Service Principal

To securely automate Terraform deployments in Azure, use a Service Principal with the minimum required permissions. The script below creates a Service Principal with the Contributor and User Access Administrator roles at the subscription scope, which is enough for most DevOps CI/CD scenarios (e.g., GitHub Actions, Azure Pipelines). Treat that as an upper bound, not a default: User Access Administrator lets the principal create role assignments, including for itself, so a leaked client secret is effectively subscription Owner. Scope the assignment to a resource group where you can, and add User Access Administrator only when Terraform itself manages role assignments.


Bash Script: Create Service Principal for Terraform

#!/usr/bin/env bash
set -euo pipefail

# Set your Azure subscription context
SUBSCRIPTION_ID=$(az account show --query id -o tsv)
SP_NAME="firstContainerAppGitHubAction"

# Create the Service Principal with Contributor role at subscription scope.
# --sdk-auth is deprecated in current Azure CLI releases (it still works, with
# a warning) and produces the JSON shape shown below, which is what the
# azure/login action's "creds" input expects. The clientSecret is printed to
# stdout, so run this from a local shell, not from a CI job that captures logs.
az ad sp create-for-rbac \
  --name "$SP_NAME" \
  --role "Contributor" \
  --scopes "/subscriptions/$SUBSCRIPTION_ID" \
  --sdk-auth \
  --output json

# Assign User Access Administrator role (optional: only if Terraform manages RBAC).
# "[0]" guards against several apps sharing the display name. Assigning by
# object id with an explicit principal type avoids the Graph lookup that can
# fail with "principal not found" while a freshly created SP is still replicating.
servicePrincipalObjectId=$(az ad sp list --display-name "$SP_NAME" --query "[0].id" -o tsv)
az role assignment create \
  --assignee-object-id "$servicePrincipalObjectId" \
  --assignee-principal-type ServicePrincipal \
  --role "User Access Administrator" \
  --scope "/subscriptions/$SUBSCRIPTION_ID"

Output (values redacted):

{
  "clientId": "XXXXXX",
  "clientSecret": "XXXXXX",
  "subscriptionId": "XXXXXX",
  "tenantId": "XXXXXX",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

Usage in Terraform and CI/CD

  • Store the output values (clientId, clientSecret, subscriptionId, tenantId) in your CI/CD secret store (GitHub Actions encrypted secrets, Azure DevOps variable groups or a Key Vault-linked group), never in the repository. The azurerm provider also reads them from the environment variables ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID, so exporting those in the pipeline keeps the secret out of Terraform variables and plan output entirely.

  • Reference these in your Terraform provider block:

provider "azurerm" {
  features {}
  client_id       = var.client_id
  client_secret   = var.client_secret   # declare this variable with sensitive = true
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
}

Best Practices

  • Use a unique Service Principal per environment (dev, staging, prod)

  • Grant only the minimum permissions needed: prefer resource-group scope over subscription scope, prefer a narrower built-in or custom role over Contributor, and add User Access Administrator only when Terraform manages role assignments

  • Rotate credentials regularly and never commit them to source control (secrets from create-for-rbac expire after one year by default; az ad sp credential reset issues a new one)

  • Store secrets in a secure vault (Azure Key Vault, GitHub/Azure DevOps secrets)


Passwordless alternative

Tip: For passwordless authentication in CI/CD, use OIDC (workload identity federation) with GitHub Actions or Azure Pipelines instead of a client secret. The app registration gets a federated credential that trusts tokens issued by the CI provider for one repository, branch or environment, so there is no secret to store, leak or rotate, and the azurerm provider authenticates with use_oidc = true (or ARM_USE_OIDC=true).
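The following script is an added example, not code from the original page: it creates an app registration and Service Principal, assigns Contributor at resource-group scope, and attaches a GitHub Actions federated credential. The names APP_NAME, GITHUB_ORG, GITHUB_REPO, RESOURCE_GROUP and the branch name are assumptions to replace for your environment. The helper functions build the federated credential's subject claim and parameter JSON offline; the Azure CLI calls run only when the script is invoked with the argument apply.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Creates an OIDC federated
# credential so GitHub Actions can log in as a Service Principal with no secret.
# APP_NAME, GITHUB_ORG, GITHUB_REPO, RESOURCE_GROUP and the branch are assumed
# placeholders; override them via environment variables.
set -eu

GITHUB_ISSUER="https://token.actions.githubusercontent.com"
GITHUB_AUDIENCE="api://AzureADTokenExchange"

# Build the subject claim the federated credential trusts. Scope is the
# security control: a branch or environment subject means only jobs from that
# branch/environment can obtain a token. Wildcards are refused on purpose.
#   fic_subject ORG REPO branch main       -> repo:ORG/REPO:ref:refs/heads/main
#   fic_subject ORG REPO environment prod  -> repo:ORG/REPO:environment:prod
#   fic_subject ORG REPO pull_request      -> repo:ORG/REPO:pull_request
fic_subject() {
  local org="$1" repo="$2" kind="$3" value="${4:-}"
  case "$value" in *'*'*) echo "wildcard subjects are not allowed" >&2; return 1 ;; esac
  case "$kind" in
    branch)       printf 'repo:%s/%s:ref:refs/heads/%s' "$org" "$repo" "$value" ;;
    tag)          printf 'repo:%s/%s:ref:refs/tags/%s' "$org" "$repo" "$value" ;;
    environment)  printf 'repo:%s/%s:environment:%s' "$org" "$repo" "$value" ;;
    pull_request) printf 'repo:%s/%s:pull_request' "$org" "$repo" ;;
    *) echo "unknown subject kind: $kind" >&2; return 1 ;;
  esac
}

# Render the --parameters JSON for 'az ad app federated-credential create'.
fic_parameters() {
  local name="$1" subject="$2"
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"],"description":"GitHub Actions OIDC"}\n' \
    "$name" "$GITHUB_ISSUER" "$subject" "$GITHUB_AUDIENCE"
}

# Create app + SP, assign Contributor at resource-group scope (narrower than the
# subscription-scoped script above), and attach the federated credential.
apply() {
  local app_name="${APP_NAME:-terraform-github-oidc}"
  local org="${GITHUB_ORG:-my-org}" repo="${GITHUB_REPO:-my-repo}"
  local ref="${GITHUB_BRANCH:-main}" rg="${RESOURCE_GROUP:-rg-terraform}"
  local subscription_id tenant_id app_id app_object_id sp_object_id

  subscription_id=$(az account show --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)

  app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  app_object_id=$(az ad app show --id "$app_id" --query id -o tsv)
  sp_object_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  # Object id + principal type avoids the replication race on a brand-new SP.
  az role assignment create \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role Contributor \
    --scope "/subscriptions/$subscription_id/resourceGroups/$rg"

  fic_parameters "github-$ref" "$(fic_subject "$org" "$repo" branch "$ref")" > fic.json
  az ad app federated-credential create --id "$app_object_id" --parameters fic.json
  rm -f fic.json

  # None of these three values is a secret; store them as GitHub variables/secrets.
  echo "AZURE_CLIENT_ID=$app_id"
  echo "AZURE_TENANT_ID=$tenant_id"
  echo "AZURE_SUBSCRIPTION_ID=$subscription_id"
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

In the workflow, grant the job permissions: id-token: write, log in with azure/login using the client-id, tenant-id and subscription-id inputs (no creds input), and set ARM_USE_OIDC=true together with ARM_CLIENT_ID, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID for the Terraform steps; the provider then exchanges the GitHub-issued token directly and no client secret exists anywhere. Add one federated credential per branch or environment you deploy from rather than widening the subject.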
