
Support az ad {app,sp} create #631

Closed
colemickens opened this issue Aug 5, 2016 · 11 comments
Comments

@colemickens
Contributor

Only delete, show and list are available.

@colemickens
Contributor Author

Given the poor discoverability and the constant confusion that users have regarding AzureAD, ServiceAccounts (aka ServicePrincipals) and "Apps", it is important that the CLI tooling can be scripted to create these things on users' behalf.

@yugangw-msft
Contributor

@colemickens if you create them just to assign a role for RBAC, you can use account create-sp.
The whole 'az ad' command set will be finalized in the near future.

@colemickens
Contributor Author

Hm, that sounds helpful, but I don't really understand the distinction.

What does az ad app create followed by az ad sp create do that az account create-sp doesn't do?

CC @ahmetalpbalkan for usability feedback given that we both need to make this process easy for our users.

@ahmetb
Contributor

ahmetb commented Aug 5, 2016

I agree, we need one clean way of creating SPs. Look at this 3rd party doc explaining creating AAD SP accounts. It is nothing but confusion*. I would very much appreciate it if this experience could be unified into one well-known command (preferably az ad sp create).

*: what's an app?, what is homepage uri?, why is username actually client_id?, why am I providing a password? why is password a client_secret? why am I calling all these cmds? why is sp id same as app id?

@mayurid mayurid added the Account az login/account label Aug 5, 2016
@mayurid mayurid added this to the Sprint 1 milestone Aug 5, 2016
@yugangw-msft
Contributor

yugangw-msft commented Aug 5, 2016

Some context, before addressing your concerns:

  1. We will have ad [sp|app] create to create general purpose entities. Also, per discussion with the Graph team, we will have finer-grained support for credential management and for updating individual properties.
  2. Applications and service principals are not just for Azure management at the command line; they are used much more for server applications (mostly web sites) which leverage an existing identity provider, like Azure AD, to delegate authentication duties.

Because of #2, several concepts such as "redirecturi" and "homepage" were exposed from commands, which are hard to understand and useless for people who just want to manage Azure in azure-cli. So a simplification like create-sp has been very well accepted.
Once #1 is done, we will likely rename and reposition create-sp to be closer to the majority. But for the sake of regular azure-cli users, we will keep this specific custom command to greatly relieve the learning pain of on-boarding to RBAC.

@colemickens
Contributor Author

colemickens commented Aug 5, 2016

This sounds great! I love how simple this is:

$ az account create-sp

Service principal has been configured with name: 'http://azure-cli-2016-08-05-14-31-15', secret: '[redacted]'
Useful commands to manage azure:
  Assign a role: "az role assignment create --assignee af73d34f-7cde-4c73-a4d5-redact --role Contributor"
  Log in: "az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p [redacted] --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47"
  Reset credentials: "az account reset-sp-credentials --name http://azure-cli-2016-08-05-14-31-15"

And I can override the name, duration and password (client_secret). Excellent!

@yugangw-msft
Contributor

So I am submitting #664, which should address all I mentioned earlier:

  1. I am moving the convenience command to ad sp create-for-rbac. There is also a new create command which is for general purpose use.
  2. create-for-rbac will emit 2 more command snippets for you to revoke the service principal if you are done with it.
  3. For app show/delete and sp show/delete, I simplify them by exposing a common parameter, --id, which should work with both the object id and the logical name.

@colemickens
Contributor Author

That sounds great as well. The only other thing might be letting me do the RBAC assignment in the ad sp create-for-rbac command, which would use the special Graph header to ensure I don't have to loop-retry in my own script.

I can file a separate issue for that though?

@yugangw-msft
Contributor

Please file a separate issue. Sort of a hack, but we can have sp create-for-rbac capture the ocp-aad-session-key, and expose ocp-aad-session-key from role assignment create.
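The flow the thread is converging on (create a principal for RBAC, then assign it a role, retrying while the new principal propagates) written out as a script. This is an added example, not code from the azure-cli project or from any participant in this issue. It assumes command names and flags as they exist in later azure-cli releases (az ad sp create-for-rbac with --name, az role assignment create with --assignee/--role/--scope, and --query ... -o tsv for field extraction) and an already logged-in az session; only the generic retry_until_ok helper runs offline. It also avoids two habits the create-sp output above encourages: printing the client secret to the terminal, and assigning Contributor at subscription scope when a resource group is enough.

```shell
#!/usr/bin/env bash
# Added example for this issue; not azure-cli's own code. Plain POSIX sh.
set -eu

# retry_until_ok MAX_ATTEMPTS DELAY_SECONDS CMD [ARGS...]
# Runs CMD until it exits 0 or MAX_ATTEMPTS is used up. Returns 0 on the
# first success and 1 if every attempt failed. Generic, so it is testable
# without a live Azure session.
retry_until_ok() {
    max_attempts=$1
    delay=$2
    shift 2
    attempt=1
    while [ "$attempt" -le "$max_attempts" ]; do
        if "$@"; then
            return 0
        fi
        echo "attempt $attempt/$max_attempts failed: $1" >&2
        if [ "$attempt" -lt "$max_attempts" ]; then
            sleep "$delay"
        fi
        attempt=$((attempt + 1))
    done
    return 1
}

# create_sp_and_assign NAME ROLE SCOPE SECRET_FILE
# Assumed (not verified offline): az ad sp create-for-rbac --name NAME
# --query '[appId,password]' -o tsv prints "<appId><TAB><password>", and
# az role assignment create --assignee/--role/--scope exist as named.
create_sp_and_assign() {
    name=$1
    role=$2
    scope=$3
    secret_file=$4

    # Capture appId and password into variables instead of letting the CLI
    # print the secret into terminal scrollback or CI logs.
    out=$(az ad sp create-for-rbac --name "$name" --query '[appId,password]' -o tsv)
    app_id=$(printf '%s\n' "$out" | cut -f1)
    secret=$(printf '%s\n' "$out" | cut -f2)

    # Persist the secret owner-readable only; this script never echoes it.
    ( umask 077 && printf '%s\n' "$secret" > "$secret_file" )

    # The assignment can fail for a short while after creation because the
    # new principal has not replicated yet, so retry with a fixed delay.
    # Keep the scope as narrow as the job allows (resource group, not
    # subscription).
    retry_until_ok 10 5 \
        az role assignment create --assignee "$app_id" --role "$role" --scope "$scope" \
        > /dev/null

    echo "service principal $name ($app_id) assigned '$role' on $scope"
    echo "log in with: az login --service-principal -u $app_id -p \"\$(cat $secret_file)\" --tenant <tenant-id>"
}

# The live flow only runs when explicitly requested, e.g.
#   RUN_LIVE=1 sh sp-rbac.sh my-sp Contributor /subscriptions/<sub>/resourceGroups/<rg> ./sp.secret
if [ "${RUN_LIVE:-0}" = "1" ]; then
    create_sp_and_assign "$@"
fi
```

The retry wrapper is deliberately dumb (fixed delay, bounded attempts) so that a script does not spin forever if the assignment is failing for a real reason such as missing permissions on the scope; the stderr line per attempt makes that visible.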

@colemickens
Contributor Author

I filed: #667

I'll close this, if you don't, when your PR goes in.

Thanks @yugangw-msft, I think these are going to be popular.

@yugangw-msft
Contributor

#664 is merged.
@brunoterkaly and @JasonRShaver, please note, account create-sp has been moved to ad sp create-for-rbac
