
I know how to create a service principal for an app registration. However, what is an "Azure Service principal account" for read-only Azure access?

The requirement is to execute API or make API call from a framework or run the command for Azure Infra and Service validation.

The additional details:

  1. account with id and secret key?
  2. Account with IAM privilege to read config data from Azure services?
  3. Access to cloud providers API for config validation?

Are there any steps to do this? It will be really helpful if the above details can be done from the Azure portal.

halfer
AskMe

1 Answer


As a workaround, to create the Azure service principal for read-only access you can try using the Azure CLI.

The Reader role is more restrictive, with read-only access. For more information on Role-Based Access Control (RBAC) and roles, see this document: RBAC: Built-in roles.

When restricting a service principal's permissions, the Contributor role should be removed.

This example adds the Reader role and removes the Contributor role:

az role assignment create --assignee APP_ID --role Reader
az role assignment delete --assignee APP_ID --role Contributor

Note: If your account doesn't have permission to assign a role, you see an error message that your account does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write'. Contact your Azure Active Directory admin to manage roles.

Microsoft recommends using the Contributor role at minimum for a service principal. This role has full permissions to read and write to an Azure account.

For more information, refer to this Microsoft doc:

ShrutiJoshi-MT
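The question asks for concrete steps and the answer shows the two `az role assignment` commands; the script below is an added example (not from the question, the answer, or Microsoft) that puts the whole read-only-principal procedure in one place: create the principal with Reader scoped to a subscription, remove Contributor if it is present, and then verify that nothing but Reader is assigned. `SUBSCRIPTION_ID`, `SP_NAME` and the `RUN_AZ` switch are assumptions of this example; the sample role list fed to the check is constructed, so the validation function runs without an Azure login.

```shell
#!/bin/sh
# Added example: create and validate a read-only (Reader) service principal with Azure CLI.
# Assumes `az login` has been done by an account allowed to write role assignments.
# SUBSCRIPTION_ID and SP_NAME are placeholders; RUN_AZ=1 is the switch that makes the
# driver at the bottom call Azure (everything else is pure shell and runs offline).
set -eu

# Build the subscription-level scope string used by the role assignment commands.
subscription_scope() {
    printf '/subscriptions/%s\n' "$1"
}

# Create the principal with Reader only; passing --role and --scopes explicitly avoids
# relying on any CLI default. Output is JSON and contains the client secret ("password"),
# so store it in a secret store rather than a log.
create_readonly_sp() {
    az ad sp create-for-rbac --name "$1" --role Reader \
        --scopes "$(subscription_scope "$2")" --output json
}

# Remove Contributor at subscription scope if it was ever granted (as the answer shows).
remove_contributor() {
    az role assignment delete --assignee "$1" --role Contributor \
        --scope "$(subscription_scope "$2")"
}

# List the role names currently assigned to the app id, one per line.
list_sp_roles() {
    az role assignment list --assignee "$1" --all \
        --query "[].roleDefinitionName" --output tsv
}

# Read role names (one per line) on stdin; succeed only if every one is exactly "Reader".
# Any other role (Contributor, Owner, a custom role, ...) is reported and fails the check.
validate_readonly_roles() {
    bad=0
    while IFS= read -r role; do
        [ -z "$role" ] && continue
        if [ "$role" != "Reader" ]; then
            printf 'non-read-only role assigned: %s\n' "$role" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Driver: talks to Azure only when RUN_AZ=1; otherwise the functions above are just defined.
if [ "${RUN_AZ:-0}" = "1" ]; then
    : "${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID to the target subscription id}"
    sp_name="${SP_NAME:-readonly-validator-sp}"
    sp_json=$(create_readonly_sp "$sp_name" "$SUBSCRIPTION_ID")
    app_id=$(printf '%s\n' "$sp_json" | sed -n 's/.*"appId": *"\([^"]*\)".*/\1/p')
    remove_contributor "$app_id" "$SUBSCRIPTION_ID" 2>/dev/null || true   # absent is fine
    if list_sp_roles "$app_id" | validate_readonly_roles; then
        printf 'service principal %s (%s) has Reader only\n' "$sp_name" "$app_id"
    else
        printf 'service principal %s still has write-capable roles\n' "$sp_name" >&2
        exit 1
    fi
fi
```

Run it as `RUN_AZ=1 SUBSCRIPTION_ID=<your subscription id> sh readonly-sp.sh`; the final check is the part worth keeping in a validation framework, since a principal that was created correctly can still pick up Contributor later through a group or a resource-group assignment, and `--all` lists those too.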