Using Service Principals for Bicep deployments


Think of a scenario with a pipeline that deploys your infrastructure to three environments — development, test, and production. Learn how to enable the proper access for Bicep deployments.


Why should you care about using Service Principals?

An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.

You can restrict access by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.

Think of a scenario where you have a pipeline that deploys your infrastructure to three environments — development, test, and production. Each environment is in a dedicated resource group, in three different subscriptions.

In this case, you could create a single service principal and grant it access to each resource group in all three subscriptions. That one identity (and its secret) would then be able to change production from any pipeline run, including a development build.

A better solution would be to separate production and non-production environments using multiple Service Principals. The ideal solution would be a dedicated Service Principal per environment.

With three Service Principals, one per environment, each scoped to its own resource group, you can control precisely which resources can be accessed and at which level, and a leaked development secret cannot be used against production.
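As an added example (not from the original post), the script below creates the per-environment role assignments just described, scoped to each environment's resource group rather than its subscription, and then checks that none of the principals holds a broader assignment. The application IDs, subscription IDs and resource group names are placeholders to replace with your own; it assumes you are signed in with your own user account as in step 1.

```powershell
# Added example: one Service Principal per environment, each granted Contributor
# only on its own resource group. All IDs and names below are placeholders.
$environments = @(
    @{ Name = 'dev';  AppId = '00000000-0000-0000-0000-000000000001'; Subscription = 'SUB_ID_DEV';  ResourceGroup = 'rg-ifabrik-dev'  }
    @{ Name = 'test'; AppId = '00000000-0000-0000-0000-000000000002'; Subscription = 'SUB_ID_TEST'; ResourceGroup = 'rg-ifabrik-test' }
    @{ Name = 'prod'; AppId = '00000000-0000-0000-0000-000000000003'; Subscription = 'SUB_ID_PROD'; ResourceGroup = 'rg-ifabrik-prod' }
)

foreach ($target in $environments) {
    # Switch to the subscription that hosts this environment.
    Set-AzContext -Subscription $target.Subscription | Out-Null

    # Scope the assignment to the resource group, never to the whole subscription.
    $scope = (Get-AzResourceGroup -Name $target.ResourceGroup).ResourceId

    $existing = Get-AzRoleAssignment -ServicePrincipalName $target.AppId -Scope $scope |
        Where-Object RoleDefinitionName -eq 'Contributor'
    if (-not $existing) {
        New-AzRoleAssignment -ApplicationId $target.AppId -RoleDefinitionName 'Contributor' -Scope $scope | Out-Null
    }

    # Check: the principal must hold no assignment above resource-group scope
    # (Get-AzRoleAssignment also returns assignments inherited from the subscription).
    $tooBroad = Get-AzRoleAssignment -ServicePrincipalName $target.AppId |
        Where-Object { $_.Scope -notlike "$scope*" }
    if ($tooBroad) {
        Write-Warning "[$($target.Name)] $($target.AppId) has assignments outside $scope"
        $tooBroad | Format-Table RoleDefinitionName, Scope
    } else {
        Write-Host "[$($target.Name)] Contributor on $scope only"
    }
}
```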

After a Service Principal's secret has expired, clients can no longer use it to authenticate, and your pipeline will fail at sign-in until you issue a new secret and update it wherever the pipeline stores it.

You can refer to this article to create a Service Principal using the Azure Portal.

Now let’s see how you can use a Service Principal to deploy Bicep files.

Pre-requisites:

An active Azure subscription
Azure PowerShell installed
Azure Bicep installed
A Service Principal, including these values: Application (client) ID, Directory (tenant) ID, and a client secret

What we will do:

Sign in with your own user account
Create a resource group
Assign a role to the Service Principal
Create a Bicep file
Use the Service Principal to deploy the Bicep file that creates a WordPress website

1. Sign in to your own user account.

You can leverage the command below to sign in:

Connect-AzAccount -Tenant 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' -SubscriptionId 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'

Note that we specify both the Tenant ID and the Subscription ID so the session lands in the intended subscription.

2. Create a resource group

Now we will create a resource group using the command below:

New-AzResourceGroup -Name ifabrik -Location eastus

3. Assign a role to a Service Principal

To assign a role to a Service Principal, your own user account needs the User Access Administrator role (or Owner) at the scope where you create the assignment.

To create the role assignment, you can use the command below:

New-AzRoleAssignment `
    -ApplicationId APPLICATION_ID `
    -RoleDefinitionName Contributor `
    -Scope RESOURCE_GROUP_ID

Replace APPLICATION_ID with the Service Principal's Application (client) ID and RESOURCE_GROUP_ID with the resource ID of the resource group (for example, the ResourceId returned by Get-AzResourceGroup -Name ifabrik), so the Contributor role applies to that resource group only.

If you prefer to use the Azure Portal, go to the resource group, select 'Access Control (IAM)', click 'Add' / 'Add role assignment', and then select the Service Principal as shown in the image below:

4. Bicep file — WordPress

We will use the Bicep code below, which creates a WordPress site with MySQL in-app (the database runs inside the App Service instance). Grab the code and save it as 'main.bicep' on your local machine.

param sku string = 'F1'
param repoUrl string = 'https://github.com/azureappserviceoss/wordpress-azure'
param branch string = 'master'
param location string = resourceGroup().location

// Names derived from the resource group ID, so they are unique per environment.
var hostingPlanName_var = '${uniqueString(resourceGroup().id)}hostingplan'
var siteName_var = '${uniqueString(resourceGroup().id)}website'

resource hostingPlanName 'Microsoft.Web/serverfarms@2020-06-01' = {
  sku: {
    name: sku
    capacity: 1
  }
  name: hostingPlanName_var
  location: location
  properties: {}
}

resource siteName 'Microsoft.Web/sites@2020-06-01' = {
  name: siteName_var
  location: location
  properties: {
    serverFarmId: hostingPlanName.id
    siteConfig: {
      localMySqlEnabled: true
      appSettings: [
        {
          name: 'WEBSITE_MYSQL_ENABLED'
          value: '1'
        }
        {
          name: 'WEBSITE_MYSQL_GENERAL_LOG'
          value: '0'
        }
        {
          name: 'WEBSITE_MYSQL_SLOW_QUERY_LOG'
          value: '0'
        }
        {
          name: 'WEBSITE_MYSQL_ARGUMENTS'
          value: '--max_allowed_packet=16M'
        }
      ]
    }
  }
}

// Pull the WordPress code from the GitHub repository (manual integration, no webhook).
resource siteName_web 'Microsoft.Web/sites/sourcecontrols@2020-06-01' = {
  parent: siteName
  name: 'web'
  properties: {
    repoUrl: repoUrl
    branch: branch
    isManualIntegration: true
  }
}

resource Microsoft_Web_sites_config_siteName_web 'Microsoft.Web/sites/config@2020-06-01' = {
  parent: siteName
  name: 'web'
  properties: {
    phpVersion: '7.0'
  }
}

Next, we will proceed to deploy the Bicep file.

5. Deploy the Bicep file using the Service Principal.

First, run the command below; it prompts for the Service Principal's credentials without echoing the secret or leaving it in your command history.

$credential = Get-Credential

You will be prompted to provide the User and Password:

User: the Application (client) ID
Password: the value of the client secret (the secret value itself, not its Secret ID)

You can obtain this information from the Azure Portal: open the Azure Active Directory page, select App registrations, look for your Service Principal, then select the 'Certificates & secrets' tab. You can create a new client secret if needed; its value is shown only once, at creation time.

Then, we will run the command below to sign in using the Service Principal credentials. Replace the TENANT_ID with the value of your own Tenant ID.

Connect-AzAccount -ServicePrincipal `
-Credential $credential `
-Tenant TENANT_ID

The image below shows the output from the above command:

Now, we will deploy the WordPress site using the command below:

$date = Get-Date -Format "MM-dd-yyyy"
$deploymentName = "AzInsiderDeployment" + "$date"

# Deploy into the resource group created in step 2.
New-AzResourceGroupDeployment -Name $deploymentName -ResourceGroupName ifabrik -TemplateFile .\main.bicep

The image below shows the output from the deployment operation:

Bicep deployment operation output
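As an added example (not from the original post), the script below performs the same sign-in and deployment as steps 1 to 5, but in the form a pipeline agent would run it: no prompts, the secret read from environment variables (the variable names are assumed; map them from your pipeline's secret store), the subscription pinned and verified, the template validated and previewed with what-if before anything is created, and the session closed afterwards.

```powershell
# Added example: non-interactive Service Principal deployment for a pipeline.
# Environment variable names are assumptions; the secret never appears in the script.
$appId    = $env:AZURE_CLIENT_ID
$secret   = $env:AZURE_CLIENT_SECRET
$tenantId = $env:AZURE_TENANT_ID
$subId    = $env:AZURE_SUBSCRIPTION_ID
$rgName   = 'ifabrik'   # resource group created in step 2

$credential = New-Object System.Management.Automation.PSCredential(
    $appId, (ConvertTo-SecureString $secret -AsPlainText -Force))

# Sign in as the Service Principal; -Subscription pins the context so a wrong
# default subscription cannot send the deployment to another environment.
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId -Subscription $subId | Out-Null
$ctx = Get-AzContext
if ($ctx.Subscription.Id -ne $subId) {
    throw "Context is on subscription $($ctx.Subscription.Id), expected $subId"
}

$templateParams = @{ sku = 'F1' }

# Validate first; a non-empty result means the template (or the principal's rights) has problems.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile .\main.bicep -TemplateParameterObject $templateParams
if ($validation) {
    $validation | ForEach-Object { Write-Error $_.Message }
    throw 'Template validation failed'
}

$deploymentName = 'AzInsiderDeployment' + (Get-Date -Format 'MM-dd-yyyy')

# Preview what the Service Principal is about to change, then deploy for real.
New-AzResourceGroupDeployment -Name $deploymentName -ResourceGroupName $rgName -TemplateFile .\main.bicep -TemplateParameterObject $templateParams -WhatIf
$deployment = New-AzResourceGroupDeployment -Name $deploymentName -ResourceGroupName $rgName -TemplateFile .\main.bicep -TemplateParameterObject $templateParams
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state $($deployment.ProvisioningState)"
}

# Drop the Service Principal's token from this session once the work is done.
Disconnect-AzAccount | Out-Null
```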

As you can see, using Service Principals is straightforward, and you can integrate them with Azure DevOps service connections to control which environments each pipeline can deploy your Bicep files to.


-Dave R.
