A service principal with Contributor, Private DNS Zone Contributor and Network Contributor rights must be created so that GitHub or Azure DevOps can authenticate and authorize against your Azure subscription. This is required to deploy resources to your environment.
Note: The number of role assignments can be further reduced in a production scenario. The Private DNS Zone Contributor role is not required if the deployment of DNS A-records for the Private Endpoints is automated through Azure Policy with the `deployIfNotExists` effect.
First, go to the Azure Portal to find the ID of your subscription. Then start the Cloud Shell or Azure CLI, log in to Azure, set the Azure context and execute the following commands to generate the required credentials:
Azure CLI:

```bash
# Replace {service-principal-name} with any name for your service principal
# and {subscription-id} with your Azure subscription id.
# Note: --sdk-auth is marked deprecated in recent Azure CLI versions but
# still produces the JSON document shown below.
az ad sp create-for-rbac \
  --name "{service-principal-name}" \
  --role "Contributor" \
  --scopes "/subscriptions/{subscription-id}" \
  --sdk-auth
```
This will generate the following JSON output:

```json
{
  "clientId": "<GUID>",
  "clientSecret": "<GUID>",
  "subscriptionId": "<GUID>",
  "tenantId": "<GUID>",
  (...)
}
```
Note: Take note of the output. It will be required for the next steps.
Azure PowerShell:

```powershell
# Ensure you are in the right subscription
Set-AzContext -Subscription "{SubscriptionId or SubscriptionName}"
# Create the service principal (the display name must be quoted)
$sp = New-AzADServicePrincipal -DisplayName "{name}"
# Print the generated client secret
$sp.PasswordCredentials.SecretText
```
The returned object contains the generated password. Make sure that you store this value somewhere secure to authenticate with the service principal.
Note: Beginning with Az PowerShell module version 7.x, `New-AzADServicePrincipal` no longer assigns the Contributor role to the service principal by default. Follow the steps below to grant it the Contributor role.
For automation purposes, more role assignments are required for the service principal. Additional required role assignments include:
Role Name | Description | Scope |
---|---|---|
Private DNS Zone Contributor | We expect you to deploy all Private DNS Zones for all data services into a single subscription and resource group. Therefore, the service principal needs to be Private DNS Zone Contributor on the global DNS resource group which was created during the Data Management Landing Zone deployment. This is required to deploy A-records for the respective private endpoints. | (Resource Group Scope) /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName} |
Network Contributor | In order to deploy Private Endpoints to the specified privatelink-subnet which was created during the Data Landing Zone deployment, the service principal requires Network Contributor access on that specific subnet. | (Child-Resource Scope) /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} |
To add these role assignments, you can use the Azure Portal or run the following commands using Azure CLI/Azure PowerShell:
Azure CLI - Add role assignments:

```bash
# Get Service Principal Object ID
# (Azure CLI 2.37 and later return the object ID in the "id" field instead of "objectId")
az ad sp list --display-name "{servicePrincipalName}" --query "[].{objectId:objectId}" --output tsv
# Add role assignment
# Resource Scope level assignment (the parameter is --scope, singular)
az role assignment create \
  --assignee "{servicePrincipalObjectId}" \
  --role "{roleName}" \
  --scope "{scope}"
# Resource group scope level assignment
az role assignment create \
  --assignee "{servicePrincipalObjectId}" \
  --role "{roleName}" \
  --resource-group "{resourceGroupName}"
```
Azure PowerShell - Add role assignments:

```powershell
# Get Service Principal Object ID
$spObjectId = (Get-AzADServicePrincipal -DisplayName "{servicePrincipalName}").id
# Add role assignment
# For Resource Scope level assignment
New-AzRoleAssignment `
  -ObjectId $spObjectId `
  -RoleDefinitionName "{roleName}" `
  -Scope "{scope}"
# For Resource group scope level assignment
New-AzRoleAssignment `
  -ObjectId $spObjectId `
  -RoleDefinitionName "{roleName}" `
  -ResourceGroupName "{resourceGroupName}"
# For Child-Resource Scope level assignment
New-AzRoleAssignment `
  -ObjectId $spObjectId `
  -RoleDefinitionName "{roleName}" `
  -ResourceName "{resourceName}" `
  -ResourceType "{resourceType (e.g. 'Microsoft.Network/virtualNetworks/subnets')}" `
  -ParentResource "{parentResource (e.g. 'virtualNetworks/{virtualNetworkName}')}" `
  -ResourceGroupName "{resourceGroupName}"
```
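As an added example, not taken from the original documentation or the project's own scripts, the following shell script assembles the three role assignments described above at their narrowest scope, validates the GUIDs before anything is granted, and prints the resulting `az` commands by default (`DRY_RUN=1`) so they can be reviewed first. The helper names (`rg_scope`, `subnet_scope`, `is_guid`, `assign_all`, `verify_assignments`) and all resource names passed to them are assumptions made for this example; `--assignee-object-id` together with `--assignee-principal-type ServicePrincipal` are existing Azure CLI parameters used here in place of the `--assignee` lookup shown above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original documentation. Builds the three
# scoped role assignments for the deployment service principal and prints
# them (DRY_RUN=1, the default) or runs them (DRY_RUN=0). All values passed
# in are placeholders for the reader's own environment; the helpers below
# were written for this example and are not az subcommands.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Resource-group scope: /subscriptions/{sub}/resourceGroups/{rg}
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Child-resource scope of the privatelink subnet inside a virtual network.
subnet_scope() {
  printf '%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$(rg_scope "$1" "$2")" "$3" "$4"
}

# Refuse anything that does not look like a GUID: a mistyped subscription
# or object id should fail here, not after a role has already been granted.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# One role assignment. --assignee-object-id plus --assignee-principal-type
# skips the directory lookup that --assignee performs, which can fail for a
# service principal created only moments earlier.
assign_role() {
  local object_id="$1" role="$2" scope="$3"
  local cmd="az role assignment create --assignee-object-id \"$object_id\" --assignee-principal-type ServicePrincipal --role \"$role\" --scope \"$scope\""
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$cmd"
  else
    eval "$cmd"
  fi
}

# The three assignments from the documentation, each at the narrowest scope
# it needs: Contributor on the subscription, Private DNS Zone Contributor on
# the DNS resource group, Network Contributor on the privatelink subnet only.
assign_all() {
  local object_id="$1" sub="$2" dns_rg="$3" net_rg="$4" vnet="$5" subnet="$6"
  is_guid "$object_id" || { echo "invalid service principal object id: $object_id" >&2; return 1; }
  is_guid "$sub"       || { echo "invalid subscription id: $sub" >&2; return 1; }
  assign_role "$object_id" "Contributor" "/subscriptions/$sub"
  assign_role "$object_id" "Private DNS Zone Contributor" "$(rg_scope "$sub" "$dns_rg")"
  assign_role "$object_id" "Network Contributor" "$(subnet_scope "$sub" "$net_rg" "$vnet" "$subnet")"
}

# Afterwards, list what the principal actually holds across all scopes so
# nothing broader than intended slipped in.
verify_assignments() {
  local object_id="$1"
  local cmd="az role assignment list --assignee \"$object_id\" --all --output table"
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
}

# Usage: ./assign-roles.sh <spObjectId> <subscriptionId> <dnsResourceGroup> \
#          <networkResourceGroup> <vnetName> <privatelinkSubnetName>
if [ "$#" -eq 6 ]; then
  assign_all "$@"
  verify_assignments "$1"
fi
```

Run it once with the default `DRY_RUN=1`, compare the printed scopes against the table above, and only then rerun with `DRY_RUN=0`; the final `az role assignment list --all` call is the check that the principal ended up with exactly those three assignments and nothing wider.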