Tags: azure, ansible, azure-cli, azure-service-principal

Login into Azure cli for a service principal


I'm trying to get my ansible script to get logged into azure via azure cli. For some reason, I'm not allowed to use the ansible azure package. I have to use the shell and call the commands directly from there.

I'm fairly new with azure in general, so all these tenants, service principals and such are still concepts that I don't fully grasp.

I've been checking the official documentation. I've created an app registration for it (named ansible_test). I get all I need, including the secret, and then I call the commands like this:

az login --service-principal -u $AZURE_SERVICE_PRINCIPAL_NAME -p $AZURE_SECRET --tenant $AZURE_TENANT

where:

$AZURE_SERVICE_PRINCIPAL_NAME = ansible_test
$AZURE_SECRET = ${The one that I've defined via Certificates & secrets section in the app registration}
$AZURE_TENANT = ${The azure tenant that I find in the app registration}

I'm getting the error:

Get Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'ansible_test' was not found in the directory '${AZURE_TENANT}(Blurred because I'm not sure this is something secret or not)'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

As I understand, I got the wrong tenant. But I'm getting the exact one that I'm getting from the app registration. I've been hitting my head against this wall for some time. I've tried many other things, but it doesn't seem to work.

In this image, I'm trying to show that I've indeed created the app registration (What I'm understanding that it's a service principal). I've blurred the ids just out of ignorance whether they are private or not.

Overview of the app registration that I've created called ansible_test

What is it that I'm doing wrong? I can't really understand the origin of the error...


Solution

  • The username for a service principal is its Application (client) ID, so you need to use that instead of the app name.

    It uses the client credentials flow under the covers to get tokens, which requires the client id, tenant id + client secret/client certificate to authenticate.
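As an added example (not part of the original question or answer), here is a POSIX shell script that applies the answer: it checks that the value passed as the service-principal username is a GUID-shaped Application (client) ID rather than a display name such as ansible_test, checks the tenant ID the same way, and only then calls az login. The environment variable names AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID, the function names, and the sample GUIDs are this example's own choices, and it assumes the az CLI is installed when the login actually runs.

```shell
#!/bin/sh
# Added example: log in to the Azure CLI as a service principal using the
# Application (client) ID, not the app registration's display name.
# Variable and function names are this example's own, not from the page.

# Returns 0 if the argument looks like a GUID (the shape of an Application
# (client) ID and of a Directory (tenant) ID), 1 otherwise. Passing a display
# name such as "ansible_test" as the username is what produces AADSTS700016.
is_guid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Validate the three client-credentials inputs, then run az login.
# Returns 1 (without calling az) when an input is wrong, so a misconfigured
# Ansible run fails with a readable message instead of an AAD 400 error.
sp_login() {
  client_id="$1"
  tenant_id="$2"
  secret="$3"

  if ! is_guid "$client_id"; then
    echo "AZURE_CLIENT_ID must be the Application (client) ID (a GUID), not the app name: '$client_id'" >&2
    return 1
  fi
  if ! is_guid "$tenant_id"; then
    echo "AZURE_TENANT_ID must be the Directory (tenant) ID (a GUID): '$tenant_id'" >&2
    return 1
  fi
  if [ -z "$secret" ]; then
    echo "AZURE_CLIENT_SECRET is empty" >&2
    return 1
  fi

  # --output none keeps the subscription list (and any secrets) out of logs.
  az login --service-principal \
    -u "$client_id" \
    -p "$secret" \
    --tenant "$tenant_id" \
    --output none
}

# Only attempt the login when the variables are set, so the script can be
# sourced for its functions without side effects.
if [ -n "${AZURE_CLIENT_ID:-}" ]; then
  sp_login "$AZURE_CLIENT_ID" "$AZURE_TENANT_ID" "$AZURE_CLIENT_SECRET"
fi
```

Both IDs come from the Overview blade of the app registration (Application (client) ID and Directory (tenant) ID); the display name shown on that blade is never accepted as the username. Under the covers az login posts these values to the tenant's OAuth 2.0 token endpoint with grant_type=client_credentials, which is why a name instead of a client ID is rejected before any password check happens.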