#!/bin/bash
#
# Create a bunch of random passwords
#
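# The password file names are built from these two inputs; stop before writing
# anything if either is missing instead of producing ".passwords/.--sql_password".
: "${rg_name:?rg_name must be set}"
: "${prefix:?prefix must be set}"

# Everything written below is a secret: make new files user-only by default and
# keep other local users out of the directory. -p lets the script be re-run.
umask 077
mkdir -p -m 700 .passwords

# SQL password: generate, persist, then re-read the stored copy so the exported
# value is exactly what later scripts will find on disk.
# openssl's documented usage is "rand [-base64] num" (options before the count).
export sql_password="$(openssl rand -base64 14)"
printf '%s\n' "${sql_password}" > ".passwords/.${rg_name}-${prefix}-sql_password"
export sql_password="$(cat ".passwords/.${rg_name}-${prefix}-sql_password")"

# Service principal credential: same generate / persist / re-read pattern.
# export service_principal_pass="${AAD_CLIENT_ID}"
export service_principal_pass="$(openssl rand -base64 14)"
printf '%s\n' "${service_principal_pass}" > ".passwords/.${rg_name}-${prefix}-service_principal_pass"
export service_principal_pass="$(cat ".passwords/.${rg_name}-${prefix}-service_principal_pass")"

# Well-known application id of the Azure AD Graph API. Its service principal
# record is what the manifest below reads the permission ids from, so a failed
# lookup must not be carried forward as an empty JSON document.
export aadGraphAPI="00000002-0000-0000-c000-000000000000"
graphJSON="$(az ad sp show --id "${aadGraphAPI}")" || {
  printf 'failed to look up the AAD Graph service principal %s\n' "${aadGraphAPI}" >&2
  exit 1
}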
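#######################################
# Print the id of one OAuth2 permission exposed by the Graph service principal.
# Globals:   graphJSON (read) - JSON output of "az ad sp show" for the Graph API
# Arguments: $1 - permission value to look up, e.g. User.Read
# Outputs:   the matching .id (one per line if several match) to stdout
#######################################
oauth_id() {
  local wanted=$1
  # Bind the value with --arg rather than splicing it into the filter text, so
  # a value containing quotes or jq syntax cannot change the query.
  jq -r --arg v "${wanted}" \
    '.oauth2Permissions[] | select(.value == $v) | .id' <<<"${graphJSON}"
}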
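# Build the required-resource-access manifest with jq instead of hand-assembling
# JSON, so the appId and permission id are always emitted as valid JSON strings.
graph_app_id="$(jq -r .appId <<<"${graphJSON}")"
user_read_id="$(oauth_id User.Read)"
MANIFEST="$(jq -n --arg app "${graph_app_id}" --arg id "${user_read_id}" \
  '[ { resourceAppId: $app, resourceAccess: [ { id: $id, type: "Scope" } ] } ]')"

# az reads "@file" arguments from disk. Use a private temp file rather than a
# fixed name in the working directory, and remove it once az has consumed it.
manifest_file="$(mktemp)" || { printf 'mktemp failed\n' >&2; exit 1; }
printf '%s\n' "${MANIFEST}" > "${manifest_file}"

#export service_principal_application_id="${AAD_CLIENT_ID}"
# NOTE(review): --key-value places the credential on the az command line, where
# it is visible in the process table while az runs; az does not appear to offer
# a stdin alternative for this option, so it is left as-is.
export service_principal_application_id="$(az ad app create \
  --display-name "${prefix} demo principal" \
  --oauth2-allow-implicit-flow true \
  --credential-description "OpenSSL-generated password" \
  --key-type Symmetric \
  --key-value "${service_principal_pass}" \
  --homepage "http://${AAD_TENANT_ID}/${prefix}" \
  --identifier-uris \
    "http://${AAD_TENANT_ID}/${prefix}" \
  --reply-urls \
    "http://localhost:8080/login/oauth2/code/azure" \
    "http://${public_web_app_hostname}:8080/login/oauth2/code/azure" \
  --required-resource-accesses "@${manifest_file}" \
  --query "appId" -o tsv)"
rm -f -- "${manifest_file}"

# Every later step keys off this id; an empty value means the create failed and
# continuing would only persist an empty file and issue nonsense az calls.
if [[ -z "${service_principal_application_id}" ]]; then
  printf 'az ad app create did not return an appId\n' >&2
  exit 1
fi
printf 'Application ID: %s\n' "${service_principal_application_id}"
printf '%s\n' "${service_principal_application_id}" > ".passwords/.${rg_name}-${prefix}-service_principal_application_id"
export service_principal_application_id="$(cat ".passwords/.${rg_name}-${prefix}-service_principal_application_id")"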
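#
# Turn on "signInAudience": "AzureADMultipleOrgs"
#
az ad app update \
  --id "${service_principal_application_id}" \
  --available-to-other-tenants true
#
# Convert the existing app into a service principal, so we can authorize it to call into KeyVault
#
az ad sp create --id "${service_principal_application_id}"
#
# Fetch the SP's objectID, persist it, and re-read the stored copy so the
# exported value matches what later scripts read from disk.
#
export service_principal_object_id="$(az ad sp show --id "${service_principal_application_id}" --query "objectId" -o tsv)"
# An empty object id means the lookup failed; do not persist an empty file.
if [[ -z "${service_principal_object_id}" ]]; then
  printf 'az ad sp show did not return an objectId for %s\n' "${service_principal_application_id}" >&2
  exit 1
fi
printf '%s\n' "${service_principal_object_id}" > ".passwords/.${rg_name}-${prefix}-service_principal_object_id"
export service_principal_object_id="$(cat ".passwords/.${rg_name}-${prefix}-service_principal_object_id")"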
# az ad app update \
# --id "${service_principal_application_id}" \
# --reply-urls \
# "http://${public_web_app_hostname}:8080/login/oauth2/code/azure" \
# "http://localhost:8080/login/oauth2/code/azure"
# az ad app permission add \
# --id "${service_principal_application_id}" \
# --api "${aadGraphAPI}" \
# --api-permissions "$(oauth_id User.Read)=Scope"
# Grant the app the AAD Graph permissions it requested in its manifest so the
# principal can actually call that API.
az ad app permission grant --api "${aadGraphAPI}" --id "${service_principal_application_id}"