From 86d86a685c41e037561739913ce14dec7b2c0d78 Mon Sep 17 00:00:00 2001 From: Asir Vedamuthu Selvasingh Date: Tue, 20 Dec 2016 13:18:35 -0800 Subject: [PATCH] Revert "Use latest simple command to create auth file" --- AUTH.md | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/AUTH.md b/AUTH.md index 218d84ab0b370..05f5eab424e68 100644 --- a/AUTH.md +++ b/AUTH.md @@ -48,13 +48,19 @@ If you save such service principal-based credentials as a file, or store them in You can easily create a service principal and grant it access privileges for a given subscription through Azure CLI 2.0. -1. Install Azure CLI (>=0.1.0b11) by following the [README](https://github.com/Azure/azure-cli/blob/master/README.rst). -1. Install `jq` (>=1.5) by following the instructions here: https://stedolan.github.io/jq/download/. -1. Login as a user by running command `az login`. If you are not in Azure public cloud, use `az context create` command to switch to your cloud before login. -1. Select the subscription you want your service principal to have access to by running `az account set --subscription `. You can view your subscriptions by `az account list --out jsonc`. -1. Run the following command to create a service principal authentication file. -``` -az ad sp create-for-rbac --expanded-view -o json --query "{subscription: subscriptionId, client: client, key: password, tenant: tenantId, managementURI: endpoints.management, baseURL: endpoints.resourceManager, authURL: endpoints.activeDirectory, graphURL: endpoints.activeDirectoryGraphResourceId}" | jq -r "to_entries|map(\"\(.key)=\(.value|sub(\"https:(?.+[^/])/?$\";\"https\\\\:\(.x)/\"))\")|.[]" -``` +1. Create a new blank text file with the format described in section [Using an authentication file](#using-an-authentication-file). +1. Install Azure CLI by following the [README](https://github.com/Azure/azure-cli/blob/master/README.rst). +1. Login by running command `az login`. +1. Select the subscription you want your service principal to have access to by running `az account set `. You can view your subscriptions by `az account list --out jsonc`. Copy the subscription id into `subscription` field in the file. +1. Create a service principal by `az ad sp create-for-rbac`. Copy the **client_id** value into `client` field in the file, and **client_secret** value into `key` field. +1. Assign a role to the service principal. You can find the command to execute in the "Assign a role" section from the output of the previous command. It should look like `az role assignment create --assignee --role Contributor`. The role can be "Owner", "Contributer", "Reader", etc. For more information about roles in Azure, please refer to https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-what-is/. +1. Put your email domain into the `tenant` field, e.g., contoso.com. +1. Assuming you are using the Azure worldwide public cloud, also add the following to your text file: \(Note that this file follows the Java properties file format, so certain characters, such as colons, need to be escaped with a backslash\)
+ `managementURI=https\://management.core.windows.net/`
+ `baseURL=https\://management.azure.com/`
+ `authURL=https\://login.windows.net/`
+ `graphURL=https\://graph.windows.net/`
+ For other environments, please refer to [AzureEnvironment.java](https://github.com/Azure/autorest-clientruntime-for-java/blob/v1.0.0-beta3/azure-client-runtime/src/main/java/com/microsoft/azure/AzureEnvironment.java) for their corresponding values. Now all the pieces are in place to enable authenticating your code without requiring an interactive login nor the need to manage access tokens. +