzAccount -Credential $Credential -Tenant '<tenant_id>' -ServicePrincipal -SubscriptionId "<subscription_id>"

#Look up the resource by name and type to find its resource group. Filtering on the type
#avoids picking up a resource of another kind that happens to share the name.
$res_name = "<resource_name>"
$res_details = Get-AzResource -Name $res_name -ResourceType 'Microsoft.Storage/storageAccounts'
$rg_name = $res_details.ResourceGroupName
$rg_name

#Fetch the resource itself. This confirms the principal can read it (needs the Reader role or
#higher on the storage account). I use a storage account here; use the cmdlet for your resource type.
$rname = Get-AzStorageAccount -Name $res_name -ResourceGroupName $rg_name

#Get the key. [0] selects the primary of the two keys. Note that Reader alone is not enough for
#this call: listing keys requires the listKeys action (e.g. Contributor or the Storage Account
#Key Operator Service Role), and the key grants full access to the account, so treat it as a secret.
$skey = (Get-AzStorageAccountKey -ResourceGroupName $rg_name -Name $res_name)[0].Value

#Concatenate the pieces into the connection string
'DefaultEndpointsProtocol=https;AccountName=' + $res_name + ';AccountKey=' + $skey + ';EndpointSuffix=core.windows.net'