The Login-AzureRmAccount PowerShell command allows you to login to your Azure account from PowerShell. However, it brings up a prompt and you have to manually type in your credentials. Obviously this is fine for development or things you are doing for one time administration. But in order to have fully automated scripts, this is one of the first pieces in the puzzle, especially when you are likely to be running these on a build server and you don’t want an account that is tied to an acual person.
Creating a service principal
You certainly don’t want to have your personal signin credentials in the script. You need a service account that has just enough permissions to run the scripts that are being run.
This is accomplished with service principal which is an instance of an application on your Active Directory which you grant access to resourcess.
1. Login to your Azure account with:
Login-AzureRmAccount2. Then we need to create an Active Directory application.
$displayName = "App Display Name"
$homePage = "http://YourApplicationHomePage"
$identifierUris = "http://YourApplicationUri"
$password = "APasswordHere"
$app = New-AzureRmADApplication –DisplayName $displayName –HomePage $homePage –IdentifierUris $identifierUris –Password $password3. Create the Service Principal
Now we need to create a service principal for that application which needs to access resources. This takes the applicationId of the application we created above.
New-AzureRmADServicePrincipal –ApplicationId $app.ApplicationId4. Grant the Service Principal roles
You can view a list of the default roles here: https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-built-in-roles/
New-AzureRmRoleAssignment –RoleDefinitionName Contributor –ServicePrincipalName $app.ApplicationIdAuthenticating using a service principal
1. Create a PSCredential object
$username = "YourUserName"
$pass = ConvertTo-SecureString "YourPassword" -AsPlainText –Force
$cred = New-Object -TypeName pscredential –ArgumentList $username, $pass2. Get the TenantId from your subscription
$tenant = (Get-AzureRmSubscription).TenantIdLogin with the credential object
Login-AzureRmAccount -Credential $cred -ServicePrincipal –TenantId $tenantSave Token to login later
You can save the profile as a token and login with that token later. This however does expire, and typically lasts around 12 hours.
Save-AzureRmProfile -Path c:\AzureLoginToken.jsonNext time you want to login, just load the Profile
Select-AzureRmProfile -Path c:\AzureLoginToken.jsonAuthenticating using a service principal and certificate
This will look mostly familiar to the above, except we first must generate the certificate that we are going to use and then create the AD Application with that certificate.
1. Login to Azure
Login-AzureRmAccount2. Create certificate
$cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=exampleapp" -KeySpec KeyExchange
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())3. Create AD Application
$azureAdApplication = New-AzureRmADApplication -DisplayName "exampleapp" -HomePage "https://www.contoso.org" -IdentifierUris "https://www.contoso.org/example" -KeyValue $keyValue -KeyType AsymmetricX509Cert -EndDate $cert.NotAfter -StartDate $cert.NotBefore 4. Create Service Principal
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId5. Assign roles to Service Principal
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azureAdApplication.ApplicationId.GuidCreate Login script for certificate
1. Get Application Id
$applicationId = $azureAdApplication.ApplicationId
# Alternatively
# $applicationId = (Get-AzureRmADApplication -IdentifierUri "https://www.yourappURL.com").ApplicationId2. Get thumbprint of the certificate
$thumbprint = $cert.Thumbprint
# Alternatively
# $thumbprint = (Get-ChildItem -Path cert:\CurrentUser\My\* -DnsName exampleapp).Thumbprint3. Get the tenant
$tenantId = (Get-AzureRmSubscription).TenantId4. Save file called login.ps1
This script is the login script that you will use, it contains the thumbprint, applicationId and tenantId needed to login as the newly created Service Principal.
$loginCommand = "Add-AzureRmAccount -ServicePrincipal -CertificateThumbprint $thumbprint -ApplicationId $applicationId -TenantId $tenantId"
Add-Content 'c:\login.ps1' $loginCommandWrap up
Hopefully that has given you a few options and taken you through how to login non-interactively into Azure.
Script examples are on GitHub here.
