Azure Stack authentication based on Service rather then User

[Bryksin]

Hello

We are using Azure Stack and we would like to authenticate through service rather than a specific user with password.

In Read The Docs page showed an example of authentication only through user credentials, but no service.

We still attempted to do so, by creating application in Azure Cloud Admin portal (as AD -> App Registration option exists only in Cloud Panel, not in Azure Stack Panel) We grant to the application all permissions to the Azure Stack trough portal and used ServicePrincipalCredentials class instead of UserPassCredentials

When we authorisation trough App - a credential object is successfully created with valid tokens and so on, however, it cant see anything, no subscriptions, no resource groups, no nothing. If we authorise trough user personal credentials then everything works fine.

Code snippet:

CLIENT_USERNAME = "<user>@<domain>.onmicrosoft.com"
CLIENT_PASSWORD = "<pass>"

applicationId = "<cba4f82f-6f83-48c5-blah-blah-blah>"
app_key = "<cXW/IH88+iiouB8d3EBlahBlahBlah>="
tenant_id = "<fbe03d47-17ee-48ad-blah-blah-blah>"
base_url = "https://management.local.azurestack.external"

# Getting Endpoints metadata
azure_stack_metadata = get_cloud_from_metadata_endpoint(base_url)
print "Azure Stack Metadata:"
print azure_stack_metadata

print "\n"
print "Getting Credentials"
# Doesnt work trough Service
credentials = ServicePrincipalCredentials(client_id=applicationId, secret=app_key, tenant=tenant_id,
                                          cloud_environment=azure_stack_metadata)

# It works trough user
# credentials = UserPassCredentials(CLIENT_USERNAME, CLIENT_PASSWORD, cloud_environment=azure_stack_metadata)
print "Credentials retrieved: "
print credentials
print "\n"

print "Getting Subscriptions"
sc = SubscriptionClient(credentials, base_url=azure_stack_metadata.endpoints.management)
for s in sc.subscriptions.list():
    subscription_id = str(s.subscription_id)
    print "Subscription ID: " + subscription_id
    print "Getting Resource group client"
    resource_client = ResourceManagementClient(credentials, subscription_id,
                                               base_url=azure_stack_metadata.endpoints.management)
    print "Listing Resource groups"
    for rsg in resource_client.resource_groups.list():
        print rsg
print "DONE"

Is there any way to authenticate through service with Azure Stack or only specific user credentials supported at this time?

Best Regards

[lmazuel]

@bganapa any recommendations here?

[bganapa]

@Briksins It should have worked, though I have not tried with Python SDK+Service Principal before. I will get back to you.

[Bryksin]

Ok got it working, it was our fault, the ticket can be closed

The problem was in the setup of the admin panel. Basically here is an instruction:

• Go to Azure Cloud portal
• Create an App in AD -> Register App
• Grant Permissions to "Azure Stack" (Note: Azure Stack permissions are not listed, you have to specifically search it - not user-friendly to be honest)
• Create a Secret Key for an App
• Go to Azure Stack portal
• Go to your Resource group and select required (or do for all of them)
• in the selected resource group AMI permissions (where you have all users from AD) specifically search for your App name
• Add it as an owner of RG

So our problem was that we didn't grant in Azure Stack AMI permission to the App to manage resource group.