The Login-AzureRmAccount PowerShell command allows you to log in to your Azure account from PowerShell. However, it brings up a prompt and you have to type in your credentials manually. Obviously this is fine for development or one-off administration. But for fully automated scripts this is one of the first pieces of the puzzle, especially when you are likely to be running them on a build server and you don't want an account that is tied to an actual person.
You certainly don't want your personal sign-in credentials in the script. You need a service account that has just enough permissions to run the scripts that are being run.
This is accomplished with a service principal, which is an instance of an application in your Active Directory that you grant access to resources.
# Values for the AD application; replace the placeholders with your own
$displayName = "App Display Name"
$homePage = "http://YourApplicationHomePage"
$identifierUris = "http://YourApplicationUri"
$password = "APasswordHere"
# Create the AD application (parameters use plain hyphens, not en-dashes)
$app = New-AzureRmADApplication -DisplayName $displayName -HomePage $homePage -IdentifierUris $identifierUris -Password $password
Now we need to create a service principal for that application which needs to access resources. This takes the applicationId of the application we created above.
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
You can view a list of the default roles here: https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-built-in-roles/
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId
# For a service principal login the user name is the application ID ($app.ApplicationId)
# and the password is the one passed to New-AzureRmADApplication above
$username = "YourUserName"
$pass = ConvertTo-SecureString "YourPassword" -AsPlainText -Force
$cred = New-Object -TypeName pscredential -ArgumentList $username, $pass
$tenant = (Get-AzureRmSubscription).TenantId
Login-AzureRmAccount -Credential $cred -ServicePrincipal -TenantId $tenant
You can save the profile as a token and log in with that token later. This token does expire, however, typically after around 12 hours.
Save-AzureRmProfile -Path c:\AzureLoginToken.json
Select-AzureRmProfile -Path c:\AzureLoginToken.json
This will look mostly familiar from the above, except that we must first generate the certificate we are going to use and then create the AD application with that certificate.
# Create a self-signed certificate in the current user's store and export its public part
$cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=exampleapp" -KeySpec KeyExchange
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$azureAdApplication = New-AzureRmADApplication -DisplayName "exampleapp" -HomePage "https://www.contoso.org" -IdentifierUris "https://www.contoso.org/example" -KeyValue $keyValue -KeyType AsymmetricX509Cert -EndDate $cert.NotAfter -StartDate $cert.NotBefore
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azureAdApplication.ApplicationId.Guid
$applicationId = $azureAdApplication.ApplicationId
# Alternatively
# $applicationId = (Get-AzureRmADApplication -IdentifierUri "https://www.yourappURL.com").ApplicationId
$thumbprint = $cert.Thumbprint
# Alternatively
# $thumbprint = (Get-ChildItem -Path cert:\CurrentUser\My\* -DnsName exampleapp).Thumbprint
$tenantId = (Get-AzureRmSubscription).TenantId
This writes the login script you will use; it contains the thumbprint, applicationId and tenantId needed to log in as the newly created service principal.
# Double quotes so the variables are expanded into the saved command
$loginCommand = "Add-AzureRmAccount -ServicePrincipal -CertificateThumbprint $thumbprint -ApplicationId $applicationId -TenantId $tenantId"
Add-Content 'c:\login.ps1' $loginCommand
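As an added example (not code from the original post or its GitHub scripts), here are the certificate-based steps collected into one script that also narrows the role assignment to a single resource group, which is the "just enough permissions" the post asks for, and then verifies the result. The application name, resource group name and URLs are assumed placeholders.

```powershell
# Added example: certificate-based service principal with a resource-group-scoped role.
# Run this while logged in as an administrator of the subscription.
$appName       = "build-agent-app"     # assumed display name
$resourceGroup = "rg-build-targets"    # assumed: the only RG the build scripts need

# 1. Certificate that acts as the service principal's credential
$cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" `
    -Subject "CN=$appName" -KeySpec KeyExchange
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# 2. AD application bound to the certificate's public key (no password)
$app = New-AzureRmADApplication -DisplayName $appName `
    -HomePage "https://$appName.example.invalid" `
    -IdentifierUris "https://$appName.example.invalid/login" `
    -KeyValue $keyValue -KeyType AsymmetricX509Cert `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# 3. Service principal for that application
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null

# 4. Least privilege: Contributor on one resource group rather than the whole
#    subscription. A freshly created principal can take a moment to replicate,
#    so retry briefly if the assignment fails with a "principal not found" error.
$assignment = $null
for ($i = 0; $i -lt 6 -and -not $assignment; $i++) {
    try {
        $assignment = New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
            -ServicePrincipalName $app.ApplicationId -ResourceGroupName $resourceGroup
    } catch { Start-Sleep -Seconds 10 }
}
if (-not $assignment) { throw "Role assignment for $($app.ApplicationId) failed" }

# 5. Still as the administrator: confirm no assignment exists outside that resource group
$roles   = Get-AzureRmRoleAssignment -ServicePrincipalName $app.ApplicationId
$outside = $roles | Where-Object { $_.Scope -notlike "*/resourceGroups/$resourceGroup" }
if ($outside) { throw "Unexpected broader assignment: $($outside.Scope -join ', ')" }

# 6. Verify the non-interactive login itself and that the context is the new identity
$tenantId = (Get-AzureRmSubscription | Select-Object -First 1).TenantId
Add-AzureRmAccount -ServicePrincipal -CertificateThumbprint $cert.Thumbprint `
    -ApplicationId $app.ApplicationId -TenantId $tenantId | Out-Null
$ctx = Get-AzureRmContext
if ($ctx.Account.Id -ne $app.ApplicationId) { throw "Logged in as an unexpected identity" }
"Service principal $($app.ApplicationId) ready; certificate thumbprint $($cert.Thumbprint)"
```

The thumbprint and application ID printed at the end are the only values the build server's login script needs; the private key stays in the certificate store of the machine that runs it.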
Hopefully that has given you a few options and taken you through how to log in to Azure non-interactively.
Script examples are on GitHub here.
I'm a .NET Software Engineer that is currently working at SafeToNet. Opinions are my own.