How to protect Azure Service Principal in your PowerShell Code
Question
Let's say I have my PowerShell code which takes specific actions on my Azure subscription. I understood it has to log into Azure using my Azure username or maybe an Azure Service Principal.
In my case I would like to use a Service Principal because a lot of people are going to use this code and I don't want to give everyone access into my subscription. So I provide access only to this SP.
I realized, to log in using a SP, I need to include the App ID and the Key in my code and if my code is compromised then someone from outside our company could also use the App ID and the Key to log in and do stuff on my subscription.
Is there any way I could protect myself against such security risk? I see there is also a section on Azure AD which I can specify users/groups who can access the Service Principal (Azure App). But will it be more like a double authentication? can you please point me in the right direction?
If you could also share with me some sample code it will be much appreciated.
1 answers
solution1
0 2017-07-27 20:56:04
Honestly, please don't do it this way. Anyone who gains access to the certificate (if you are distributing it with your code) will also have access as the service principal to Azure.
I'd suggest you create an Azure Automation runbook and attach a webhook to it. You could then create a small html file that would execute the runbook (prompting for any parameters that you require). This way, the users can only run the code that you setup (via webhook) and you can cycle the webhook url (by deleting it and recreating a new one) periodically.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.