
How can I find resource group associated with service principal?

Problem

I have an azure pipeline YAML file. It is able to run through a service connection which accesses a service principal with all the proper authority, etc.

But I am now trying to clean up the code; we have multiple service principals running on multiple subscriptions and resource groups. They need to create storage accounts, which need to be unique.

So I am trying to create a storage account built partially from the associated subscription and resource group of the service principal creating the storage account.

Example Solution

For the subscription, it is fairly easy. I can do something like this, from within a PowerShell script called inside the pipeline:

$subscriptionId = $(az account show --query 'id' -o tsv)
Write-Output "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID;isoutput=true;issecret=true]$subscriptionId"

Now I have the variables $subscriptionId and AZURE_SUBSCRIPTION_ID set, and can access subscription information within the pipeline itself.

Question

But how can I do something similar with resource groups?

There is no equivalent to az account show for resource groups, without knowing the resource group name itself. (E.g., I have to type az group show -name <RG-name>, but it is precisely the name that I am trying to get.)

Again, to be clear, I am running inside of a particular resource group and subscription; it is those that are associated with the service connection. Now I simply want that information available to the pipeline.

I'm not sure if I completely understand what you are trying to accomplish. But I suspect that the options below might help.

Get role assignments

If you created separate service connections for each individual resource group you can simply check the role assignments for the SPN and determine the scope of the service connection.

If you, for example, use the Azure PowerShell task, you have configured it with a Service Connection. So when the task starts, it has the context of the service principal. You can then do Get-AzRoleAssignment, which should output the Resource Groups to which it's authorised. Again, this is only useful if you use a service connection per RG, as you otherwise get results for multiple RGs. (Or for subscriptions and Management groups, if you also assigned a role to those scopes.)

Use the Azure DevOps API

You can use the Get Service Endpoint request of the Azure DevOps API to get the service connections. The JSON output will contain information regarding the scope of the service connection.

If you find working with the API directly a bit hard, you can try the PSDevOps PowerShell module to interact with the Azure DevOps API. It has the Get-ADOServiceEndpoint command that allows you to get the available service endpoints.
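The role-assignment approach from the answer, written out as an added example that is not part of the original answer. It assumes it runs inside an Azure PowerShell task (Az modules loaded, signed in as the service principal of the service connection), reads the SPN's application id from Get-AzContext, keeps only role assignments whose scope is exactly a resource group, and refuses to guess when the SPN is scoped to zero or several resource groups, which is the ambiguity the answer warns about. The variable name AZURE_RESOURCE_GROUP and the helper function name are my choices, not anything the page or Azure defines; the same scope pattern also matches the `/subscriptions/<id>/resourceGroups/<name>` string returned for a resource-group-scoped service endpoint by the Azure DevOps API, if you go that route instead.

```powershell
# Added example (not the original answer's code). Runs in an Azure PowerShell
# task where the context is the service connection's service principal.

function Get-ResourceGroupScopesFromAssignments {
    # Reduce a list of role assignments to the distinct resource groups
    # they target. Subscription- and management-group-scoped assignments
    # are deliberately ignored, since they do not identify one RG.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Assignments)

    $rgs = @{}
    foreach ($a in $Assignments) {
        # -match is case-insensitive, which matches ARM's handling of scope paths.
        if ($a.Scope -match '^/subscriptions/([^/]+)/resourceGroups/([^/]+)$') {
            $key = ('{0}/{1}' -f $Matches[1], $Matches[2]).ToLowerInvariant()
            $rgs[$key] = [pscustomobject]@{
                SubscriptionId = $Matches[1]
                ResourceGroup  = $Matches[2]
            }
        }
    }
    return @($rgs.Values)
}

# For a service principal login, Account.Id is the application (client) id.
$ctx   = Get-AzContext
$appId = $ctx.Account.Id

# All role assignments the SPN holds that the current context can read.
$assignments = @(Get-AzRoleAssignment -ServicePrincipalName $appId)
$scopes      = Get-ResourceGroupScopesFromAssignments -Assignments $assignments

if ($scopes.Count -ne 1) {
    # The answer's caveat: with several RGs (or none) the result is ambiguous,
    # so fail the step loudly instead of picking one.
    $found = ($scopes | ForEach-Object { $_.ResourceGroup }) -join ', '
    throw "Expected exactly one resource-group-scoped role assignment for $appId, found $($scopes.Count): $found"
}

$rg = $scopes[0].ResourceGroup
# Same logging-command pattern the question uses for the subscription id.
Write-Output "##vso[task.setvariable variable=AZURE_RESOURCE_GROUP;isoutput=true]$rg"
Write-Output "Resource group for $appId resolved to $rg in subscription $($scopes[0].SubscriptionId)"
```

Because the assignment list is read from Azure RBAC rather than from anything the pipeline author typed, a misconfigured connection (an SPN granted Contributor on two resource groups, say) surfaces as a failed step rather than as a storage account silently created in the wrong group.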
