
Give access to a service principal which is in another Azure tenant

We deploy resources in our Azure tenant through Jenkins, which uses Terraform to provision infra resources, and we use a service principal for authentication and infra provisioning which is in the same tenant. In our infra deployment we also create VNet peering between the new VNet that gets deployed and our central VNet, which has all the infra resources like the monitoring and logging platform. Now we have a use case where, using the same Jenkins and Terraform scripts, we want to provision resources in a different tenant. This can be done by using the service principal of the remote tenant, but now the issue is that the service principal of TenantB does not have rights to create network resources in TenantA. To make this happen, the service principal of TenantB should have access to the VNet in TenantA. I am looking for documentation or guidance on how we can give access to the service principal of TenantB in our TenantA?

  • Hoping that you have created a service principal using multi-tenant authentication (if it is single-tenant, please change the authentication method to multi-tenant), add a redirect URI https://www.microsoft.com .


  • After you have created the service principal, you can open the below URL in a private browser window to add it to the other tenant:

     https://login.microsoftonline.com/<Tenant B ID>/oauth2/authorize?client_id=<Application (client in tenant A) ID>&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F

    It will ask for authorization on behalf of the organization; you can accept it.

  • After the above is done, you can log in to the portal of that tenant and go to Enterprise applications; you will see it there. Provide a role assignment for that subscription (Owner/Contributor).


  • After this is done, you can use something like the below Terraform script:

provider "azurerm" {
  alias           = "tenantA"
  subscription_id = "b83c1ed3-xxxxx-xxxxxx-xxxxxx-xxxxxx" # subscription id in tenant A
  tenant_id       = "72f988bf-xxxxxx-xxxxx-xxxxxxx-xxxxxx" # tenant id of tenant A
  client_id       = "f6a2f33d-xxxx-xxxx-xxxxx-xxxxxxxx"    # client id of the service principal in tenant A
  client_secret   = "y5L7Q~oiMOoGCxm7fK~xxxxxxxxxxxxxxx"   # client secret of the service principal in tenant A
  # (in a pipeline, prefer the ARM_CLIENT_SECRET environment variable to a literal in HCL)
  # Extra tenants the provider also obtains tokens for; required so that the
  # peering can reference the VNet that lives in tenant B.
  auxiliary_tenant_ids = ["ab078f81-xxxxxx-xxxxxxxx-xxxxxx"] # tenant id of tenant B
  features {}
}

provider "azurerm" {
  alias           = "tenantB"
  subscription_id = "88073b30-xxx-xxxxx-xxxxx-xxxxxxx"   # subscription id in tenant B
  tenant_id       = "ab078f81-xxxxx-xxxxxxx-xxxxxxxxx"  # tenant id of tenant B
  client_id       = "f6a2f33d-xxxx-xxxxxx-xxxxxx-xxxxxx" # client id of the service principal in tenant A (same app, consented into tenant B)
  client_secret   = "y5L7Q~oiMOoGCxm7fK~xxxxxxxxxxxxxxxx" # client secret of the service principal in tenant A
  auxiliary_tenant_ids = ["72f988bf-xxxx-xxxxx-xxxxxxxxxx-xx"] # tenant id of tenant A
  features {}
}

# Existing resource groups and VNets on both sides, looked up rather than created.
data "azurerm_resource_group" "tenantARG" {
  provider = azurerm.tenantA
  name     = "reswourcegroup"
}

data "azurerm_resource_group" "tenantBRG" {
  provider = azurerm.tenantB
  name     = "ansuman-resourcegroup"
}

data "azurerm_virtual_network" "GlobalVnet" {
  provider            = azurerm.tenantA
  name                = "ansuman-vnet"
  resource_group_name = data.azurerm_resource_group.tenantARG.name
}

data "azurerm_virtual_network" "tenantBVnet" {
  provider            = azurerm.tenantB
  name                = "test-vnet"
  resource_group_name = data.azurerm_resource_group.tenantBRG.name
}

# A peering is two one-directional links; each is created with the provider
# (and therefore the token) of the tenant that owns the local VNet.
resource "azurerm_virtual_network_peering" "example-1" {
  provider                  = azurerm.tenantA
  name                      = "peer1to2"
  resource_group_name       = data.azurerm_resource_group.tenantARG.name
  virtual_network_name      = data.azurerm_virtual_network.GlobalVnet.name
  remote_virtual_network_id = data.azurerm_virtual_network.tenantBVnet.id
}

resource "azurerm_virtual_network_peering" "example-2" {
  provider                  = azurerm.tenantB
  name                      = "peer2to1"
  resource_group_name       = data.azurerm_resource_group.tenantBRG.name
  virtual_network_name      = data.azurerm_virtual_network.tenantBVnet.name
  remote_virtual_network_id = data.azurerm_virtual_network.GlobalVnet.id
}

Output:

[screenshot]

Note: In my test case, I have used 2 VNets present in different tenants. I created a service principal in tenant A and provided Contributor permissions to it in tenant B using the above methods, and then used Terraform to perform the VNet peering.
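The three manual steps in the answer above (multi-tenant app registration, consent in tenant B, role assignment) as one Azure CLI script, added here as an example; it is not part of the original answer. It assumes Azure CLI 2.37 or newer (the Microsoft Graph based `az ad` commands), that step 1 is run by an application owner in tenant A and step 2 by an administrator of tenant B, and that the app display name `jenkins-terraform-crosstenant` and the resource group and VNet names passed on the command line are placeholders. It departs from the answer in one respect: rather than Owner/Contributor on the whole tenant B subscription, it assigns Network Contributor scoped to the resource group that holds the VNet to be peered, which covers the `Microsoft.Network/virtualNetworks/peer/action` and `virtualNetworkPeerings/write` permissions a peering needs plus the read the answer's `data "azurerm_resource_group"` lookup needs.

```shell
#!/bin/sh
# Added example (not from the original answer). Grants a multi-tenant app
# registered in tenant A the minimum access in tenant B needed for VNet peering.
# All tenant/subscription IDs and resource names are placeholders or arguments.
set -eu

# Percent-encode a string per RFC 3986: unreserved characters pass through,
# every other byte becomes %XX. Used for the redirect_uri in the consent URL.
urlencode() {
  printf '%s' "$1" | od -An -tx1 -v | tr ' ' '\n' | grep . | while read -r hex; do
    ch=$(printf "\\$(printf '%03o' "0x$hex")")
    case "$ch" in
      [A-Za-z0-9._~-]) printf '%s' "$ch" ;;
      *) printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
    esac
  done
}

# Sanity check so a mis-pasted tenant or client id is caught before any az call.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# The consent URL from the answer: a tenant B admin opens it once so that the
# tenant A application gets a service principal (enterprise app) in tenant B.
consent_url() {
  tenant_b=$1; client_id=$2; redirect=${3:-https://www.microsoft.com/}
  is_guid "$tenant_b" && is_guid "$client_id" || return 1
  printf 'https://login.microsoftonline.com/%s/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s\n' \
    "$tenant_b" "$client_id" "$(urlencode "$redirect")"
}

# Step 1 (app owner in tenant A): register a multi-tenant app with the redirect
# URI the consent URL uses, mint a client secret, and print the application id.
register_multitenant_app() {
  tenant_a=$1; name=$2
  az login --tenant "$tenant_a" --allow-no-subscriptions >/dev/null
  app_id=$(az ad app create --display-name "$name" \
      --sign-in-audience AzureADMultipleOrgs \
      --web-redirect-uris https://www.microsoft.com/ \
      --query appId -o tsv)
  # The secret is shown once (on stderr here): put it in the Jenkins credential
  # store and pass it to Terraform as ARM_CLIENT_SECRET, not as a literal in HCL.
  az ad app credential reset --id "$app_id" --years 1 --query password -o tsv >&2
  printf '%s\n' "$app_id"
}

# Step 2 (administrator in tenant B): create the service principal for the
# tenant A app in tenant B (the CLI equivalent of accepting the consent URL),
# then assign Network Contributor at resource-group scope instead of
# Owner/Contributor on the subscription, and show what was granted.
grant_peering_access() {
  tenant_b=$1; sub_b=$2; app_id=$3; rg=$4
  az login --tenant "$tenant_b" >/dev/null
  az account set --subscription "$sub_b"
  # Reuse the SP if the browser consent flow already created it.
  sp_oid=$(az ad sp show --id "$app_id" --query id -o tsv 2>/dev/null) \
    || sp_oid=$(az ad sp create --id "$app_id" --query id -o tsv)
  scope=$(az group show -n "$rg" --query id -o tsv)
  az role assignment create \
      --assignee-object-id "$sp_oid" --assignee-principal-type ServicePrincipal \
      --role "Network Contributor" --scope "$scope" >/dev/null
  # Check: exactly the one assignment, at resource-group scope, nothing wider.
  az role assignment list --assignee "$sp_oid" --all \
      --query "[].{role:roleDefinitionName,scope:scope}" -o table
}

# Usage (RUN_AZ=1 makes the script actually call the Azure CLI):
#   RUN_AZ=1 ./grant.sh <tenantA-id> <tenantB-id> <tenantB-subscription-id> <tenantB-resource-group>
if [ "${RUN_AZ:-0}" = "1" ]; then
  app_id=$(register_multitenant_app "$1" "jenkins-terraform-crosstenant")
  echo "Browser alternative for step 2, to be opened by a tenant B admin:"
  consent_url "$2" "$app_id"
  grant_peering_access "$2" "$3" "$app_id" "$4"
fi
```

With a role scoped below the subscription, the tenant B provider block in the answer's Terraform also needs `skip_provider_registration = true` (azurerm 3.x) or `resource_provider_registrations = "none"` (azurerm 4.x), because the provider's default resource-provider registration runs at subscription scope and would otherwise fail with a 403 before the peering is attempted.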
