Introduction to Service Principals

The material below is drawn from sources on the Internet; corrections of any errors or omissions are welcome.

Service Principal is an application within Azure Active Directory, which is authorized to access resources in Azure. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.


Serverless360 uses the authentication tokens of the Service Principal to manage the resources. This is achieved by associating the Azure Service Principal with the necessary permissions.


These permissions are restricted to exactly what Serverless360 can do.

Setting up this restricted access involves two activities:

  • Create a Service Principal.
  • Authorize and Assign a role to the Service Principal.

To associate a Service Principal with Serverless360, the following values are required:

  • Tenant Id - Azure Active Directory Id.
  • Subscription Id - The Subscription Id of the Azure Subscription in which the resource exists.
  • Client Id - Id of the Service Principal object / App registered with the Active Directory.
  • Client Secret - Application password.

These values can be collected from the Azure portal in the following way.

Create a Service Principal

To create a service principal, perform the following steps:

Step 1: Navigate to the Azure Active Directory tab in the left side menu in the Azure portal and click App registrations.

Step 2: Click on the New registration button.

Step 3: Provide a Name for the Service Principal. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application that needs to be created. Enter the URI to which the access token is sent. Click on the Register button.

Step 4: Once the Service Principal is created successfully, it will be listed in the App Registration grid.


Azure Tenant ID

In Azure Active Directory (Azure AD), a tenant is a representative of an organization.

It is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft Azure account.

Each Azure AD tenant is distinct and separate from other Azure AD tenants.

In order to obtain the Tenant ID, perform the following steps:

Step 1: Click on the name of the Service Principal.

Step 2: The required Tenant Id is the Directory (tenant) ID from the Essentials section.

Get Subscription ID

Subscription ID is a GUID that uniquely identifies a Subscription.

In order to obtain the Subscription ID, perform the following steps:

Step 1: Navigate to the Subscriptions tab in the left-side menu.

Step 2: All the subscriptions will be listed in a grid. Copy the Subscription Id (where all the desired resources are present) from the Subscription ID column.


Client ID and Client Secret

Client ID is a 16-character string that represents the application.

Follow the below steps to obtain the Client ID:

Step 1: Click on the name of the Service Principal.

Step 2: The required Client Id is the Application (client) ID from the Essentials section.


Secret key is a security key that Windows Live ID uses to encrypt and sign all tokens. It is used by the application to prove its identity when requesting a token.

To obtain the Client Secret, follow the below steps:

Step 1: Click on Certificates & secrets under the Manage section from the left pane.

Step 2: Click on New client secret, provide the Description and Expiry time, and click Add.

Step 3: Once saved, it will show the Client Secret. This Key will only be shown once. This value should be copied and saved.


Authorize Service Principal and Role Assignment

To access the resources in a subscription, the application must be assigned to a role. The right permissions for each role are defined based on different use cases. The scope of the application can be set at the level of the subscription, resource group, or resource.

Permissions are inherited to lower levels of scope. For example, if an application has the Contributor / Owner role for a resource group, it can access the resource group and any resources it contains.


To authorize the service principal to access a Subscription:

Step 1: Navigate to that Subscription. Click on Access control (IAM).

Step 2: Click on Add role assignment. A blade will appear on the right side.

Step 3: In the Role drop-down, there will be pre-defined roles scoped to specific resource types/resources with different permissions like Reader, Manager, etc.

Step 4: Select Contributor from the drop-down. In the next input, select the type of security principal (User, group, or service principal). In the next input, provide the Name of the service principal; the service principals and users matching that name will be listed. More than one Service Principal/User can be selected. Select the desired Service Principal's name and click Save.

It may take some time for the above configurations to take effect.
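The role-assignment and scope-inheritance rules above are easy to get wrong in a live tenant, so the following added example (not part of the original post or of Serverless360) audits what a service principal actually holds. It assumes the JSON shape of `az role assignment list` output (the `roleDefinitionName` and `scope` fields) and uses constructed sample data with placeholder GUIDs.

```python
"""Audit a service principal's RBAC assignments (added example, not from the page).
Input: the JSON from `az role assignment list --assignee <clientId> --all -o json`.
Target: Contributor on exactly one subscription, as the page describes."""
import json

# Roles that can grant access to others, i.e. more power than Contributor.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator",
                    "Role Based Access Control Administrator"}
MG_PREFIX = ["providers", "microsoft.management", "managementgroups"]

def scope_segments(scope):
    """Split an ARM scope into lowercase path segments (root '/' -> [])."""
    return [s.lower() for s in scope.strip("/").split("/") if s]

def scope_covers(assigned, target):
    """True if a role granted at `assigned` is inherited by `target`."""
    a = scope_segments(assigned)
    return scope_segments(target)[:len(a)] == a

def audit_assignments(assignments_json, expected_scope, expected_role="Contributor"):
    """Return one (scope, role, verdict) tuple per assignment; 'ok' is the only clean verdict."""
    findings = []
    for ra in json.loads(assignments_json):
        scope, role = ra["scope"], ra["roleDefinitionName"]
        segs = scope_segments(scope)
        if role in PRIVILEGED_ROLES:
            verdict = "privileged role"
        elif not segs or segs[:3] == MG_PREFIX:
            verdict = "root or management-group scope, wider than any subscription"
        elif scope_covers(scope, expected_scope) and segs != scope_segments(expected_scope):
            verdict = "scope wider than expected, inherited by every resource below it"
        elif not scope_covers(expected_scope, scope):
            verdict = "scope outside the expected subscription"
        elif role != expected_role:
            verdict = "unexpected role"
        else:
            verdict = "ok"  # Contributor at, or narrower than, the expected scope
        findings.append((scope, role, verdict))
    return findings

# Constructed sample in the shape of `az role assignment list` output; GUIDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": SUB},
    {"roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-prod"},
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
])
```

Run `audit_assignments(SAMPLE, SUB)` against the output of the real `az` command to confirm that only the intended Contributor assignment is present once the configuration has taken effect.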

Why does Serverless360 need Contributor access for the Service Principal?

Serverless360 has the capability to manage and monitor Azure resources. It needs to access the resources in the customer's subscription and perform operations on them. The permission required for these capabilities is Contributor access. With this access, it can reach the resource group and any resources it contains.

If Contributor access is not granted, users can only view the resources listed in Serverless360 but cannot perform any operations on them or monitor them.


Please refer to the Microsoft documentation for details.

Now the created Service Principal can be associated with Serverless360.
